At 07:48 AM 7/1/2003, you wrote:
>http://www.ISAserver.org
>
>Please find attached a sample of the URLSCAN log on an internal WWW
>server that has been published with ISA server
>
>The ISA server has SP1 and the URLSCAN filter enabled. The local
>server has the URLSCAN filter also
>
>My first question is: Why did these attempts pass the ISA server? I
>was of the opinion that the published and internal web servers
>would be protected by this filter. Any suggestions on resolving
>this? And perhaps a white hat site for testing ISA security for
>these types of attacks

The IP in the log resolves to Asia Pacific, so if that is an internal box, I'm assuming you're using Server Publishing-- the ISA URLSCAN works with Web Publishing, not Server Publishing.

>The last question is: Is it possible to create a special content
>filter to filter this type of traffic and an alert when this
>activity is
>happening to protect IIS services. I
>
>This attack went on for several days. It would have been an
>advantage to have had an alarm that an attack was underway

URLScan on the Internal box is already protecting you from that. You should just get used to these attacks-- they will go on forever. No need to make special site-based filters. But that being said, I know many people who just block the entire China/Taiwan subnets...

t