Custom Rules Syntax

A custom rule query is composed of terms and operators.
Multiple terms can be combined together with Boolean operators to form a more complex query

Term

All fields are listed below.
Fields and values are case sensitive.

field:value

Boolean Operator

Three boolean operators are available: AND OR NOT

Wildcard Searches

Wildcard searches * look for 0 or more characters.
For example, to include test, tests or tester in the same search, you can type the following:

useragent:test*

The wildcard character * cannot be used inside a double quote. Therefore you should avoid special characters.

Range Searches

Range queries allow to match documents with field(s) values that are between lower and upper bounds specified by the range query.
Range queries can be inclusive or exclusive of the lower and upper bounds.

ip:[1.2.3.4 TO 1.2.3.9]

Grouping

Grouping is using parentheses to group clauses to form sub-queries. This can be very useful if you want to control the boolean logic for a query.

The query example below allows/blocks requests incoming from "www.example.com" and are using one of these criteria:

  • useragent: test
  • ip: 1.2.3.4
(useragent:"test" OR ip:"1.2.3.4") AND domain:"www.example.com"

The query example below allows/blocks requests incoming from "www.example.com" and are using one of these criteria:

  • useragent: test
  • useragent: mywork
useragent:("test" OR "mywork") AND domain:"www.example.com"

Special Characters

The following characters need to be avoided by using a backslash:
+ - & | ! ( ) { } [ ] ^ " ~ * ? : \

useragent:*Windows\ NT* AND url:*\+*

Available fields

DataDome Name

Type

Example

Description

asn

Number

asn:(14618 OR 16509 OR 38895)

Block/allow all requests using an (Autonomous System Number) ASN:

  • 14618
  • 16509
  • 38895

city

String

city:"Paris"

Block/allow all requests incoming from:

  • Paris

countrycode

String

NOT countrycode:(BE OR BG OR CZ OR DK OR DE OR

EE OR IE OR EL OR ES OR FR OR HR OR IT OR CY OR

LV OR LT OR LU OR HU OR MT OR NL OR AT OR PL OR

PT OR RO OR SI OR SK OR FI OR SE OR UK OR IS OR

LI OR NO OR CH)

Block/allow all requests that are not incoming from:

  • A European country
  • When there is a link to all country codes

domain

String

domain:*.back.example.com

Block/allow all requests going to:

  • dashboard.back.example.com
  • bo.back.example.com

fileextension

String

fileextension:"php"

Block/allow all php requests

ip

IP

ip:[1.2.3.4 TO 1.2.3.6]
ip:"1.2.3.4"
ip:"2001:0db8:85a3:0000:0000:8a2e:0370:7334"

Block/allow all requests with IP :

  • Range: 1.2.3.4 , 1.2.3.5 , 1.2.3.4.6
  • Single IPv4: 1.2.3.4
  • Single IPv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334

method

String

method:"POST"

Block/allow all requests with:

  • POST Method

protocol

String

protocol:"http"

Block/allow all requests with:

  • HTTP protocol

referer

String

referer:"www.example.com/example"

Block/allow all requests incoming from:

  • "www.example.com/example"

refererdomain

String

refererdomain:"www.google.fr"

Block/allow all requests incoming from:

  • "www.google.fr"

reversedns

String

reversedns:*.example.com

Block/allow all requests with a Reverse DNS:

  • mail.example.com
  • IP-34-45-56-23-box.example.com

sessionid

String

sessionid:AHrlqAAAAAMA2mpXOOaaUKMA0Y0tvQ==

Block a specific session ID.

tor

Boolean

tor:true

Block/allow all request using:

  • tor network
  • not false
  • Not using Tor:false
  • You can use NOT Tor:true

url

String

url:(?utm_source=myUtm OR &utm_source=myUtm)

Block/allow all requests using:

  • utm_source=myUtm

useragent

String

useragent:"AdsBot-Google (+http://www.google.com/adsbot.html)"

Block/allow all requests with the user agent: