Search your FW log for that same timeframe. If you have a Slammer-infected internal host, it'll show there as well. If you don't see it in the FW logs, then there are two possibilities: 1 - your ISA is infected (sux2beu) 2 - these packets are spoofs Unless you'e mangled those IPs too, I'd bet on #1 just based on the way those packets are being reported. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Mon, 4 Oct 2004 15:19:00 +0200 "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote: http://www.ISAserver.org Hi there I am seeing something strange, and would appreciate some comment on this please... I have noticed an ever-increasing amount of UDP:1433 traffic in my Packet Filter Log, the bugger is that my ISA's external IP Address is shown as the source address. My semi-conclusion at this stage is that I may have a SQL Slammer infected server/workstation in my midst, but I would appreciate any and all analysis of the following excerpt (BTW, the destination IP Address range varies quite immensely) 10/4/2004, 15:12:08, <ISA Ext NIC>, 5.0.255.19, Udp, 1434, 137, -, BLOCKED, <ISA Ext NIC>, -, - 10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED, <ISA Ext NIC>, -, - 10/4/2004, 15:12:16, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED, <ISA Ext NIC>, -, - 10/4/2004, 15:12:19, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED, <ISA Ext NIC>, -, - 10/4/2004, 15:12:19, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED, <ISA Ext NIC>, -, - 10/4/2004, 15:12:21, <ISA Ext NIC>, 0.0.255.19, Udp, 1433, 137, -, BLOCKED, <ISA Ext NIC>, -, - 10/4/2004, 15:12:21, <ISA Ext NIC>, 0.0.255.19, Udp, 1434, 137, -, BLOCKED, <ISA Ext NIC>, -, - Thanks William R. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx