Cisco Support Community
Community Member

TCP reset and Jrun applications

When the sensor(s) see what might be a unicode attack and do a TCP reset when it fires, will it reset every port 80 request going on to the source address?

I have XML requests that are encoded. They look like a possible unicode attack, and my Oracle logs state the connection was reset by peer. The IIS/Jrun server is on the outside and the Oracle server is on the inside, with the sensor sitting on the outside with the IIS server.

Cisco Employee

Re: TCP reset and Jrun applications

TCP reset is best effort and sends the reset to any request matching the signature. If the signature configured for RESET is of port 80, then all port 80 requests scanned for the said signature will get resets.



Cisco Employee

Re: TCP reset and Jrun applications


If you think your XML is causing the unicode alarm to fire, then you may want to disable TCP resets for that alarm.

If you want to find out if this may be a sensor error, then use a sniffer to capture a sample session and replay it past a sensor to see if it fires the unicode alarm.

If that session does fire the alarm, then you can contact the TAC and provide them a copy of that session. The TAC can then pass it on to the signature development team. The signature team can then tell you if we have a sensor bug that we can fix, or if your XML looks so much like unicode that we would have to enter it into the NSDB as a benign trigger for that alarm.
