ADC

Configure a Rewrite Action

Warning

The Pattern function in a rewrite action is deprecated from Citrix ADC 12.0 build 56.20 onwards. As an alternative, Citrix recommends that you use the Search rewrite action parameter.

A rewrite action indicates changes made to a request or response prior to sending it to a server or client.

Expressions define the following:

  • Rewrite action type.

  • Location of the rewrite action.

  • Rewrite action configuration type.

For example, a DELETE action only uses a target expression. A REPLACE action uses a target expression and an expression to configure the replacement text.

After enabling the rewrite feature, you need to configure one or more actions unless a built-in rewrite action is sufficient. All of the built-in actions have names beginning with the string ns_cvpn, followed by a string of letters and underscore characters. Built-in actions perform useful and complex tasks such as decoding parts of a clientless VPN request or response or modifying JavaScript or XML data. The built-in actions can be viewed, enabled, and disabled, but cannot be modified or deleted.

Note:

Action types that can be used only for HTTP rewrite are identified in the Rewrite Action Type column.

For more information, see Type parameter.

Create a rewrite action by using the command line interface

At the command prompt, type the following commands to create a rewrite action and verify the configuration:

  • add rewrite action <name> <type> <target> [<stringBuilderExpr>] [-search <expression>] [-refineSearch <expression>] [-comment <string>]
  • show rewrite action <name>

For more information, see the Rewrite Action Types and their Arguments table.

The rewrite feature has the following built-in actions:

  • NOREWRITE - Sends the request or response to the user without rewriting it.

  • RESET - Resets the connection and notifies the user’s browser, so that the user can resend the request.

  • DROP - Drops the connection without sending a response to the user.

One of the following flow types is implicitly associated with every action:

  • Request - Action applies to the request.

  • Response - Action applies to the response.

  • Neutral - Action applies to both requests and responses.

Name

Name for the user-defined rewrite action. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Can be changed after the rewrite policy is added.

Type parameter

The Type parameter shows the type of user-defined rewrite action.

Following are the values of the Type parameter:

  • REPLACE <target> <string_builder_expr>. Replaces the string with the string-builder expression.

Example:

> add rewrite action replace_http_act replace http.res.body(100) '"new_replaced_data"'
Done
> sh rewrite action replace_http_act
Name: replace_http_act
Operation: replace
Target:http.res.body(100)
Value:"new_replaced_data"
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • REPLACE_ALL <target> <string_builder_expr1> -(pattern|search) <string_builder_expr2>. In the request or response specified by <target>, replaces all occurrences of the string defined by <string_builder_expr1> with the string defined by <string_builder_expr2>. You can use a PCRE-format pattern or the search facility to find the strings to be replaced.

Example:

> add policy patset pat_list_2
Done
> bind policy patset pat_list_2 "www.abc.com"
Done
> bind policy patset pat_list_2 "www.def.com"
Done
> add rewrite action refineSearch_act_31 replace_all "HTTP.RES.BODY(100000)" "\"https://\"" -search "patset(\"pat_list_2\")" -refineSearch "EXTEND(7,0).REGEX_SELECT(re#http://#)"
Done

> sh rewrite action refineSearch_act_31
Name: refineSearch_act_31
Operation: replace_all
Target:HTTP.RES.BODY(100000)
Refine Search:EXTEND(7,0).REGEX_SELECT(re#http://#)
Value:"https://"
Search: patset("pat_list_2")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • REPLACE_HTTP_RES <string_builder_expr>. Replaces the complete HTTP response with the string defined by the string-builder expression.

Example:

> add rewrite action replace_http_res_act replace_http_res '"HTTP/1.1 200 OK\r\n\r\nSending from ADC"'
 Done
> sh rewrite action replace_http_res_act
Name: replace_http_res_act
Operation: replace_http_res
Target:"HTTP/1.1 200 OK
Sending from ADC"
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • REPLACE_SIP_RES <target>. Replaces the complete SIP response with the string specified by <target>.

Example:

> add rewrite action replace_sip_res_act replace_sip_res '"HTTP/1.1 200 OK\r\n\r\nSending from ADC"'
Done
> sh rewrite action replace_sip_res_act
Name: replace_sip_res_act
Operation: replace_sip_res
Target:"HTTP/1.1 200 OK
Sending from ADC"
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • INSERT_HTTP_HEADER <header_string_builder_expr> <contents_string_builder_expr>. Inserts the HTTP header specified by <header_string_builder_expr> and header contents specified by <contents_string_builder_expr>.

Example:

> add rewrite action ins_cip_header insert_http_header "CIP" "CLIENT.IP.SRC"
Done
> sh rewrite action ins_cip_header
Name: ins_cip_header
Operation: insert_http_header
Target:CIP
Value:CLIENT.IP.SRC
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • DELETE_HTTP_HEADER <target>. Deletes the HTTP header specified by <target>.

Example:

> add rewrite action del_true_client_ip_header delete_http_header "True-Client-IP"
Done
> sh rewrite action del_true_client_ip_header
Name: del_true_client_ip_header
Operation: delete_http_header
Target:True-Client-IP
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • CORRUPT_HTTP_HEADER <target>. Replaces the header name of all occurrences of the HTTP header specified by <target> with a corrupted name, so that it is not recognized by the receiver. For example, MY_HEADER is changed to MHEY_ADER.

Example:


> add rewrite action corrupt_content_length_hdr corrupt_http_header "Content-Length"
Done
> sh rewrite action corrupt_content_length_hdr
Name: corrupt_content_length_hdr
Operation: corrupt_http_header
Target:Content-Length
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • INSERT_BEFORE <string_builder_expr1> <string_builder_expr2>. Finds the string specified in <string_builder_expr1> and inserts the string in <string_builder_expr2> before it.

Example:

> add rewrite action insert_before_ex_act insert_before http.res.body(100) '"Add this string in the starting"'
Done
> sh rewrite action insert_before_ex_act
Name: insert_before_ex_act
Operation: insert_before
Target:http.res.body(100)
Value:"Add this string in the starting"
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • INSERT_BEFORE_ALL <target> <string_builder_expr1> -(pattern|search) <string_builder_expr2>. In the request or response specified by <target>, locates all occurrences of the string specified in <string_builder_expr1> and inserts the string specified in <string_builder_expr2> before it. You can use a PCRE-format pattern or the search facility to find the strings.

Example:


> add policy patset pat
 Done
> bind policy patset pat abcd
 Done
> add rewrite action refineSearch_act_1 insert_before_all http.res.body(10) 'target.prefix(10) + "refineSearch_testing"' -search patset("pat") -refineSearch extend(10,10)
 Done
> sh rewrite action refineSearch_act_1
Name: refineSearch_act_1
Operation: insert_before_all
Target:http.res.body(10)
Refine Search:extend(10,10)
Value:target.prefix(10) + "refineSearch_testing"
Search: patset("pat")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • INSERT_AFTER <string_builder_expr1> <string_builder_expr2>. Finds the string specified in <string_builder_expr1>, and inserts the string specified in <string_builder_expr2> after it.

Example:

> add rewrite action insert_after_act insert_after http.req.body(100) '"add this string after 100 bytes"'
Done
> sh rewrite action insert_after_act
Name: insert_after_act
Operation: insert_after
Target:http.req.body(100)
Value:"add this string after 100 bytes"
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • INSERT_AFTER_ALL <target> <string_builder_expr1> -(pattern|search) <string_builder_expr2>. In the request or response specified by <target>, locates all occurrences of the string specified by <string_builder_expr1> and inserts the string specified by <string_builder_expr2> after each. You can use a PCRE-format pattern or the search facility to find the strings.

Example:


> add rewrite action refineSearch_act_2 insert_after_all http.res.body(100) '"refineSearch_testing"' -search text("abc") -refineSearch extend(0, 10)
Done
> sh rewrite action refineSearch_act_2
Name: refineSearch_act_2
Operation: insert_after_all
Target:http.res.body(100)
Refine Search:extend(0, 10)
Value:"refineSearch_testing"
Search: text("abc")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • DELETE <target>. Finds and deletes the specified target.

Example:

> add rewrite action delete_ex_act delete http.req.header("HDR")
Done
> sh rewrite action delete_ex_act
Name: delete_ex_act
Operation: delete
Target:http.req.header("HDR")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • DELETE_ALL <target> -(pattern|search) <string_builder_expr>. In the request or response specified by <target>, locates and deletes all occurrences of the string specified by <string_builder_expr>. You can use a PCRE-format pattern or the search facility to find the strings.

Example:


> add rewrite action refineSearch_act_4 delete_all "HTTP.RES.BODY(50000)" -search text("Windows Desktops") -refineSearch "EXTEND(40,40).REGEX_SELECT(re#\\s*<AppData>.*\\s*<\\/AppData>#)"
Done
> show REWRITE action refineSearch_act_4
Name: refineSearch_act_4
Operation: delete_all
Target:HTTP.RES.BODY(50000)
Refine Search:EXTEND(40,40).REGEX_SELECT(re#\s*<AppData>.*\s*<\/AppData>#)
Search: text("Windows Desktops")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • REPLACE_DIAMETER_HEADER_FIELD <target> <field value>. In the request or response, modifies the header field specified by <target>. Use Diameter.req.flags.SET(<flag>) or Diameter.req.flags.UNSET(<flag>) as the string-builder expression to set or unset flags.

Example:


> add rewrite action replace_diameter_field_ex_act  replace_diameter_header_field diameter.req.flags diameter.req.flags.set(PROXIABLE)
Done
> sh rewrite action replace_diameter_field_ex_act
Name: replace_diameter_field_ex_act
Operation: replace_diameter_header_field
Target:diameter.req.flags
Value:diameter.req.flags.set(PROXIABLE)
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • REPLACE_DNS_HEADER_FIELD <target>. In the request or response, modifies the header field specified by <target>.

Example:


> add rewrite action replace_dns_hdr_act replace_dns_header_field dns.req.header.flags.set(AA)
Done
> sh rewrite action replace_dns_hdr_act
Name: replace_dns_hdr_act
Operation: replace_dns_header_field
Target:dns.req.header.flags.set(AA)
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • REPLACE_DNS_ANSWER_SECTION <target>. Replaces the DNS answer section in the response. This is currently applicable for A and AAAA records only. Use DNS.NEW_RRSET_A and DNS.NEW_RRSET_AAAA expressions to configure the new answer section.

Example:


> add rewrite action replace_dns_ans_act replace_dns_answer_section  DNS.NEW_RRSET_A("1.1.1.1", 10)
Done
> sh rewrite action replace_dns_ans_act
Name: replace_dns_ans_act
Operation: replace_dns_answer_section
Target:DNS.NEW_RRSET_A("1.1.1.1", 10)
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • CLIENTLESS_VPN_DECODE <target>. Decodes the pattern specified by <target> in clientless VPN format.

Example:


> add rewrite action cvpn_decode_act_1 clientless_vpn_decode http.req.body(100)
Done
> sh rewrite action cvpn_decode_act_1
Name: cvpn_decode_act_1
Operation: clientless_vpn_decode
Target:http.req.body(100)
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • CLIENTLESS_VPN_DECODE_ALL <target> -search <expression>. Decodes all the patterns specified by the search parameter in clientless VPN format.

Example:


> add rewrite action act1 clientless_vpn_decode_all http.req.body(100) -search text("abcd")
Done
> sh rewrite action act1
Name: act1
Operation: clientless_vpn_decode_all
Target:http.req.body(100)
Search: text("abcd")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • CLIENTLESS_VPN_ENCODE <target>. Encodes the pattern specified by <target> in clientless VPN format.

Example:


> add rewrite action cvpn_encode_act_1 clientless_vpn_encode http.req.body(100)
Done
> sh rewrite action cvpn_encode_act_1
Name: cvpn_encode_act_1
Operation: clientless_vpn_encode
Target:http.req.body(100)
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • CLIENTLESS_VPN_ENCODE_ALL <target> -search <expression>. Encodes all the patterns specified by the search parameter in clientless VPN format.

Example:


> add rewrite action act2 clientless_vpn_encode_all http.req.body(100) -search text("abcd")
Done
> sh rewrite action act2
Name: act2
Operation: clientless_vpn_encode_all
Target:http.req.body(100)
Search: text("abcd")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • CORRUPT_SIP_HEADER <target>. Replaces the header name of all occurrences of the SIP header specified by <target> with a corrupted name, so that the receiver doesn’t recognize it.

Example:


> add rewrite action corrupt_sip_hdr_act corrupt_sip_header SIP_HDR
Done
> sh rewrite action corrupt_sip_hdr_act
Name: corrupt_sip_hdr_act
Operation: corrupt_sip_header
Target:SIP_HDR
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • INSERT_SIP_HEADER <header_string_builder_expr> <contents_string_builder_expr>. Inserts the SIP header specified by <header_string_builder_expr> and header contents specified by <contents_string_builder_expr>.

Example:


> add rewrite action insert_sip_hdr_act insert_sip_header SIP_HDR '"inserting_sip_header"'
 Done
> sh rewrite action insert_sip_hdr_act
Name: insert_sip_hdr_act
Operation: insert_sip_header
Target:SIP_HDR
Value:"inserting_sip_header"
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

  • DELETE_SIP_HEADER <target>. Deletes the SIP header specified by <target>.

Example:


> add rewrite action delete_sip_hdr delete_sip_header  SIP_HDR
Done
> sh rewrite action delete_sip_hdr
Name: delete_sip_hdr
Operation: delete_sip_header
Target:SIP_HDR
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done


Target parameter

The Target parameter is an expression that specifies which part of the request or response to rewrite.

StringBuilderExpr

The StringBuilderExpr is an expression that specifies the content that is to be inserted into the request or response at the specified location. This expression replaces a specified string.

Example 1. Inserting an HTTP Header With the Client IP:


> add rewrite action insertact INSERT_HTTP_HEADER "client-IP" CLIENT.IP.SRC
Done
> show rewrite action insertact
Name: insertact
Operation: insert_http_header
Target:Client-IP
Value:CLIENT.IP.SRC
BypassSafetyCheck : NO
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done


Example 2. Replacing Strings in a TCP Payload (TCP Rewrite):


> add rewrite action client_tcp_payload_replace_all REPLACE_ALL 'client.tcp.payload(1000)' '"new-string"' -search text("old-string")
Done
> show rewrite action client_tcp_payload_replace_all
Name: client_tcp_payload_replace_all
Operation: replace_all
Target:client.tcp.payload(1000)
Value:"new-string"
Search: text("old-string")
BypassSafetyCheck : NO
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done
>

Search a part of the request or response to rewrite

The Search functionality helps to find all the instances of the required pattern in the request or response.

The Search functionality is required in the following action types:

  • INSERT_BEFORE_ALL
  • INSERT_AFTER_ALL
  • REPLACE_ALL
  • DELETE_ALL
  • CLIENTLESS_VPN_ENCODE_ALL
  • CLIENTLESS_VPN_DECODE_ALL

The Search functionality cannot be used with the following Action types:

  • INSERT_HTTP_HEADER
  • INSERT_BEFORE
  • INSERT_AFTER
  • REPLACE
  • DELETE
  • DELETE_HTTP_HEADER
  • CORRUPT_HTTP_HEADER
  • REPLACE_HTTP_RES
  • CLIENTLESS_VPN_ENCODE
  • CLIENTLESS_VPN_DECODE
  • INSERT_SIP_HEADER
  • DELETE_SIP_HEADER
  • CORRUPT_SIP_HEADER
  • REPLACE_DIAMETER_HEADER_FIELD
  • REPLACE_DNS_ANSWER_SECTION
  • REPLACE_DNS_HEADER_FIELD
  • REPLACE_SIP_RES
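
The two lists above, together with this page's statements that Refine Search can only be used if Search is used and that Pattern is deprecated, can be checked mechanically before a configuration is applied. The following Python lint is an added example, not Citrix code: the function names, the finding messages and every sample command except the first are constructed here, and shlex is assumed to approximate the ADC CLI quoting closely enough to locate the flags.

```python
import shlex

# Action types for which the page says Search is required.
SEARCH_REQUIRED = {
    "INSERT_BEFORE_ALL", "INSERT_AFTER_ALL", "REPLACE_ALL", "DELETE_ALL",
    "CLIENTLESS_VPN_ENCODE_ALL", "CLIENTLESS_VPN_DECODE_ALL",
}
# Action types for which the page says Search cannot be used.
SEARCH_FORBIDDEN = {
    "INSERT_HTTP_HEADER", "INSERT_BEFORE", "INSERT_AFTER", "REPLACE", "DELETE",
    "DELETE_HTTP_HEADER", "CORRUPT_HTTP_HEADER", "REPLACE_HTTP_RES",
    "CLIENTLESS_VPN_ENCODE", "CLIENTLESS_VPN_DECODE", "INSERT_SIP_HEADER",
    "DELETE_SIP_HEADER", "CORRUPT_SIP_HEADER", "REPLACE_DIAMETER_HEADER_FIELD",
    "REPLACE_DNS_ANSWER_SECTION", "REPLACE_DNS_HEADER_FIELD", "REPLACE_SIP_RES",
}
KNOWN_FLAGS = {"-search", "-pattern", "-refinesearch", "-comment"}


def lint_rewrite_action(command):
    """Return a list of findings for one 'add rewrite action' command line."""
    try:
        # shlex only approximates ADC CLI quoting (assumption); it is enough
        # to keep quoted expressions together while the flags are located.
        tokens = shlex.split(command.strip().lstrip(">").strip())
    except ValueError as exc:
        return [f"unparseable quoting: {exc}"]
    if len(tokens) < 6 or [t.lower() for t in tokens[:3]] != ["add", "rewrite", "action"]:
        return ["not an 'add rewrite action <name> <type> <target> ...' command"]
    action_type = tokens[4].upper()
    flags = {t.lower() for t in tokens[5:]} & KNOWN_FLAGS
    findings = []
    if action_type not in SEARCH_REQUIRED | SEARCH_FORBIDDEN:
        findings.append(f"{action_type} is not in either Search list")
    if "-pattern" in flags:
        findings.append("-pattern is deprecated from Citrix ADC 12.0 build 56.20 onwards; use -search")
    if action_type in SEARCH_REQUIRED and not flags & {"-search", "-pattern"}:
        findings.append(f"{action_type} requires -search")
    if action_type in SEARCH_FORBIDDEN and "-search" in flags:
        findings.append(f"{action_type} cannot be used with -search")
    if "-refinesearch" in flags and "-search" not in flags:
        findings.append("-refineSearch is only valid together with -search")
    return findings


# The first command is this page's INSERT_BEFORE_ALL example; the other
# three are constructed here to trigger one rule each.
SAMPLE_COMMANDS = [
    r"""> add rewrite action refineSearch_act_1 insert_before_all http.res.body(10) 'target.prefix(10) + "refineSearch_testing"' -search patset("pat") -refineSearch extend(10,10)""",
    r"""> add rewrite action bad_missing replace_all http.res.body(100) '"x"'""",
    r"""> add rewrite action bad_extra replace http.res.body(100) '"x"' -search text("abc")""",
    r"""> add rewrite action old_style delete_all http.res.body(100) -pattern "abc" -refineSearch extend(0,5)""",
]


def lint_all(commands=SAMPLE_COMMANDS):
    """Lint every command and return the findings in the same order."""
    return [lint_rewrite_action(c) for c in commands]


if __name__ == "__main__":
    for cmd, findings in zip(SAMPLE_COMMANDS, lint_all()):
        print(cmd.split()[4], "->", findings or "ok")
```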

The following Search types are supported:

  • Text - A literal string. Example: -search text("hello")
  • Regular expression - A pattern that is used to match multiple strings in the request or response. Example: -search regex(re~^hello*~)
  • XPATH - An XPATH expression to search XML. Example: -search xpath(xp%/a/b%)
  • JSON - An XPATH expression to search JSON. Example: -search xpath_json(xp%/a/b%)
  • HTML - An XPATH expression to search HTML. Example: -search xpath_html(xp%/html/body%)
  • Patset - Searches all the patterns bound to the patset entity. Example: -search patset("patset1")
  • Dataset - Searches all the patterns bound to the dataset entity. Example: -search dataset("dataset1")
  • AVP - An AVP number that is used to match multiple AVPs in a Diameter/Radius message. Example: -search avp(999)

Refine the search results

You can use the Refine Search functionality to specify the additional criteria to refine the search results. Refine Search functionality can only be used if Search functionality is used. The Refine search parameter always starts with the “extend(m,n)” operation, where ‘m’ specifies a number of bytes to the left of the search result and ‘n’ specifies a number of bytes to the right of the search result to extend the selected area.

If the configured rewrite action is:


> add rewrite action test_refine_search replace_all http.res.body(10) '"testing_refine_search"' -search text("abc") -refineSearch extend(1,1)

And the HTTP response body is abcxxxx456.

Then the search parameter finds the pattern “abc”, and because the refineSearch parameter is configured to include one extra byte to the left and one extra byte to the right of the matched pattern, the text selected for replacement is abcx (the match is at the start of the body, so there is no byte to its left). The output of this action is therefore testing_refine_searchxxx456.
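
The selection logic described above, as an added Python model (not Citrix code): it reproduces the abcxxxx456 case and also carries the EXTEND(7,0).REGEX_SELECT(re#http://#) refinement from this page's REPLACE_ALL example through a constructed HTML body. Assumptions: the extended region is clipped at the body boundaries, REGEX_SELECT keeps the first regex match inside that region, a search result with no regex match is left untouched, and Python's re stands in for PCRE; the function names are hypothetical.

```python
import re


def refined_spans(body, needles, left, right, select=None):
    """Return the (start, end) spans a *_ALL action would act on.

    needles: literal search strings (text(...) or the patterns of a patset).
    left, right: the m and n of extend(m,n).
    select: optional regex standing in for .REGEX_SELECT(re#...#).
    """
    spans = []
    search = re.compile("|".join(re.escape(n) for n in needles))
    for hit in search.finditer(body):
        # extend(m,n): widen the search result, clipped at the body edges.
        start = max(0, hit.start() - left)
        end = min(len(body), hit.end() + right)
        if select is not None:
            narrowed = re.search(select, body[start:end])
            if narrowed is None:
                continue  # refinement did not match: leave this result alone
            start, end = start + narrowed.start(), start + narrowed.end()
        spans.append((start, end))
    return spans


def replace_all(body, replacement, spans):
    """Replace every span with the replacement text, left to right."""
    out, pos = [], 0
    for start, end in spans:
        if start < pos:
            continue  # overlapping span: skipped in this model (assumption)
        out.append(body[pos:start])
        out.append(replacement)
        pos = end
    out.append(body[pos:])
    return "".join(out)


def worked_example():
    """The page's case: text("abc") with extend(1,1) on body abcxxxx456."""
    body = "abcxxxx456"
    spans = refined_spans(body, ["abc"], 1, 1)
    selected = body[spans[0][0]:spans[0][1]]
    return selected, replace_all(body, "testing_refine_search", spans)


def upgrade_links():
    """patset hosts with EXTEND(7,0).REGEX_SELECT(re#http://#) -> "https://"."""
    # Constructed response body: one listed host over http, one host that is
    # not in the patset, and one listed host that is already https.
    body = (
        '<a href="http://www.abc.com/x">a</a> '
        '<a href="http://www.other.com/">o</a> '
        '<a href="https://www.def.com/">d</a>'
    )
    spans = refined_spans(body, ["www.abc.com", "www.def.com"], 7, 0, select=r"http://")
    return replace_all(body, "https://", spans)


if __name__ == "__main__":
    print(worked_example())
    print(upgrade_links())
```

Only the listed host that is still served over http is changed; the host outside the patset and the link that is already https are left as they were.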

Example 1: Using the Refine search functionality in INSERT_BEFORE_ALL action type.


> add policy patset pat
Done
> bind policy patset pat abcd
Done
> add rewrite action refineSearch_act_1 insert_before_all http.res.body(10) 'target.prefix(10) + "refineSearch_testing"' -search patset("pat") -refineSearch extend(10,10)
Done
> sh rewrite action refineSearch_act_1
Name: refineSearch_act_1
Operation: insert_before_all
Target:http.res.body(10)
Refine Search:extend(10,10)
Value:target.prefix(10) + "refineSearch_testing"
Search: patset("pat")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done


Example 2: Using the Refine search functionality in INSERT_AFTER_ALL action type.


> add rewrite action refineSearch_act_2 insert_after_all http.res.body(100) '"refineSearch_testing"' -search text("abc") -refineSearch extend(0, 10)
Done
> sh rewrite action refineSearch_act_2
Name: refineSearch_act_2
Operation: insert_after_all
Target:http.res.body(100)
Refine Search:extend(0, 10)
Value:"refineSearch_testing"
Search: text("abc")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done


Example 3: Using the Refine search functionality in REPLACE_ALL action type.


> add policy patset pat_list_2
Done
> bind policy patset pat_list_2 "www.abc.com"
Done
> bind policy patset pat_list_2 "www.def.com"
Done
> add rewrite action refineSearch_act_31 replace_all "HTTP.RES.BODY(100000)" "\"https://\"" -search "patset(\"pat_list_2\")" -refineSearch "EXTEND(7,0).REGEX_SELECT(re#http://#)"
Done
> sh rewrite action refineSearch_act_31
Name: refineSearch_act_31
Operation: replace_all
Target:HTTP.RES.BODY(100000)
Refine Search:EXTEND(7,0).REGEX_SELECT(re#http://#)
Value:"https://"
Search: patset("pat_list_2")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done


Example 4: Using the Refine search functionality in DELETE_ALL action type.


> add rewrite action refineSearch_act_4 delete_all "HTTP.RES.BODY(50000)" -search text("Windows Desktops") -refineSearch "EXTEND(40,40).REGEX_SELECT(re#\\s*<AppData>.*\\s*<\\/AppData>#)"
> show REWRITE action refineSearch_act_4
Name: refineSearch_act_4
Operation: delete_all
Target:HTTP.RES.BODY(50000)
Refine Search:EXTEND(40,40).REGEX_SELECT(re#\s*<AppData>.*\s*<\/AppData>#)
Search: text("Windows Desktops")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done
>

Example 5: Using the Refine Search functionality in CLIENTLESS_VPN_ENCODE_ALL action type.

> add rewrite action act2 clientless_vpn_encode_all http.req.body(100) -search text("abcd")
Done
> sh rewrite action act2
Name: act2
Operation: clientless_vpn_encode_all
Target:http.req.body(100)
Search: text("abcd")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done

Example 6: Using the Refine Search functionality in CLIENTLESS_VPN_DECODE_ALL action type.


> add rewrite action act1 clientless_vpn_decode_all http.req.body(100) -search text("abcd")
Done
> sh rewrite action act1
Name: act1
Operation: clientless_vpn_decode_all
Target:http.req.body(100)
Search: text("abcd")
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done
>

Modify an existing rewrite action by using the command line interface

At the command prompt, type the following commands to modify an existing rewrite action and verify the configuration:

  • set rewrite action <name> [-target <expression>] [-stringBuilderExpr <expression>] [-pattern <expression> | -search <expression>] [-refineSearch <expression>] [-comment <string>]
  • show rewrite action <name>

Example:


> set rewrite action insertact -target "Client-IP"
 Done
> show rewrite action insertact

Name: insertact
Operation: insert_http_header
Target:Client-IP
Value:CLIENT.IP.SRC
Hits: 0
Undef Hits: 0
Action Reference Count: 0
Done


Remove a rewrite action by using the command line interface

At the command prompt, type the following commands to remove a rewrite action:

rm rewrite action <name>

Example:


> rm rewrite action insertact
Done


Configure a rewrite action by using the configuration utility

  1. Navigate to AppExpert > Rewrite > Actions.
  2. In the details pane, do one of the following:
    • To create an action, click Add.
    • To modify an existing action, select the action, and then click Edit.
  3. Click Create or OK. A message appears in the status bar, stating that the Action has been configured successfully.
  4. Repeat steps 2 through 4 to create or modify as many rewrite actions as you want.
  5. Click Close.

Add an expression by using the Add Expression dialog box

  1. In the Create Rewrite Action or Configure Rewrite Action dialog box, under the text area for the type argument you want to enter, click Add.
  2. In the Add Expression dialog box, in the first list box choose the first term for your expression.

    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
    • SYS. The protected Web sites. Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.

When you make your choice, the rightmost list box lists appropriate terms for the next part of your expression.

  3. In the second list box, choose the second term for your expression. The choices depend upon which choice you made in the previous step, and are appropriate to the context. After you make your second choice, the Help window below the Construct Expression window (which was blank) displays help describing the purpose and use of the term you just chose.

  4. Continue choosing terms from the list boxes that appear to the right of the previous list box, or typing strings or numbers in the text boxes that appear to prompt you to enter a value, until your expression is finished. For more information about the PI expressions language and creating expressions for responder policies, see “Policies and Expressions.”

If you want to test the effect of a rewrite action when used on sample HTTP data, you can use the Rewrite Expression Evaluator.

Rewrite TCP payloads

Target expressions in actions for TCP rewrite must begin with one of the following expression prefixes:

  • CLIENT.TCP.PAYLOAD. For rewriting TCP payloads in client requests. For example, CLIENT.TCP.PAYLOAD(10000).AFTER_STR("string1").
  • SERVER.TCP.PAYLOAD. For rewriting TCP payloads in server responses. For example, SERVER.TCP.PAYLOAD(1000).B64DECODE.BETWEEN("string1","string2").

Evaluate a rewrite action by using the Rewrite Action Evaluator dialog box

  1. In the Rewrite Actions details pane, select the rewrite action that you want to evaluate, and then click Evaluate.
  2. In the Rewrite Expression Evaluator dialog box, specify values for the following parameters. (An asterisk indicates a required parameter.)

    • Rewrite Action - If the rewrite action you want to evaluate is not already selected, select it from the drop-down list. After you select a Rewrite action, the Details section displays the details of the selected Rewrite action.
    • New - Select New to open the Create Rewrite Action dialog box and create a rewrite action.
    • Modify - Select Modify to open the Configure Rewrite Action dialog box and modify the selected rewrite action.
    • Flow Type - Specifies whether to test the selected rewrite action with HTTP Request data or HTTP Response data. The default is Request. If you want to test with Response data, select Response.
    • HTTP Request/Response Data* - Provides a space for you to provide the HTTP data that the Rewrite Action Evaluator uses for testing. You can paste the data directly into the window, or click Sample to insert some sample HTTP headers.
    • Show end-of-line - Specifies whether to show UNIX-style end-of-line characters (\n) at the end of each line of sample HTTP data.
    • Sample - Inserts sample HTTP data into the HTTP Request/Response Data window. You can choose either GET or POST data.
    • Browse - Opens a local browse window so that you can choose a file containing sample HTTP data from a local or network location.
    • Clear - Clears the current sample HTTP data from the HTTP Request/Response Data window.

  3. Click Evaluate. The Rewrite Action Evaluator evaluates the effect of the Rewrite action on the sample data that you chose, and displays the results as modified by the selected Rewrite action in the Results window. Additions and deletions are highlighted as indicated in the legend in the lower left-hand corner of the dialog box.
  4. Continue evaluating Rewrite actions until you have determined that all of your actions have the effect that you wanted.

    • You can modify the selected rewrite action and test the modified version by clicking Modify to open the Configure Rewrite Action dialog box, making and saving your changes, and then clicking Evaluate again.
    • You can evaluate a different rewrite action using the same request or response data by selecting it from the Rewrite Action drop-down list, and then clicking Evaluate again.
  5. Click Close to close the Rewrite Expression Evaluator and return to the Rewrite Actions pane.

  6. To delete a rewrite action, select the rewrite action you want to delete, then click Remove and, when prompted, confirm your choice by clicking OK.