Bug ID 691265: Protocol Inspection custom signatures require that http_header keyword have a leading space character

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP AFM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Fixed In:
14.0.0

Opened: Oct 27, 2017
Severity: 3-Major

Symptoms

When 'http_header' is used as an attribute of a content check, the following constraints apply:
-- There must be a space between the ';' delimiter that ends the content value and 'http_header'.
-- 'http_header' cannot be applied to the second or subsequent content checks if preceding content checks do not have it.
-- 'http_header' must be the first attribute of a content check.

This example fails validation because there is no space between ';' and 'http_header':

    alert tcp any any -> any any (content:User-agent;http_header; content:"mortest"; distance:1; nocase; sig_id:100020;)

This example fails validation because 'http_header' is first used for the second content check. It also fails because 'http_header' comes after 'distance' and 'nocase' for the second content check:

    alert tcp any any -> any any (content:User-agent; content:"mortest"; distance:1; nocase; http_header; sig_id:100020;)

Impact

Custom signature fails validation.

Conditions

This occurs when either of the following conditions is true:
-- http_header is used for a content check that is not the first content check.
-- http_header is used after other content parameters, such as 'distance' and 'nocase'.

Workaround

Use the following workarounds:
-- Use 'http_header' for initial content checks.
-- Use 'http_header' before other content attributes, such as 'distance' and 'nocase'.
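
A pre-deployment check for custom signatures destined for affected 13.1.x systems, as an added example that is not F5 code. It tests only the three http_header constraints described above, not full signature validation. The function name `lint_http_header`, the tokenising regex, and the rule that options following a content check belong to it are assumptions of this sketch.

```python
import re

# One option: leading whitespace, then "key" or "key:value" up to ';'.
# A quoted value may itself contain ';'.
OPTION = re.compile(r'(\s*)((?:"[^"]*"|[^;"])+?)\s*;')

def lint_http_header(signature):
    """List the 13.1.x http_header constraints from Bug ID 691265 that a signature breaks."""
    body = signature[signature.index("(") + 1 : signature.rindex(")")]
    checks = []      # per content check: its attribute keywords, in order
    problems = []
    for m in OPTION.finditer(body):
        lead, key = m.group(1), m.group(2).split(":", 1)[0].strip()
        if key == "content":
            checks.append([])
        elif checks:
            # Assumption: everything up to the next content belongs to this check.
            checks[-1].append(key)
        if key == "http_header" and lead == "":
            problems.append("no space between ';' and http_header")
    seen_without = False
    for n, attrs in enumerate(checks, 1):
        if "http_header" not in attrs:
            seen_without = True
            continue
        if attrs[0] != "http_header":
            problems.append(f"content check {n}: http_header is not the first attribute")
        if seen_without:
            problems.append(f"content check {n}: earlier content check lacks http_header")
    return problems

# The two failing signatures quoted in the Symptoms section.
NO_SPACE = 'alert tcp any any -> any any (content:User-agent;http_header; content:"mortest"; distance:1; nocase; sig_id:100020;)'
LATE_USE = 'alert tcp any any -> any any (content:User-agent; content:"mortest"; distance:1; nocase; http_header; sig_id:100020;)'
# Constructed: the first signature rewritten per the Workaround section.
REWRITTEN = 'alert tcp any any -> any any (content:User-agent; http_header; content:"mortest"; distance:1; nocase; sig_id:100020;)'

if __name__ == "__main__":
    for sig in (NO_SPACE, LATE_USE, REWRITTEN):
        print(lint_http_header(sig) or "ok", "<-", sig)
```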

Fix Information

Protocol Inspection no longer imposes these unnecessarily restrictive constraints on the use of the http_header keyword.

Behavior Change