ASM - 200001067 Attack Signature

Question

Struggling to find info on this AS and wanted to know if it was safe to disable it on a parameter or if there is a better approach. I am on 10.2&nbsp;
thanks&nbsp;
Lance&nbsp;
 &nbsp;

lance_99151 · Answer

Signature ID 200001067 - mocha (Parameter)&nbsp;
Blocking Mask&nbsp;
Learn - Yes; Alarm - Yes; Block - Yes&nbsp;
Details&nbsp;
Context: Parameter&nbsp;
Parameter Level: Global&nbsp;
Wildcard Parameter Name: *&nbsp;
Actual Parameter Name: searchTerm&nbsp;
Parameter Value: Mocha&nbsp;
Detected Keywords: searchTerm=Mocha&nbsp;

torti · Answer

I recommend to disable this, allways. There exists a lot of possible parameter, like cities, email address, name, which can contain the substring mocha.

cory_50405 · Answer

We've disabled this attack signature for parameters across several security policies.  The accuracy of the signature is low, so the false positive rate is high.  I wouldn't necessarily disable it for every parameter or on every policy, but just do so on policies/parameters that are problematic.

Forum Discussion

ASM - 200001067 Attack Signature

Recent Discussions

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

ip x-forwarding

F5 ASM API-Protection Policy

Related Content

Mitigating JSON-based SQL injection with BIG-IP ASM / Advanced WAF Attack Signatures

Wildcard Parameter signature attack

Live Update- ASM attack signatures

Attacks against Domain Specific Languages, EU Cybersecurity Laws, & Supply Chain Attacks

Default Attack Signature Sets

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS