
ikkut23
Jan 06, 2025

Custom Attack Signature for Accept Header

Hi Guys,

In the past, I worked on an iRule to block specific Accept header patterns, and it was working fine. Now that we have WAF in place, I was wondering if this is something I could achieve using custom signatures instead.

The idea is:

  1. text/html,application/xhtml+xml,application/xml, - Block
  2. text/html,application/xhtml+xml,application/xml - Allow
  3. text/html,application/xhtml+xml,application/xml,application/rss+xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Allow
  4. text/html,application/xhtml+xml,application/xml,text/xml - Allow

And similar scenarios with other Accept headers.

Is this possible to achieve with F5 WAF, and if so, could anyone provide guidance on how to configure this properly?

I am currently using in the lab the following custom signature:

regex: re2:"/text\/html,application\/xhtml\+xml,application\/xml,/H"; nocase;

This works well to block text/html,application/xhtml+xml,application/xml, but the signature also triggers in the cases of 3 and 4, which I want to avoid.

Any suggestions or guidance would be appreciated.

Thnx.

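The matching behaviour described in the post, as an added example that is not part of the original post and is not F5 code: it runs the posted pattern, an end-anchored variant, and a general trailing-comma check over the four Accept values. Python's `re` stands in for the WAF's RE2 engine, all names are hypothetical, and whether `$` lands at the end of the Accept value inside the signature's `/H` scope is an assumption to confirm in the lab.

```python
import re

# The four Accept values from the post, with the verdict the poster wants.
CASES = [
    ("text/html,application/xhtml+xml,application/xml,", "block"),
    ("text/html,application/xhtml+xml,application/xml", "allow"),
    ("text/html,application/xhtml+xml,application/xml,application/rss+xml;q=0.9,"
     "image/avif,image/webp,image/apng,*/*;q=0.8,"
     "application/signed-exchange;v=b3;q=0.9", "allow"),
    ("text/html,application/xhtml+xml,application/xml,text/xml", "allow"),
]

PREFIX = r"text/html,application/xhtml\+xml,application/xml,"
# Pattern from the post: matches anywhere in the value, so every longer
# list that begins with the same three media types also hits.
UNANCHORED = re.compile(PREFIX, re.IGNORECASE)
# Same pattern, but the comma must be the last thing in the value
# (optional trailing blanks tolerated). Assumed anchoring, see lead-in.
ANCHORED = re.compile(PREFIX + r"[ \t]*$", re.IGNORECASE)
# Generalization for "other Accept headers": any value whose last
# list element is empty, whatever the media types before it.
TRAILING_COMMA = re.compile(r",[ \t]*$")


def verdict(pattern, value):
    """Return 'block' when the pattern matches the header value."""
    return "block" if pattern.search(value) else "allow"


def evaluate(pattern):
    """Verdicts for the four cases, in the order listed in the post."""
    return [verdict(pattern, value) for value, _ in CASES]


def mismatches(pattern):
    """1-based case numbers where the pattern disagrees with the wanted verdict."""
    return [i for i, (value, wanted) in enumerate(CASES, 1)
            if verdict(pattern, value) != wanted]


if __name__ == "__main__":
    for name, pat in [("unanchored", UNANCHORED), ("anchored", ANCHORED),
                      ("trailing comma", TRAILING_COMMA)]:
        print(f"{name:15} verdicts={evaluate(pat)} wrong on cases {mismatches(pat)}")
```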