Forum Discussion
Eric_27708
Aug 04, 2011 Nimbostratus
Maximum number of allowed recursions exceeded
We recently got the F5 & the Application Security module and enabled it for a test app.
I have not enabled any learning and enabled the default out-of-the-box ruleset in transparent alarm mode to understand the working of the ASM.
I am seeing a lot of false attack signature alerts with the following description "The signature is not matched. The matching process exceeded the maximum number of allowed recursions".
For SQL injection attack alerts here is what I see.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Context = Parameter
Parameter Level = Global
Wildcard Parameter Name = *
Actual Parameter Name = value
Parameter Value = "A TEXT MESSAGE GOES HERE"
Detected Keywords =
Description = The signature is not matched. The matching process exceeded the maximum number of allowed recursions
For XSS alerts here is what I see.
~~~~~~~~~~~~~~~~~~~~~
Context = Request
Detected Keywords =
Description = The signature is not matched. The matching process exceeded the maximum number of allowed recursions.
Am I doing something fundamentally incorrect here? Do I need to specify what rules need to apply for what parameters and pages, etc.? How do I fix this issue?
When I looked through the help pages, it mentioned that there is a default size of 5000 so that each request does not take up too many resources, and that increasing this number can fix this error. However, some of the requests where the alert gets triggered are simple GET requests with 5 - 10 headers and some cookies. I am not sure what the number 5000 means exactly and how such a small request can cause the maximum number of allowed recursions to be exceeded.
Thanks for any and all help.
- hooleylist Cirrostratus
Hi Eric,
- swo0sh_gt_13163 Altostratus
Hi,
It seems it's still an open issue. http://support.f5.com/kb/en-us/solutions/public/12000/200/sol12250.html
Bug ID - 293513