On Mon, 25 Nov 2002 11:31:43 -0800 (PST), H C wrote
> However, I think my point stands...the OP didn't post
> (a) the actual contents of the rules themselves (he
> may have modified them in some way), or (b) his web
> logs, so there's no way anyone on the list can do
> anything other than offer advice or make assumptions. 
> Sure, some of the assumptions can be very well
> reasoned, but the OP didn't even say whether he's
> running Windows or even IIS.  Sure, the "established"
> key word sort of makes it obvious that he's got
> *something* listening on port 80, but we don't know
> for sure what that is, do we?

IMHO for any of this to be of value the examiner would need IIS/Apache logs to
see just how far this went.  I am a firm believer in those few Managed Security
services out there that correlate the data across IDS, Firewall, Web server to
give the admin a fuller picture of the event. What was the server response to
this obvious worm-related event?  That's where we find the meat of the issue.


--
m0use
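
The correlation described in the message above, as an added example that is not part of the original thread: it joins IDS alerts to web server log entries by source IP and time, then reports how the server answered. It assumes Snort-style fast alert lines, Apache common log format, and both clocks in the same time zone; all sample lines, addresses and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the original thread).
IDS_ALERTS = """\
11/25-10:15:02.120000  [**] [1:1000001:1] WEB-IIS worm probe (constructed) [**] [Priority: 1] {TCP} 192.0.2.45:3312 -> 198.51.100.10:80
11/25-10:20:40.500000  [**] [1:1000001:1] WEB-IIS worm probe (constructed) [**] [Priority: 1] {TCP} 192.0.2.77:4100 -> 198.51.100.10:80
11/25-10:31:09.000000  [**] [1:1000001:1] WEB-IIS worm probe (constructed) [**] [Priority: 1] {TCP} 192.0.2.99:1033 -> 198.51.100.10:80
"""
WEB_LOG = """\
192.0.2.45 - - [25/Nov/2002:10:15:02 -0800] "GET /scripts/constructed-probe HTTP/1.0" 404 283
192.0.2.77 - - [25/Nov/2002:10:20:41 -0800] "GET /scripts/constructed-probe HTTP/1.0" 200 1024
203.0.113.5 - - [25/Nov/2002:10:21:00 -0800] "GET /index.html HTTP/1.0" 200 5120
"""

ALERT_RE = re.compile(r'^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[[\d:]+\] (.*?) \[\*\*\].*\{TCP\} ([\d.]+):\d+ -> ')
HIT_RE = re.compile(r'^([\d.]+) \S+ \S+ \[([^\] ]+) [^\]]+\] "([^"]*)" (\d{3}) ')

def parse_alerts(text, year):
    # Fast alerts carry no year, so the caller supplies it (assumption).
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        yield ts, m.group(3), m.group(2)

def parse_hits(text):
    # The UTC offset is ignored: both logs are assumed to use the same local time.
    for m in filter(None, map(HIT_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        yield ts, m.group(1), m.group(3), int(m.group(4))

def correlate(alerts, web_log, year=2002, window=timedelta(seconds=5)):
    """Return (source IP, HTTP statuses, verdict) for each IDS alert."""
    hits = list(parse_hits(web_log))
    report = []
    for a_ts, src, _msg in parse_alerts(alerts, year):
        statuses = [status for h_ts, ip, _req, status in hits
                    if ip == src and abs(h_ts - a_ts) <= window]
        if not statuses:
            verdict = "no web log entry: request not logged by the server"
        elif any(200 <= s < 400 for s in statuses):
            verdict = "SERVED: investigate host"
        else:
            verdict = "rejected by server"
        report.append((src, statuses, verdict))
    return report

if __name__ == "__main__":
    for row in correlate(IDS_ALERTS, WEB_LOG):
        print(row)
```

Three identical alerts end in three different outcomes here, which the IDS output alone cannot distinguish.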

