Re: FW: WEB server URLSCAN logs

  • From: "Deus, Attonbitus" <Thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 01 Jul 2003 08:35:28 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 07:48 AM 7/1/2003, you wrote:
>http://www.ISAserver.org
>
>Please find attached a sample of the URLSCAN log on an internal WWW
>server that has been published with ISA server
>
>
>
>The ISA server has SP1 and the URLSCAN filter enabled. The local
>server has the URLSCAN filter also
>
>My first question is: Why did these attempts pass the ISA server? I
>was of the opinion that the published and internal web servers
>would be protected by this filter. Any suggestions on resolving
>this? And perhaps a white hat site for testing ISA security for
>these types of attacks

The IP in the log resolves to Asia Pacific, so if that is an internal
box, I'm assuming you're using Server Publishing-- the ISA URLSCAN works
with Web Publishing, not Server Publishing.


>The last question is... Is it possible to create a special content
>filter to filter this type of traffic and an alert when this
>activity is happening to protect IIS services.  I
>
>This attack went on for several days. It would have been an
>advantage to have had an alarm that an attack was underway

URLScan on the Internal box is already protecting you from that. You
should just get used to these attacks-- they will go on forever.  No need
to make special site-based filters.

But that being said, I know many people who just block the entire
China/Taiwan subnets...

t

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPwGqR4hsmyD15h5gEQIWjQCfaSDgW2wG32n7mcU+ad8s/e9dEKQAn1wd
KWWsV+sG+4l67jdVpnNop610
=Px7m
-----END PGP SIGNATURE-----


