[Dshield] l httpd logs

Valdis.Kletnieks at vt.edu
Thu Jun 21 15:57:10 GMT 2007


On Thu, 21 Jun 2007 10:48:05 EDT, Rick Leir said:

> > Marc calls it: "We saw this, did it hurt?"
> 
> would you explain this pls?

That refers to seeing an event logged by the IDS that you're reasonably sure
didn't actually *do* anything to your system/network.  Things like an IIS
exploit heading for your Linux Apache webserver, or an exploit for a hole that
you already pushed a patch out to.

The problem is that often, you need to do some research to show that in
fact, it didn't do anything.  For instance, if it's pointing into a /24
that serves several offices full of paper-pushers, you probably need to
find out if the particular desktop machine targeted did in fact actually
*install* the patch that you pushed, or if something caused the push to
fail, and the box is pwned as a result...
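
The triage described in the message above, as an added example that is not part of the original post: each IDS alert is checked against what the targeted host actually runs and which patches are confirmed on that host. The hosts, patch ids, alert fields and the `PUSHED` set are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# All hosts, patch ids and alerts below are constructed for illustration.
@dataclass
class Asset:
    platform: str                                  # what the host actually runs
    installed: set = field(default_factory=set)    # patches confirmed ON the host

@dataclass
class Alert:
    dst_ip: str
    signature: str
    targets: str     # platform the exploit affects
    fixed_by: str    # patch that closes the hole

PUSHED = {"PATCH-A"}  # what the patch server believes it sent to the /24

INVENTORY = {
    "192.0.2.10": Asset("linux-apache"),
    "192.0.2.21": Asset("windows-desktop", {"PATCH-A"}),
    "192.0.2.22": Asset("windows-desktop"),        # push failed silently
}

ALERTS = [
    Alert("192.0.2.10", "IIS exploit attempt", "windows-iis", "PATCH-I"),
    Alert("192.0.2.21", "desktop exploit attempt", "windows-desktop", "PATCH-A"),
    Alert("192.0.2.22", "desktop exploit attempt", "windows-desktop", "PATCH-A"),
    Alert("192.0.2.99", "desktop exploit attempt", "windows-desktop", "PATCH-A"),
]

def triage(alert, inventory, patched_view=None):
    """Answer 'did it hurt?'. patched_view overrides per-host data (naive mode)."""
    asset = inventory.get(alert.dst_ip)
    if asset is None:
        return "investigate: host not in inventory"
    if asset.platform != alert.targets:
        return "no impact: exploit targets a different platform"
    patches = asset.installed if patched_view is None else patched_view
    if alert.fixed_by in patches:
        return "no impact: patch present"
    return "investigate: patch not confirmed on this host"

def report(alerts=ALERTS, inventory=INVENTORY):
    return [(a.dst_ip, triage(a, inventory)) for a in alerts]

if __name__ == "__main__":
    for ip, verdict in report():
        print(ip, "->", verdict)
```

Passing `PUSHED` as `patched_view` reproduces the shortcut of trusting the push: 192.0.2.22 is then closed as "no impact" even though the patch never landed on it.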