Bug ID 691265: Protocol Inspection custom signatures require that http_header keyword have a leading space character

Last Modified: May 29, 2024

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
13.1.0,,,,,,,,, 13.1.1,,,,, 13.1.3,,,,,,, 13.1.4,, 13.1.5,

Fixed In:

Opened: Oct 27, 2017

Severity: 3-Major


When using the term 'http_header' as an attribute of a content check, there must be a leading space between it and the content semicolon ';' delimiter. Also, 'http_header' cannot be applied for the second or subsequent content checks if preceding content checks do not have it. It also must be the first attribute of a content check. This example fails validation because there is no space between ';' and 'http_header': alert tcp any any -> any any (content:User-agent;http_header; content:"mortest"; distance:1; nocase; sig_id:100020;) This example fails validation because 'http_header' is first used for the second content check. It also fails because 'http_header' comes after 'distance' and 'nocase' for the second content check: alert tcp any any -> any any (content:User-agent; content:"mortest"; distance:1; nocase; http_header; sig_id:100020;)


Custom signature fails validation.


This occurs when either of the following conditions are true: -- http_header is used for a content check that is not the first content check. -- http_header is used after other content parameters, such as 'distance' and 'nocase'.


Use the following workarounds: -- Use 'http_header' for initial content checks. -- Use 'http_header' before other content attributes, such as 'distance' and 'nocase'.

Fix Information

Protocol Inspection no longer requires such unnecessarily restrictive constraints when using the http_header keyword.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips