Security Basics mailing list archives

RE: New scanner?


From: "m0use" <m0use () helixsecurity net>
Date: Tue, 26 Nov 2002 15:05:40 -0600

On Mon, 25 Nov 2002 11:31:43 -0800 (PST), H C wrote:
> However, I think my point stands...the OP didn't post
> (a) the actual contents of the rules themselves (he
> may have modified them in some way), or (b) his web
> logs, so there's no way anyone on the list can do
> anything other than offer advice or make assumptions.
> Sure, some of the assumptions can be very well
> reasoned, but the OP didn't even say whether he's
> running Windows or even IIS.  Sure, the "established"
> key word sort of makes it obvious that he's got
> *something* listening on port 80, but we don't know
> for sure what that is, do we?

IMHO for any of this to be of value the examiner would need IIS/Apache logs to
see just how far this went.  I am a firm believer in those few Managed Security
services out there that correlate the data across IDS, Firewall, Web server to
give the admin a fuller picture of the event. What was the server response to
this obvious worm-related event?  That's where we find the meat of the issue.


--
m0use
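
The correlation described in the message above, as an added example that is not part of the original post: it joins IDS alerts to web server log entries by source address and time, then reports how the server responded. The log lines, the simplified alert layout, the `/constructed/...` paths and the verdict labels are all constructed for illustration, and the sensor and web server clocks are assumed to be in the same time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data. The IDS alert layout is a simplified, hypothetical one.
IDS_ALERTS = """\
2002-11-25 11:31:43 203.0.113.7 -> 192.0.2.10:80 WEB probe signature A
2002-11-25 11:32:10 203.0.113.9 -> 192.0.2.10:80 WEB probe signature A
2002-11-25 11:40:00 203.0.113.44 -> 192.0.2.10:80 WEB probe signature B
"""
# Constructed web server entries in Apache Common Log Format.
ACCESS_LOG = """\
203.0.113.7 - - [25/Nov/2002:11:31:43 -0800] "GET /constructed/probe-a HTTP/1.0" 404 284
203.0.113.9 - - [25/Nov/2002:11:32:11 -0800] "GET /constructed/probe-a HTTP/1.0" 200 1532
198.51.100.3 - - [25/Nov/2002:11:33:00 -0800] "GET /index.html HTTP/1.0" 200 5120
"""

ALERT_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (.+)$")
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def parse_alerts(text):
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            yield {"time": datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), "src": m[2], "msg": m[5]}

def parse_access(text):
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            # Assumption: same zone as the IDS sensor, so the UTC offset is dropped.
            ts = datetime.strptime(m[2].split()[0], "%d/%b/%Y:%H:%M:%S")
            yield {"time": ts, "src": m[1], "request": m[3], "status": int(m[4])}

def correlate(alerts, hits, window=timedelta(seconds=5)):
    # For each alert, find web log entries from the same source within the window.
    hits, out = list(hits), []
    for a in alerts:
        matched = [h for h in hits if h["src"] == a["src"] and abs(h["time"] - a["time"]) <= window]
        if not matched:
            verdict = "no-web-log-entry"      # alert fired, server logged nothing
        elif any(200 <= h["status"] < 300 for h in matched):
            verdict = "served-investigate"    # server answered with content
        else:
            verdict = "rejected"              # e.g. 404: request did not resolve
        out.append((a["src"], a["msg"], [h["status"] for h in matched], verdict))
    return out

if __name__ == "__main__":
    for row in correlate(parse_alerts(IDS_ALERTS), parse_access(ACCESS_LOG)):
        print(row)
```

A 2xx status only shows that the server returned content for the request, so those rows are the ones to examine first rather than proof of compromise.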


