RE: Port Scans

• From: "Ball, Dan" <DBall@xxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Wed, 16 Mar 2005 11:00:24 -0500

Spoofing in ISA2004 comes up with its own separate alert, but I don't
see any spoof alert for the same timeframe as the scan alert.

 

________________________________

From: Steve Lunn [mailto:Steve.Lunn@xxxxxxxxxxxxxxxx] 
Sent: Wednesday, March 16, 2005 10:02
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Port Scans

 

http://www.ISAserver.org

I would imagine it's IP Spoofing. I get quite a few of these in ISA2k,
but at least it tells 
you that it's received the packet on the wrong interface and drops it. 

Regards, 
  
Steve 
  
Steve Lunn - PC & Network Support 
Microsoft MCP 
DDI: 01423 855101 
Fax: 01423 855181 

 

-----Original Message----- 
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: 16 March 2005 14:59 
To: [ISAserver.org Discussion List] 
Subject: [isalist] RE: Port Scans 

http://www.ISAserver.org 

Does anyone have an answer on this other than laughter? 

-----Original Message----- 
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Tuesday, March 15, 2005 10:25 
To: [ISAserver.org Discussion List] 
Subject: [isalist] Port Scans 

http://www.ISAserver.org 

I get an lot of these alerts on my ISA2004 server: 

ISA Server detected an all port scan attack from Internet Protocol (IP) 
address xx.xx.xx.xx. 

Normally, I just ignore these, as there isn't much I can do about 
outside servers.  However, I've noticed a few of these with IP addresses

on our internal network, which has me concerned.  Whenever I see one of 
these, I check every log I can think of, and don't find any other 
indication of any activity other than the alert itself.  Even the 
Firewall Log doesn't show any blocked packets during that time period.  

Do you think the IP address of the scanner is being spoofed? 

 

------------------------------------------------------ 
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist 
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ 
------------------------------------------------------ 
Other Internet Software Marketing Sites: 
World of Windows Networking: http://www.windowsnetworking.com 
Leading Network Software Directory: http://www.serverfiles.com 
No.1 Exchange Server Resource Site: http://www.msexchange.org 
Windows Security Resource Site: http://www.windowsecurity.com/ 
Network Security Library: http://www.secinf.net/ 
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com 
------------------------------------------------------ 
You are currently subscribed to this ISAserver.org Discussion List as:
steve.lunn@xxxxxxxxxxxxxxxx 
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist

Report abuse to listadmin@xxxxxxxxxxxxx 

 

Homeowners Group consists of Homeowners Friendly Society Limited (HFSL),
Registered and Incorporated under the Friendly Societies Act 1992, Reg.
No. 964F, Homeowners Investment Fund Managers Limited (HIFML), Reg. No.
3224780, Homeowners Financial Administration Limited (HFAL), Reg. No.
4301736, Homeowners Membership Services Limited (HMSL), Reg. No. 3091667
and UK Friendly Insurance Services Limited (UKFISL), Reg. No. 3088162,
all registered at Hornbeam Park Avenue, Harrogate. HG2  8XE. Tel: 01423
855000    Web: http://www.homeowners.co.uk 

HFSL and HIFML are both authorised and regulated by the Financial
Services Authority (FSA). HFSL's FSA Register no. is 110072, HIFML's FSA
Register no. is 181487. You can check this on the FSA's Register by
visiting the FSA's website http://www.fsa.gov.uk/register or by
contacting the FSA on 0845 606 1234 

HFAL, HMSL and UKFISL are non-regulated limited companies. 

United Kingdom Civil Service Benefit Society (UKCSBS) and United Kingdom
Armed Forces Benefit Society (UKAFBS) are trading styles of Homeowners
Friendly Society Limited 

This e-mail is intended only for the person named as recipient. The
contents are confidential. If you are not the intended recipient of this
e-mail, please notify us as soon as possible and delete it. If you are
not the intended recipient of the e-mail, any use by you is prohibited.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

Other related posts:

• » Port Scans
• » Re: Port Scans
• » Re: Port Scans
• » Re: Port Scans
• » Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans
• » RE: Port Scans

1. Home
2. isalist
3. Archive
4. 03-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---