Custom Signature with Two Criteria

I am trying to create a custom attack signature that matches if one criteria is matched but NOT if both criteria are matched. Below is an example that would match the first criteria "headercontent:"jakarta"; nocase;" but NOT IF the second criteria was ALSO true. However, I cannot get it to work. Both of the string values are located within different parts of the HTTP request header.

Criteria

headercontent:"jakarta"; nocase; headercontent:!"X-Forwarded-For: 10.10.11.12"; nocase;

Request Example

GET /online/something HTTP/1.1 Host: Upgrade-Insecure-Requests: 1 User-Agent: Jakarta (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,_/_;q=0.8 X-Forwarded-For: 10.10.11.12

application delivery

ASM Advanced WAF

security

Forum Discussion

Custom Signature with Two Criteria

Recent Discussions

ASM cookie, modifying "domain" field

URL

service profile HTTP in LTM v16.1?

iRule resulting in too many redirects

Azure SAML - F5 APM

Related Content

Customized Bot Signature not working

Mitigating log4j (CVE-2021-44228) with AFM Protocol Inspection Custom Signatures

Using Perl Compatible Regular Expressions (PCRE) in Protocol Inspection Custom Signatures

AFM Protocol Custom Signatures for Spring4Shell and Spring_Cloud (CVE-2022-22963 and -22965)

F5 Distributed Cloud - Customer Edge Site - Deployment & Routing Options