Hi,

Can you look at what I believe to be a false positive for sig 5551

Thanks,

evIdsAlert: eventId=1116783457905897506 severity=high vendor=Cisco

originator:

hostId: Vintage01

appName: sensorApp

appInstanceId: 340

time: 2005/11/01 01:06:33 2005/10/31 17:06:33 GMT-08:00

signature: description=Outlook Web Access Cross Site Scripting Vulnerability i

d=5551 version=S191

subsigId: 0

sigDetails: Outlook Web Access Cross Site Scripting Vulnerability

interfaceGroup:

vlan: 0

participants:

attacker:

addr: locality=OUT <address removed>

port: 80

target:

addr: locality=DMZ1 <address removed>

port: 3735

context:

fromAttacker:

000000 65 63 68 6E 69 63 69 61 6E 73 20 28 45 4D 54 73 echnicians (EMTs

000010 29 20 61 6E 64 20 70 61 72 61 6D 65 64 69 63 73 ) and paramedics

000020 2E 0D 0A 3C 62 72 3E 3C 62 72 3E 0D 0A 3C 41 20 ...<br><br>..<A

000030 48 52 45 46 3D 22 68 74 74 70 3A 2F 2F 61 64 2E HREF="http://ad.

000040 6E 32 34 33 34 2E 64 6F 75 62 6C 65 63 6C 69 63 n2434.doubleclic

000050 6B 2E 6E 65 74 2F 6A 75 6D 70 2F 4E 32 34 33 34 k.net/jump/N2434

000060 2E 6D 69 6C 69 74 61 72 79 61 64 76 61 6E 74 61 .militaryadvanta

000070 67 65 2F 42 31 35 34 37 30 38 30 2E 35 3B 73 7A ge/B1547080.5;sz

000080 3D 31 78 31 3B 6F 72 64 3D 26 23 39 31 3B 74 69 =1x1;ord=[ti

000090 6D 65 73 74 61 6D 70 26 23 39 33 3B 3F 22 3E 0D mestamp]?">.

0000A0 0A 3C 49 4D 47 20 53 52 43 3D 22 68 74 74 70 3A .<IMG SRC="http:

0000B0 2F 2F 61 64 2E 6E 32 34 33 34 2E 64 6F 75 62 6C //ad.n2434.doubl

0000C0 65 63 6C 69 63 6B 2E 6E 65 74 2F 61 64 2F 4E 32 eclick.net/ad/N2

0000D0 34 33 34 2E 6D 69 6C 69 74 61 72 79 61 64 76 61 434.militaryadva

0000E0 6E 74 61 67 65 2F 42 31 35 34 37 30 38 30 2E 35 ntage/B1547080.5

0000F0 3B 73 7A 3D 31 78 31 3B 6F 72 64 3D 26 23 39 31 ;sz=1x1;ord=&#91

riskRatingValue: 75

interface: fe1_0

protocol: tcp