-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 06:41 AM 5/3/2002, you wrote: >I only find this in the event log on the ISA server. > >Event Type: Warning >Event Source: ISS Filter >Event Category: None >Event ID: 6 >Date: 4/30/2002 >Time: 5:32:00 PM >User: N/A >Computer: PATHFINDER >Description: >POP buffer overflow detected from 209.94.202.69:1617 to 206.X.X.X:110 > >Chris Basically, the POP Intrusion Detection filter (on by default) is picking up what it considers to be a an attack against a POP3 server. Many different servers have had issues where very long commands submitted to the server could cause a buffer overrun- depending on the situation, successful attacks would result in things like DoS or remote code execution. The client at the above IP is submitting data that the filter thinks could be hostile, so it is filtering it out. I could not find any information on what criteria the filter uses to make this determination, but since it was written by ISS, they may have some more information on it. It is too bad that ISA does not provide more information than it does- the data that caused the trigger really should be written to a log somewhere. Kind of like the SMTP traps- they tell you the command that caused the trigger, but don't tell you where it came from :(. HTH some... ttyt T -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQA/AwUBPNKXrYhsmyD15h5gEQLCBwCfU2W3oIv4WkbV4lDqwq3VDvqotngAnjOJ Ld0AZAJvsELh2Aa7NdO6QxKK =awCs -----END PGP SIGNATURE-----