mailing list archives
RE: New scanner?
From: "m0use" <m0use () helixsecurity net>
Date: Tue, 26 Nov 2002 15:05:40 -0600
On Mon, 25 Nov 2002 11:31:43 -0800 (PST), H C wrote
However, I think my point stands...the OP didn't post
(a) the actual contents of the rules themselves (he
may have modified them in some way), or (b) his web
logs, so there's no way anyone on the list can do
anything other than offer advice or make assumptions.
Sure, some of the assumptions can be very well
reasoned, but the OP didn't even say whether he's
running Windows or even IIS. Sure, the "established"
key word sort of makes it obvious that he's got
*something* listening on port 80, but we don't know
for sure what that is, do we?
IMHO for any of this to be of value the examiner would need IIS/Apache logs to
see just how far this went. I am a firm believer in thos few Managed Security
services out there that correlate the data across IDS, Firewall, Web server to
give the admin a fuller picture of the event. What was the server response to
this obvious worm related event. Thats where we find the meat of the issue.