The BIG-IP ASM attack signature engine has a limited maximum recursion depth
According to sol12250:
"This behavior limits the amount of resources that can be dedicated to any one evaluation operation. Certain combinations of attack signatures and request payloads may result in a long recursive evaluation that reaches the maximum depth before determining if the attack signature matches. In such cases, the request is marked as a match for the signature because the BIG-IP ASM system has not yet determined that the request is not a match. While this design may result in false positive violations, it ensures that unverified requests are not passed through the attack signature engine.
F5 Product Development is tracking an enhancement request to make the recursion depth a user configurable option as ID 242268 (formerly CR133384) and ID 224531 (formerly CR136691)."
We are seeing this quite often and we had to disable lots of signatures because of it, and we're not very happy with that "solution", so we'd like to know if anyone is using this new "tuning the regex recursion depth" feature?
Any suggestions about configuring the depth value? Does it significantly increase the CPU usage?
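A toy model of the fail-closed behaviour the quoted solution describes, added here as an illustration; it is not F5 code and says nothing about the ASM engine's internals. The recursive matcher, the signature `a.*z`, the payloads and the depth values are all constructed assumptions.

```python
class DepthExceeded(Exception):
    """Raised when the evaluation runs out of recursion budget."""

def _match_here(pat, text, depth, max_depth, stats):
    # Recursive backtracking matcher: literals, '.' and 'x*' only.
    stats["calls"] += 1
    if depth > max_depth:
        raise DepthExceeded
    if not pat:
        return True
    if len(pat) >= 2 and pat[1] == "*":
        # Try zero occurrences first, then consume one character and recurse.
        if _match_here(pat[2:], text, depth + 1, max_depth, stats):
            return True
        return (bool(text) and pat[0] in (".", text[0])
                and _match_here(pat, text[1:], depth + 1, max_depth, stats))
    if text and pat[0] in (".", text[0]):
        return _match_here(pat[1:], text[1:], depth + 1, max_depth, stats)
    return False

def evaluate(signature, payload, max_depth):
    """Return (verdict, calls). Verdict is 'match', 'no_match' or
    'match_depth_limit' when the budget ran out before a decision."""
    stats = {"calls": 0}
    try:
        hit = any(_match_here(signature, payload[i:], 0, max_depth, stats)
                  for i in range(len(payload) + 1))
        verdict = "match" if hit else "no_match"
    except DepthExceeded:
        verdict = "match_depth_limit"   # undecided, so treated as a match
    return verdict, stats["calls"]

def is_violation(verdict):
    # Fail closed: only a proven non-match lets the request through.
    return verdict != "no_match"

if __name__ == "__main__":
    signature = "a.*z"                  # constructed signature
    benign = "a" + "b" * 40             # constructed payload, contains no 'z'
    for depth in (16, 64):
        verdict, calls = evaluate(signature, benign, depth)
        print(depth, verdict, is_violation(verdict), calls)
```

In this model the same benign payload is a false positive at depth 16 and a clean non-match at depth 64, at the cost of more matcher calls; how the real engine scales is not something the model can tell you.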