Add all rule labels to events in F5 Rules for AWS WAF - Web exploits OWASP Rules

Question

Hi all,We're subscribed to the "F5 Rules for AWS WAF - Web exploits OWASP Rules" rules for AWS WAF via Marketplace, and we're looking at the labels that are added to events passing through the WAF. Currently we see only a single label added to all the events, regardless of which rule triggered a match, the label is:&nbsp;"labels": [ { "name": "awswaf:managed:f5:web-exploits-owasp-rules:OWASP4" } ],&nbsp;Is there any way to also see the specific rule that triggered, for example the `ruleId`, which we can see in the logs is `rule_Union_Based_AllQueryArguments_Body`.&nbsp;"terminatingRule": { "ruleId": "rule_Union_Based_AllQueryArguments_Body", "action": "BLOCK", "ruleMatchDetails": null },&nbsp;This would allow us to better handle false positives for specific rules, without disabling the entire thing.Does anyone have any ideas? Thanks

wenhaoc · Answer

Hello Ryan,
&nbsp;
In this case, the OWASP4 label was created by the terminating rule "rule_Union_Based_AllQueryArguments_Body". More importantly, we’ve received multiple reports of false positives on this rule following a recent update to our rule sets, so we’ve temporarily rolled back the update to further investigate and adjust the rules.&nbsp;If possible, could you share a few examples of the legitimate requests that were blocked by this rule? That will help us validate the false positive pattern and apply a targeted fix.
Note:&nbsp;With full request logging, you can share information on a rule suspected of blocking a legitimate request by performing the following tasks:

Log the HTTP requests that were blocked and the name of the rules that matched them.
Make sure that the requests do not contain sensitive information; if they do, mask the sensitive data with ****.

Please don’t hesitate to reach out if there’s anything else we can help with. Thank you.

ryan_c · Answer

Ah great thanks for your reply! We did see that it had started working again, and couldn't work out why.

In this case the request that was triggering it was a PATCH request with a JSON body that contained the following:

{"comment":"An example was \"The Teachers' Union\""}

Forum Discussion

Add all rule labels to events in F5 Rules for AWS WAF - Web exploits OWASP Rules

2 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Question/Advice on iRule Remediating the Telerik (Unsafe Reflection Vulnerability (CVE-2025-3600)

Resetting to Factory Default

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Issue with IIS and Client Component Service Load balancing

Syslog Filter Configuration for Separating Audit and LTM logs.

Related Content

Cross Site Scripting (XSS) Exploit Paths

Google Calendar Exploits, Fake AI Packages, Malware Arrests, and a Newly Proposed Exploit Metric

What is Web Cache Exploitation?

Mitigating OWASP Web Application Risk: Injection exploits using F5 BIG-IP

iRule Event Order Flowchart

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS