Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP AFM
Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1
Fixed In:
14.0.0
Opened: Oct 27, 2017
Severity: 3-Major

When using the term 'http_header' as an attribute of a content check, there must be a leading space between it and the content semicolon ';' delimiter. Also, 'http_header' cannot be applied for the second or subsequent content checks if preceding content checks do not have it. It also must be the first attribute of a content check.

This example fails validation because there is no space between ';' and 'http_header':

    alert tcp any any -> any any (content:User-agent;http_header; content:"mortest"; distance:1; nocase; sig_id:100020;)

This example fails validation because 'http_header' is first used for the second content check. It also fails because 'http_header' comes after 'distance' and 'nocase' for the second content check:

    alert tcp any any -> any any (content:User-agent; content:"mortest"; distance:1; nocase; http_header; sig_id:100020;)
Custom signature fails validation.
This occurs when either of the following conditions is true:
-- http_header is used for a content check that is not the first content check.
-- http_header is used after other content parameters, such as 'distance' and 'nocase'.

Use the following workarounds:
-- Use 'http_header' for initial content checks.
-- Use 'http_header' before other content attributes, such as 'distance' and 'nocase'.
Protocol Inspection no longer requires such unnecessarily restrictive constraints when using the http_header keyword.
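
A pre-flight check for custom signatures destined for an affected version, as an added example (not F5's validator and not code from this page). The function name and rule labels are hypothetical, and it models only the three http_header constraints stated above, not the full signature grammar.

```python
import re

# Illustrative lint for the three http_header constraints described on this page.
# Not F5's validator: lint_signature and the rule labels are hypothetical names.
def lint_signature(sig):
    """Return the list of violated rules; an empty list means none were found."""
    start, end = sig.find("("), sig.rfind(")")
    if start < 0 or end < start:
        return ["no-options"]
    # Split the option block on ';' but keep ';' inside double quotes intact.
    tokens = re.findall(r'(?:[^;"]|"[^"]*")+', sig[start + 1:end])
    problems = []
    checks = []  # one entry per content check, in order of appearance
    for raw in tokens:
        name = raw.strip().split(":", 1)[0].strip()
        if not name:
            continue
        if name == "content":
            checks.append({"attrs": [], "has_header": False})
        elif name == "http_header":
            if not checks:  # guard added for this example, not a rule from the page
                problems.append("header-without-content")
                continue
            if not raw[0].isspace():
                problems.append("no-leading-space")
            if checks[-1]["attrs"]:
                problems.append("not-first-attribute")
            if any(not c["has_header"] for c in checks[:-1]):
                problems.append("earlier-content-lacks-header")
            checks[-1]["has_header"] = True
        elif checks:
            checks[-1]["attrs"].append(name)
    return problems

# The two failing signatures quoted on this page.
FAIL_NO_SPACE = ('alert tcp any any -> any any (content:User-agent;http_header; '
                 'content:"mortest"; distance:1; nocase; sig_id:100020;)')
FAIL_ORDER = ('alert tcp any any -> any any (content:User-agent; '
              'content:"mortest"; distance:1; nocase; http_header; sig_id:100020;)')
# Constructed sample: the first signature rewritten to follow the workarounds.
WORKAROUND = ('alert tcp any any -> any any (content:User-agent; http_header; '
              'content:"mortest"; distance:1; nocase; sig_id:100020;)')

if __name__ == "__main__":
    for label, sig in [("no space", FAIL_NO_SPACE), ("order", FAIL_ORDER),
                       ("workaround", WORKAROUND)]:
        print(label, "->", lint_signature(sig) or "ok")
```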