Security Basics mailing list archives

RE: New scanner?


From: H C <keydet89 () yahoo com>
Date: Mon, 25 Nov 2002 06:19:19 -0800 (PST)

A couple of things...

First off, it's good that snort is running to catch
these things.

To CB...
"My opinion would be to rebuild the box with all
current patches and service packs."

Why?  Just b/c snort picked up the signatures, doesn't
mean that the box was actually compromised...does it? 
After all, the snort signatures are specific enough to
pick up the inbound signatures, but nothing from
Jeremy shows what the response codes from IIS are...do
they?  Jeremy didn't mention anything about the
server's responses, nor did he post the web logs.  In
fact, Jeremy never actually said which web server (if
any) he's running!

The assumption is that Jeremy is running IIS...and
this may actually be the case.  However, Jeremy's post
has only the snort signature titles, and nothing else.
 

What this shows is that there is still a propensity to
make assumptions, not only regarding posts such as
Jeremy's, but in incident response investigations, as well.



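The check the message asks for, pairing each alert with what the web server actually answered, as an added example that is not part of the original post or thread. The log lines, addresses and `SIG-TITLE-*` names are constructed placeholders, and the sketch assumes the sensor and the web server log in the same time zone.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original thread).
# IIS-style W3C extended log; the #Fields line defines the column order.
WEB_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-11-25 06:01:12 203.0.113.7 GET /constructed/probe-a 404
2002-11-25 06:03:30 203.0.113.7 GET /constructed/probe-b 200
2002-11-25 06:02:40 198.51.100.9 GET /index.html 200
"""

# Constructed IDS alerts reduced to (timestamp, source IP, signature title).
ALERTS = [
    ("2002-11-25 06:01:12", "203.0.113.7", "SIG-TITLE-A"),
    ("2002-11-25 06:03:30", "203.0.113.7", "SIG-TITLE-B"),
    ("2002-11-25 06:05:00", "192.0.2.44", "SIG-TITLE-C"),
]
FMT = "%Y-%m-%d %H:%M:%S"

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], FMT)
            yield row

def triage(alerts, log_text, window_s=2):
    """Pair each alert with the server's responses to that client near that time."""
    rows = list(parse_w3c(log_text))
    report = []
    for when, src, title in alerts:
        t = datetime.strptime(when, FMT)
        codes = sorted({int(r["sc-status"]) for r in rows if r["c-ip"] == src
                        and abs(r["ts"] - t) <= timedelta(seconds=window_s)})
        if not codes:
            verdict = "no matching request logged"
        elif any(200 <= c < 400 for c in codes):
            verdict = "server answered with success: investigate"
        else:
            verdict = "server rejected the request"
        report.append((title, src, codes, verdict))
    return report

if __name__ == "__main__":
    print(*triage(ALERTS, WEB_LOG), sep="\n")
```

IIS writes W3C extended logs in UTC, so alert timestamps from a sensor on local time need converting before the match. A success code is a reason to look further at that request, not proof of compromise.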