Custom Signatures
1 Topic

Custom Attack Signature for Accept Header

Hi guys,

In the past, I worked on an iRule to block specific Accept header patterns, and it was working fine. Now that we have WAF in place, I was wondering if this is something I could achieve using custom signatures instead.

The idea is:

1. text/html,application/xhtml+xml,application/xml, - Block
2. text/html,application/xhtml+xml,application/xml - Allow
3. text/html,application/xhtml+xml,application/xml,application/rss+xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 - Allow
4. text/html,application/xhtml+xml,application/xml,text/xml - Allow

And similar scenarios with other Accept headers.

Is this possible to achieve with F5 WAF, and if so, could anyone provide guidance on how to configure this properly?

I am currently using the following custom signature in the lab:

regex: re2:"/text\/html,application\/xhtml\+xml,application\/xml,/H"; nocase;

This works well to block text/html,application/xhtml+xml,application/xml, but the signature also triggers in cases 3 and 4, which I want to avoid.

Any suggestions or guidance would be appreciated. Thanks.

42 Views, 0 likes, 0 Comments
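The overmatch described in the post, reproduced as an added example (not part of the original post and not F5 configuration). Python's `re` stands in for the signature engine; the anchored pattern, the `lab.example` host and the raw header block layout are assumptions to verify against the WAF in the lab.

```python
import re

# Pattern from the post (the F5 wrapper re2:"/.../H"; nocase; is left out).
# It matches anywhere inside the headers, so longer Accept values also hit.
ORIGINAL = re.compile(r"text/html,application/xhtml\+xml,application/xml,", re.I)

# Assumed tightening: the value must be exactly the three types plus the
# trailing comma, anchored to the Accept line inside a raw header block.
ANCHORED = re.compile(
    r"^accept:[ \t]*text/html,application/xhtml\+xml,application/xml,[ \t]*\r?$",
    re.I | re.M,
)

# Constructed sample values: the four cases listed in the post.
CASES = {
    1: "text/html,application/xhtml+xml,application/xml,",
    2: "text/html,application/xhtml+xml,application/xml",
    3: "text/html,application/xhtml+xml,application/xml,application/rss+xml;q=0.9,"
       "image/avif,image/webp,image/apng,*/*;q=0.8,"
       "application/signed-exchange;v=b3;q=0.9",
    4: "text/html,application/xhtml+xml,application/xml,text/xml",
}


def header_block(accept):
    """Build a constructed raw header block with CRLF line endings."""
    return f"Host: lab.example\r\nAccept: {accept}\r\nUser-Agent: test\r\n\r\n"


def hits(pattern):
    """Return the case numbers whose header block the pattern matches."""
    return [n for n, value in CASES.items() if pattern.search(header_block(value))]


if __name__ == "__main__":
    print("original pattern matches cases:", hits(ORIGINAL))
    print("anchored pattern matches cases:", hits(ANCHORED))
```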