Security Basics mailing list archives
RE: New scanner?
From: "m0use" <m0use () helixsecurity net>
Date: Tue, 26 Nov 2002 15:05:40 -0600
On Mon, 25 Nov 2002 11:31:43 -0800 (PST), H C wrote
However, I think my point stands...the OP didn't post (a) the actual contents of the rules themselves (he may have modified them in some way), or (b) his web logs, so there's no way anyone on the list can do anything other than offer advice or make assumptions. Sure, some of the assumptions can be very well reasoned, but the OP didn't even say whether he's running Windows or even IIS. Sure, the "established" key word sort of makes it obvious that he's got *something* listening on port 80, but we don't know for sure what that is, do we?
IMHO for any of this to be of value the examiner would need IIS/Apache logs to see just how far this went. I am a firm believer in thos few Managed Security services out there that correlate the data across IDS, Firewall, Web server to give the admin a fuller picture of the event. What was the server response to this obvious worm related event. Thats where we find the meat of the issue. -- m0use
Current thread:
- RE: New scanner? H C (Nov 25)
- RE: New scanner? newsletters (Nov 25)
- RE: New scanner? H C (Nov 25)
- RE: New scanner? m0use (Nov 26)
- RE: New scanner? H C (Nov 25)
- RE: New scanner? newsletters (Nov 25)
- RE: New scanner? newsletters (Nov 25)
- RE: New scanner? newsletters (Nov 25)