Need help writing an irule to bypass ASM attack signature for specific json parameter

Question

I have a problem with f5 WAF that protect my mobile application server. When I use upload image function on my mobile app, the image will be encoded to a very long string. Sometimes f5 blocks the request that contains some string match an attack signature. I think it's not a good practice to wait until user reports an error then I look for the error log and click learn to accept that false positive. 
I found "Check attack signatures" checkbox in f5 GUI to bypass attack signature for asm_json profile but this way will affect all json parameter. I need to bypass only request that related to an image. I think writing an irule may be able to help me but I don't know how to write it. Can someone guide me?

Example json parameter:
{"req":{"app":"MyMobile","dom":"MyMobile","srv":"User","op":"saveUserImage","header":{*
Example request:
{"req":{"app":"MyMobile","dom":"MyMobile","srv":"User","op":"saveUserImage","header":{"image":"\/9j\/4AAQSkZJRgABAQAASABIAAD\/4QBYRXhpZgAATU0AKgAAAAgAAgESAAMAAAABAAEAAIdpAAQAAAABAAAAJgAAAAAAA6ABAAMAAAABAAEAAKACAAQAAAABAAAB9KADAAQAAAABAAAB9AAAAAD\/7QA4UGhvdG9zaG9wIDMuMAA4QklNBAQAAAAAAAA4QklNBCUAAAAAABDUHYzZjwCyBOmACZjs+EJ+\/8AAEQgB9AH0AwEiAAIRAQMRAf\/EAB8AAAEFAQEBAQEBAAAAAAAAAAABAgMEBQYHCAkKC\/\/EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29\/j5+v\/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgMEBQYHCAkKC\/\/EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkjM1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uLj5OXm5+jp6vLz9PX29.....

boneyard · Answer

you don't require an iRule for that, just exclude the parameter from signature checking&nbsp;
https://devcentral.f5.com/questions/can-i-disable-specific-attack-signature-on-particular-url&nbsp;

Forum Discussion

Need help writing an irule to bypass ASM attack signature for specific json parameter

1 Reply

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Illegal Metacharacter in Parameter Name in Json Data

Cisco TACACS+ Config on ISE LTM Pair

AS3 declaration to set cookie to preferred

SSL Bridging and FQDN rewrite Policy

Checking for X-Forwarded-For against an Address Data-Group

Related Content

Wildcard Parameter signature attack

November Security Research Update: Newly Released Attack Signatures

NGINX App Protect v5 Signature Notifications

Custom Attack Signatures

APM-Specific Features for Securing Your Website

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS