New Member

Tomcat Denial of Service Attack

The signature id 5648 (Tomcat Denial of Service Attack) seems to be prone to false positives.

We have seen in a number of incidents that when the destination of this attack uses the ephemeral port of 8007 with an established connection on TCP port 80, the signature is often triggered. The signature looks for the content \xfe\x0f.

Is anyone else seeing this problem?

2 REPLIES
New Member

Re: Tomcat Denial of Service Attack

Can you please send me some more information and we can look into refining this signature.

An IPLog dmp file or a traffic capture would help me dig into the cause of the false positive.

-jonathan

New Member

Re: Tomcat Denial of Service Attack

I replied to you with the information you requested offline.
