ASM - 200001067 Attack Signature

Question

Struggling to find info on this AS and wanted to know if it was safe to disable it on a parameter or if there is a better approach. I am on 10.2&nbsp;
thanks&nbsp;
Lance&nbsp;
 &nbsp;

lance_99151 · Answer

Signature ID 200001067 - mocha (Parameter)&nbsp;
Blocking Mask&nbsp;
Learn - Yes; Alarm - Yes; Block - Yes&nbsp;
Details&nbsp;
Context: Parameter&nbsp;
Parameter Level: Global&nbsp;
Wildcard Parameter Name: *&nbsp;
Actual Parameter Name: searchTerm&nbsp;
Parameter Value: Mocha&nbsp;
Detected Keywords: searchTerm=Mocha&nbsp;

torti · Answer

I recommend to disable this, allways. There exists a lot of possible parameter, like cities, email address, name, which can contain the substring mocha.

cory_50405 · Answer

We've disabled this attack signature for parameters across several security policies.  The accuracy of the signature is low, so the false positive rate is high.  I wouldn't necessarily disable it for every parameter or on every policy, but just do so on policies/parameters that are problematic.

Forum Discussion

ASM - 200001067 Attack Signature

3 Replies

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Cisco TACACS+ Config on ISE LTM Pair

iRule causing requests to be duplicated (sometimes)

SSL Bridging and FQDN rewrite Policy

How can I get started with iCall

Checking for X-Forwarded-For against an Address Data-Group

Related Content

November Security Research Update: Newly Released Attack Signatures

Custom Attack Signatures

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack

Post-Quantum Cryptography, OpenSSH, & s1ngularity supply chain attack

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS