Tomcat logs are flooded with Intrusion Exceptions

AK_9989455 · ‎Sep 28, 2021

Hello,

Tomcat logs are getting filled with intrusion exceptions as below:

ERROR IntrusionException:55 - [SECURITY FAILURE Anonymous:null@unknown -> /ExampleApplication/IntrusionException] INTRUSION - Multiple (2x) and mixed encoding (3x) detected.

It's not creating issues in the application but tomcat logs are flooded with these errors.

Followed this article and turned errors into warnings but still size of log file is increasing too fast.

How to handle these exceptions? Can anyone help me with your inputs to handle this?

Thanks!

slangley · ‎Oct 06, 2021

Hi @AK_9989455.

This is outside the realm of ThingWorx support, but you should engage your network engineering team for blocking the source connection(s). You should be able to tell from the access logs where the traffic is originating from. Usually IT teams will want to handle this at the firewall under their current security policies.

Regards.

--Sharon

AK_9989455 · ‎Oct 07, 2021

Our Thingworx Application logs are filled with "Error occurred while validating HTTP header: cookie", to handle this we followed ptc articles and updated validation properties. After that http header cookie error went away, now it started filling tomcat with ERROR IntrusionException:55 - [SECURITY FAILURE Anonymous:null@unknown -> /ExampleApplication/IntrusionException] INTRUSION - Multiple (2x) and mixed encoding (3x) detected.

@slangley Followed below community post and article:

https://community.ptc.com/t5/ThingWorx-Developers/Thingworx-and-current-Chrome-flooding-the-Application-log/td-p/697236

https://www.ptc.com/en/support/article/CS324394

We were able to turn errors into warnings following the article but tomcat logs are filling fast. can you provide some workaround to handle this?

Thanks!

slangley · ‎Oct 13, 2021

Hi @AK_9989455.

Have you checked the access logs to determine where the traffic is originating?

Regards.

--Sharon