Tomcat Denial of Service Attack

darin.marais
Level 4

The signature id 5648 (Tomcat Denial of Service Attack) seems to be prone to false positives.

We have seen in a number of incidents that when the destination of this attack uses the ephemeral port of 8007 with an established connection on TCP port 80, the signature is often triggered. The signature looks for the content \xfe\x0f.

Is anyone else seeing this problem?
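
A triage check for the condition described in the post above, added here as an example and not part of the thread or of the signature's own logic: it tracks which endpoint opened each TCP connection, so a `\xfe\x0f` match toward port 8007 can be split into replies to a client whose ephemeral port happens to be 8007 and traffic to a host actually listening on 8007. The packet tuples, addresses and verdict names are constructed for illustration.

```python
from collections import namedtuple

SIG_CONTENT = b"\xfe\x0f"  # content the post says signature 5648 looks for
WATCHED_PORT = 8007        # port named in the post

# Simplified packet record (assumed shape, e.g. exported from a capture).
Pkt = namedtuple("Pkt", "src sport dst dport flags payload")

def triage(packets):
    """Return (index, verdict) for each packet carrying SIG_CONTENT to WATCHED_PORT."""
    initiators = {}  # flow key -> (ip, port) of the endpoint that sent the SYN
    results = []
    for i, p in enumerate(packets):
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        # A bare SYN (no ACK) identifies the connection's client side.
        if "S" in p.flags and "A" not in p.flags:
            initiators.setdefault(key, (p.src, p.sport))
        if p.dport != WATCHED_PORT or SIG_CONTENT not in p.payload:
            continue
        client = initiators.get(key)
        if client is None:
            verdict = "unknown-direction"      # handshake not in the capture
        elif client == (p.dst, p.dport):
            verdict = "ephemeral-port-reply"   # 8007 is the client's source port
        else:
            verdict = "to-listening-service"   # 8007 is the server's port
        results.append((i, verdict))
    return results

# Constructed sample traffic (documentation and private addresses).
SAMPLE = [
    # Web client that happened to pick 8007 as its ephemeral port.
    Pkt("10.0.0.5", 8007, "192.0.2.10", 80, "S", b""),
    Pkt("192.0.2.10", 80, "10.0.0.5", 8007, "SA", b""),
    Pkt("10.0.0.5", 8007, "192.0.2.10", 80, "PA", b"GET /logo.bin HTTP/1.0\r\n\r\n"),
    Pkt("192.0.2.10", 80, "10.0.0.5", 8007, "PA", b"HTTP/1.0 200 OK\r\n\r\n\x00\xfe\x0f\x10"),
    # Connection opened to a host listening on 8007.
    Pkt("10.0.0.9", 40112, "192.0.2.20", 8007, "S", b""),
    Pkt("192.0.2.20", 8007, "10.0.0.9", 40112, "SA", b""),
    Pkt("10.0.0.9", 40112, "192.0.2.20", 8007, "PA", b"\xfe\x0f"),
    # Mid-stream packet whose handshake was never captured.
    Pkt("10.0.0.7", 80, "10.0.0.8", 8007, "PA", b"\xfe\x0f"),
]

if __name__ == "__main__":
    for idx, verdict in triage(SAMPLE):
        print(idx, verdict)
```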

2 Replies

jlimbo
Level 1

Can you please send me some more information and we can look into refining this signature.

An IPLog dmp file or a traffic capture would help me dig into the cause of the false positive.

-jonathan

I replied to you with the information you requested offline.
