Below is the IDS Alerts and the web server log from the same time period, what would i do in response to the Alert?

/usr/local/apache/access.log:
72.140.131.231 - - [03/Apr/2007:15:31:27 -0400] "GET / HTTP/1.1" 304 -
72.140.131.231 - - [03/Apr/2007:16:19:03 -0400] "GET / HTTP/1.1" 200 44
72.140.131.231 - - [03/Apr/2007:16:29:31 -0400] "GET /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 227
72.140.131.231 - - [03/Apr/2007:16:29:31 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 227

/var/log/snort/snort.log:
Apr 3 16:31:25 Snort snort[2217]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 72.140.131.231:13446 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [1:1807:10] WEB-MISC Chunked-Encoding transfer attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [1:1248:13] WEB-FRONTPAGE rad fp30reg.dll access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 72.140.131.231:13449 -> 192.168.1.1:80
Apr 3 16:31:27 Snort snort[2217]: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 72.140.131.231:13449 -> 192.168.1.1:80

Well except for maybe banning the offending ip address, nothing. Your server 404'd (not found/inaccessible) those files and unless you have the frontpage extensions it was just someone probing. Course if you're running the frontpage extensions someone attempting to find vulnerabilities on your server is the least of your concerns.

I agree with rweaver...consider it benign unless you're actually affected.

Nice to see someone actually conducting log correlation, though!