11-29-2005 04:29 AM - edited 03-10-2019 01:46 AM
The signature ID 5648 (Tomcat Denial of Service Attack) seems to be prone to false positives.
We have seen in a number of incidents that, when the destination of this attack uses the ephemeral port of 8007 with an established connection on TCP port 80, the signature is often triggered. The signature looks for the content \xfe\x0f.
Is anyone else seeing this problem?
11-29-2005 07:51 AM
Can you please send me some more information and we can look into refining this signature.
An IPLog dmp file or a traffic capture would help me dig into the cause of the false positive.
-jonathan
12-01-2005 06:32 AM
I replied to you with the information you requested offline.