
Sig5813 Vector Markup Language Vulnerability - False Positives?

enelson
Level 1

Seeing a lot of activity with regard to this new vulnerability. The sensor is denying packets. The HTML is usually in the "Context" of the packet. Has anyone seen false positives for this signature?

<html xmlns:v="urn:schemas-microsoft-com:vm

3 Replies 3

jlimbo
Level 1

Just to confirm, is this subsig 5813-0, or another subsignature?

Would you be able to provide the triggering packet through a produce verbose alert or even better a traffic sample?

Over 2200 alerts since the signature was introduced.

These are ALL subsig 0.

We use Security Monitor to display our events.

Will Verbose alerts show in Secmon under ALERT DETAILS after enabled for this signature? (evIdsalert)

There is a bug in CiscoWorks VMS Security Monitor: Secmon will always display subsig 0. The bug does not show the proper subsig. To determine the correct subsig you will need to obtain the event from the sensor itself using the "show events" command.
