ASM Signature Update 02/08/2019 Contains Incorrect Command Execution Signatures
The 2/8/19 signature update available on F5 Downloads (shows a create date of 1/22/19 in the F5 UI) has some questionable updates for Command Execution signatures on parameters that cause a large amount of false positives.
Instead of properly checking to see if a parameter contains a real command execution attempt, it is just firing on anything containing a the string that matches the command name. It's so bad that the sig for g++ will go off every time there is a " g " in a parameter being posted.
This has been confirmed on 12.1.X
I would suggest skipping this update until they address. If installed, my suggestion would be to disable all signatures with the string "execution attempt" in the title that relates to parameters (likely leave URL and Header sigs active, not getting false positives on those but ymmv) and contain a command that resembles a human word or is 3 characters or less. If not too labor intensive it would likely be better to disable on a parameter basis. Even if you have these signatures in staging, you may not get all possible values in your staging traffic so the next time you get a user with the name of "Pico", they could be blocked.
Because we are on 12.x we had been setup to not put update signatures into staging because we didn't want to loose coverage, after years of that working perfectly for us, this update came and basically locked out our applications.
Working with support on this, will update.