Bom dia Alex, as far as I observed this is fairly common. There are a number of people out there who on a regular basis try to break into systems. Those attempts are detected as well-known, half and full scan attempts. It is a good advise to check the security of your setup as you are in fact a target of an intrusion attempt. But as long as everything's save in this respect, you can relax and let your system be port-scanned, nothing else will happen there. You wouldn't want to waste your time running after these events only to find out that the source ip was spoofed. Question for the experts: would there be any method of gathering more information about the attacker (including spoofed IPs) that could be automated? I don't know exactly which information could be considered useful - but surely this is a common demand among firewall admins, no? Mark -----Original Message----- From: Alex Decarli [mailto:decarli@xxxxxxxxxxxxx] Sent: Thursday, May 23, 2002 4:46 PM To: [ISAserver.org Discussion List] Subject: [isalist] RES: RE: IP SCAN http://www.ISAserver.org In this events that I listed, He try to access from 80 port to several ports on my server, It could be a deceit? -----Mensagem original----- De: Mark Hippenstiel [mailto:mark@xxxxxxxxxxxx] Enviada em: quinta-feira, 23 de maio de 2002 10:19 Para: [ISAserver.org Discussion List] Assunto: [isalist] RE: IP SCAN http://www.ISAserver.org Yeah, only as long as the IP isn't spoofed, that is. I've had this a couple of times and didn't know what to do then. Anybody knows if ISA is capable of logging the MAC address? Mark -----Original Message----- From: Bruno ROUY [mailto:bruno.rouy@xxxxxxxx] Sent: Thursday, May 23, 2002 2:53 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: IP SCAN http://www.ISAserver.org ONLY..... YESSSSSSSS ! but you can trace who scan your ports -----Message d'origine----- De : Alex Decarli [mailto:decarli@xxxxxxxxxxxxx] Envoyé : jeudi 23 mai 2002 14:14 À : [ISAserver.org Discussion List] Objet : [isalist] IP SCAN http://www.ISAserver.org Hi folks, I've received the following message: "ISA Server detected an all port scan attack from Internet Protocol (IP) address xxx.xxx.xxx.xxx" i've registered in IP...log several connections of this ip on port 80 (http) is this a port scan attack ? When I do a manual port scan , isa server says "ISA Server detected a well-known port scan attack from Internet Protocol (IP) address xxx.xxx.xxx.xxx. A well-known port is any port in the range of 1-2048. For more information about this event, see ISA Server Help. Any idea ? Alex Decarli ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bruno.rouy@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: mark@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: decarli@xxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: mark@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')