ASM - 200001067 Attack Signature

Question

Struggling to find info on this AS and wanted to know if it was safe to disable it on a parameter or if there is a better approach. I am on 10.2&nbsp;
thanks&nbsp;
Lance&nbsp;
 &nbsp;

lance_99151 · Answer

Signature ID 200001067 - mocha (Parameter)&nbsp;
Blocking Mask&nbsp;
Learn - Yes; Alarm - Yes; Block - Yes&nbsp;
Details&nbsp;
Context: Parameter&nbsp;
Parameter Level: Global&nbsp;
Wildcard Parameter Name: *&nbsp;
Actual Parameter Name: searchTerm&nbsp;
Parameter Value: Mocha&nbsp;
Detected Keywords: searchTerm=Mocha&nbsp;

torti · Answer

I recommend to disable this, allways. There exists a lot of possible parameter, like cities, email address, name, which can contain the substring mocha.

cory_50405 · Answer

We've disabled this attack signature for parameters across several security policies.  The accuracy of the signature is low, so the false positive rate is high.  I wouldn't necessarily disable it for every parameter or on every policy, but just do so on policies/parameters that are problematic.

Forum Discussion

ASM - 200001067 Attack Signature

3 Replies

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

T4 and ALL tenant images

Unable to Forward APM and AFM Logs to AWS CloudWatch Using Telemetry Streaming

Managing iRules configuration

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM

[ASM] - How to disable the SQL injection attack signatures

Related Content

November Security Research Update: Newly Released Attack Signatures

Custom Attack Signatures

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack

Attack Signature False Positive Mode

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS