https://community.cisco.com/t5/network-security/sig5813-vector-markup-language-vulnerability-false-positives/m-p/630391#M92257 <P>Seeing alot of activity with regard to this new vulnerability. The sensor is denying packets. The html is usually in the "Context" of the packet. Has anyone seen false positives for this signature?</P><P></P><P>&lt;html xmlns:v="urn:schemas-microsoft-com:vm</P> Sun, 10 Mar 2019 10:15:06 GMT enelson 2019-03-10T10:15:06Z https://community.cisco.com/t5/network-security/sig5813-vector-markup-language-vulnerability-false-positives/m-p/630391#M92257 <P>Seeing alot of activity with regard to this new vulnerability. The sensor is denying packets. The html is usually in the "Context" of the packet. Has anyone seen false positives for this signature?</P><P></P><P>&lt;html xmlns:v="urn:schemas-microsoft-com:vm</P> Sun, 10 Mar 2019 10:15:06 GMT https://community.cisco.com/t5/network-security/sig5813-vector-markup-language-vulnerability-false-positives/m-p/630391#M92257 enelson 2019-03-10T10:15:06Z https://community.cisco.com/t5/network-security/sig5813-vector-markup-language-vulnerability-false-positives/m-p/630392#M92258 <HTML><HEAD></HEAD><BODY><P>Just to confirm is this subsig 5813-0? Or another subsignature.</P><P></P><P>Would you be able to provide the triggering packet through a produce verbose alert or even better a traffic sample?</P></BODY></HTML> Sat, 30 Sep 2006 00:35:00 GMT https://community.cisco.com/t5/network-security/sig5813-vector-markup-language-vulnerability-false-positives/m-p/630392#M92258 jlimbo 2006-09-30T00:35:00Z https://community.cisco.com/t5/network-security/sig5813-vector-markup-language-vulnerability-false-positives/m-p/630393#M92259 <HTML><HEAD></HEAD><BODY><P>Over 2200 alerts since the signature was intruduced.</P><P></P><P>These are ALL subsig 0.</P><P></P><P>We use Security Monitor to display our events.</P><P>Will Verbose alerts show in Secmon under ALERT DETAILS after enabled for this signature? (evIdsalert)</P><P></P><P></P></BODY></HTML> Sat, 30 Sep 2006 13:01:54 GMT https://community.cisco.com/t5/network-security/sig5813-vector-markup-language-vulnerability-false-positives/m-p/630393#M92259 enelson 2006-09-30T13:01:54Z https://community.cisco.com/t5/network-security/sig5813-vector-markup-language-vulnerability-false-positives/m-p/630394#M92260 <HTML><HEAD></HEAD><BODY><P>There is a bug in Ciscoworks VMS Security Monitor, Secmon will always display subsig 0. The bug does not show the proper subsig. To determine the correct subsig you will need to obtain the event from the sensor itself using "show events" command.</P><P>M</P></BODY></HTML> Sat, 30 Sep 2006 20:04:47 GMT https://community.cisco.com/t5/network-security/sig5813-vector-markup-language-vulnerability-false-positives/m-p/630394#M92260 mkirbyii 2006-09-30T20:04:47Z