Hi Bjoern,
I can't really see the value in only applying the attack signature to response content for non-POST requests. Chances are the only vulnerability within an application which would lead to credit cards being leaked in response content would be from POST requests. So why would you want to disable the check for POST requests and not all requests?
If you do want to do this, an iRule and second policy would be an option. You could use the 'HTTP::class select' command to select a second HTTP class for POST requests. Note the second HTTP class must also be added to the virtual server in order to select it using HTTP::class. Selecting a second virtual server would work, but unnecessarily add the need for a second virtual server.
Aaron
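
An iRule sketch of the approach described in the reply above, added here as an example and not code from the original post. The class name `post_requests_class` is a hypothetical placeholder for the HTTP class tied to the second policy.

```tcl
when HTTP_REQUEST {
    # Hypothetical name: the HTTP class associated with the second policy.
    # As the reply notes, this class must also be added to the virtual
    # server, otherwise it cannot be selected with HTTP::class.
    set post_class "post_requests_class"

    if { [HTTP::method] eq "POST" } {
        # Route POST requests to the second HTTP class (and its policy)
        HTTP::class select $post_class

        # Log each selection so the split can be verified in /var/log/ltm
        log local0. "POST [HTTP::host][HTTP::uri] from [IP::client_addr]: selected HTTP class $post_class"
    }
    # Non-POST requests fall through to the virtual server's normal
    # HTTP class matching, so the original policy still applies to them.
}
```

The log line is useful while testing and can be removed once the class selection is confirmed.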