TCP for Reset (ie- close the connection)

>-----
>Robert Bosch Corporation
>Technical Systems Analyst (RBNA/CSA1)
>Corporate Sales Reporting Systems
>38000 Hills Tech Drive - Farmington Hills, MI 48331 - USA
>phone: 1 (248) 553-1164 fax: 1 (248) 848-6969
>shawn.quillman@xxxxxxxxxxxx
>http://www.bosch.us

-----Original Message-----
From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 14, 2005 1:28 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: All Port Scans, false positive

http://www.ISAserver.org

What does RST stand for?

Amy
Harbor Computer Services
Small Business Computer Specialists
Client Blog: http://smalltechnotes.blogspot.com/
Tech Blog: http://isainsbs.blogspot.com/
Website: http://www.harborcomputerservices.net/

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Wednesday, September 14, 2005 1:25 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: All Port Scans, false positive

http://www.ISAserver.org

Possible, but the most likely reason is the "late packet" scenario I've described before. IE and some web services are very rude on the wire. Instead of closing a session with a nice, friendly FIN-ACK sequence, they RST the connection. If this happens before the other side has responded to a previous communication, ISA will have closed the connection and will see the response packet as an "all port scan" because it is destined for a port on the ephemeral range.

You can validate this by examining your ISA logs for previous communication between ISA and the source of the "scan". Odds are, it's listed as a source port used between ISA and the "scan" source in a previous communication.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Wednesday, September 14, 2005 9:51 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: All Port Scans, false positive

http://www.ISAserver.org

A hacked router is one example...

I'm not sure if I'm correct on this, but I understand it as an "All Port" scan in ISA actually means there are 20 (default setting) ports scanned in quick succession, it doesn't necessarily mean ALL ports were tried. The setting for this is in the "Configuration->General->Enable Intrusion Detection and DNS Attack Detection" menu.

________________________________

From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 14, 2005 12:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] All Port Scans, false positive

http://www.ISAserver.org

A question comes to me and I don't have the answer but I know that you guys will. If I have a router in front of my ISA/SBS server that only allows 4 ports through, how is it that all port scans are reported from IP addresses at Microsoft and the ISP on my ISA server? Is it a false positive? If so, what in the world causes it when there are only 4 accessible ports?

Amy
Harbor Computer Services
Small Business Computer Specialists
Client Blog: http://smalltechnotes.blogspot.com/
Tech Blog: http://isainsbs.blogspot.com/
Website: http://www.harborcomputerservices.net/

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
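
The log check described in Jim Harrison's message (look for an earlier connection between ISA and the "scan" source that used the flagged port), as an added example that is not part of the original thread and not ISA Server's own tooling. The record layout, the addresses and the two-minute window are constructed assumptions, not ISA Server's log schema.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified layout for illustration; this is
# NOT ISA Server's real log schema. 192.0.2.10 stands in for the ISA external
# address. Columns: time, src_ip, src_port, dst_ip, dst_port, action
SAMPLE_LOG = """\
2005-09-14 13:00:01,192.0.2.10,1065,203.0.113.80,80,allowed
2005-09-14 13:00:02,192.0.2.10,1066,203.0.113.80,80,allowed
2005-09-14 13:00:03,192.0.2.10,1067,203.0.113.80,80,allowed
2005-09-14 13:00:09,203.0.113.80,80,192.0.2.10,1065,denied
2005-09-14 13:00:09,203.0.113.80,80,192.0.2.10,1066,denied
2005-09-14 13:00:10,203.0.113.80,80,192.0.2.10,1067,denied
2005-09-14 13:05:00,198.51.100.7,40000,192.0.2.10,21,denied
2005-09-14 13:05:00,198.51.100.7,40000,192.0.2.10,23,denied
"""


def classify_denied(log_text, firewall_ip, window=timedelta(minutes=2)):
    """Sort each remote host's denied packets into late replies and the rest.

    `window` (an assumed value) bounds how long after an outbound connection a
    stray reply to its source port is still treated as a late packet.
    """
    outbound = {}  # (remote_ip, remote_port, local_port) -> time last seen
    result = defaultdict(lambda: {"late_reply": [], "unexplained": []})
    for ts, src, sport, dst, dport, action in csv.reader(log_text.strip().splitlines()):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        sport, dport = int(sport), int(dport)
        if action == "allowed" and src == firewall_ip:
            outbound[(dst, dport, sport)] = when
        elif action == "denied" and dst == firewall_ip:
            # A late reply reverses the addresses and ports of a connection
            # the firewall itself opened earlier.
            opened = outbound.get((src, sport, dport))
            late = opened is not None and when - opened <= window
            result[src]["late_reply" if late else "unexplained"].append(dport)
    return dict(result)


def verdict(counts):
    """A source is a likely false positive only if every flagged port is explained."""
    return "investigate" if counts["unexplained"] else "late-packet false positive"


if __name__ == "__main__":
    for host, counts in classify_denied(SAMPLE_LOG, "192.0.2.10").items():
        print(host, verdict(counts), counts)
```

A source whose flagged ports all match source ports ISA used toward that same host fits the late-packet explanation; any port with no earlier connection behind it is left for review.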