RE: port scan detected

  • From: "Rogers, Brian" <RogersB@xxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 20 Aug 2003 11:02:34 -0400

Haaaa..along these same lines. The IP 166.60.12.11 has been doing an entire
port scan (yes ladies..that's 1 - 64xxx) since yesterday at 4pm.

He's already up to 35867 as of 11am this morning.

Still no response from his ISP...imagine that.

Brian W. Rogers         
Operations Engineer
Tree of Life Corporation 
rogersb@xxxxxxxxxxxxxx 
office: (904)940-2152 
mobile: (904)806-7173


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Wednesday, August 20, 2003 10:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

http://www.ISAserver.org


No way!
The compiled ISAInfo is the longest...
..so there..
thpthpthpthpthp

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Steve Moffat" <steve@xxxxxxxxxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 19, 2003 18:02
Subject: [isalist] RE: port scan detected




This must be one of the longest awaited projects out there....:))

Steve


-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Tuesday, August 19, 2003 9:55 PM
To: Isa Weblist



Here is some follow-up on the information below:
The dumpel command is quite slick and can be placed into a batch file
that runs nightly:

dumpel -f application.out -l application -m "Microsoft ISA Server Control" -e 20063 15102 14123 15105 11001
dumpel -f event.out -l system -m rdr -e 20063 15102 14123 15105 11001
dumpel -f system.out -s systemname r -l system

I'll finish my testing on the import scripts today.

Joseph


-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Tuesday, August 19, 2003 12:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected




What I do is dump all the various event logs into *.csv form and then
read them into tables that I've created, filtering out all but the items
that refer to ISA. That way I have a source that I can run filters from,
and then if I don't want something filtered I remove it from the tables
as listed below. 15101 is one that I filter most for and then pick up the
IP address and generate the xml or *.csv that will be used to feed my
process that applies rules to ISA.

Event Log Names:
DbEvtApp - Application Events
DbEvtSec - Security Events
DbEvtSys - System Events
DbEvtDNS - DNS log file is created on your DNS machine

Joseph
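
Added example, not part of the original thread or Joseph's scripts: a Python sketch of the workflow described above (filter exported event rows for ID 15101, pull out the source IP), with a never-block list and a repeat threshold applied before anything is proposed for blocking. The column layout, sample rows, never-block network and threshold are all assumptions.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample rows in an assumed comma-separated layout:
# date,time,type,category,event_id,source,user,computer,description
SAMPLE_CSV = """\
8/19/2003,4:01:12 PM,2,0,15101,Microsoft ISA Server Control,N/A,ISA01,Port scan detected from 203.0.113.7
8/19/2003,4:05:40 PM,2,0,15101,Microsoft ISA Server Control,N/A,ISA01,Port scan detected from 203.0.113.7
8/19/2003,4:09:03 PM,2,0,15101,Microsoft ISA Server Control,N/A,ISA01,Port scan detected from 203.0.113.7
8/19/2003,5:12:00 PM,2,0,15101,Microsoft ISA Server Control,N/A,ISA01,Port scan detected from 198.51.100.25
8/19/2003,5:13:00 PM,2,0,15101,Microsoft ISA Server Control,N/A,ISA01,Port scan detected from 198.51.100.25
8/19/2003,5:14:00 PM,2,0,15101,Microsoft ISA Server Control,N/A,ISA01,Port scan detected from 198.51.100.25
8/19/2003,6:30:00 PM,2,0,15101,Microsoft ISA Server Control,N/A,ISA01,Port scan detected from 192.0.2.10
8/19/2003,6:45:00 PM,4,0,14123,Microsoft ISA Server Control,N/A,ISA01,Unrelated event mentioning 203.0.113.99
"""

# Hypothetical never-block list: partners, upstream DNS, monitoring hosts.
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.0/24")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def block_candidates(csv_text, event_id="15101", min_events=3, never_block=NEVER_BLOCK):
    """Return (candidates, skipped) built from exported event-log rows."""
    hits = Counter()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 9 or row[4].strip() != event_id:
            continue  # short row or an event ID we are not filtering for
        for token in IPV4.findall(",".join(row[8:])):  # description may contain commas
            try:
                hits[ipaddress.ip_address(token)] += 1
            except ValueError:
                pass  # matched the pattern but is not a valid address
    candidates, skipped = [], []
    for addr, count in sorted(hits.items()):
        if any(addr in net for net in never_block):
            skipped.append((str(addr), count, "never-block list"))
        elif count < min_events:
            skipped.append((str(addr), count, "below threshold"))
        else:
            candidates.append((str(addr), count))
    return candidates, skipped

if __name__ == "__main__":
    cands, skipped = block_candidates(SAMPLE_CSV)
    print("review for blocking:", cands)
    print("not blocked:", skipped)
```

The skipped list keeps the reason for each exclusion, so a person can review what was left unblocked and why.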

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected




Hi Brian,

Nor should you. Blocking addresses that scan you is like shooting at
cars that drive past your home and look at your windows and front door.
:-) Be aware of the attempt, but you'll end up making a critical error
sooner or later if you block addresses without putting some intelligence
behind the block.

HTH,
Tom

Thomas W Shinder
http://www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp



-----Original Message-----
From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 1:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected





I simply don't have time to add a new filter for each and every
IP address that scans the firewall.

Perhaps if it would allow you to create a list of them you could
update...but creating a single packet filter for every scan I've gotten
would take me hours.





-----Original Message-----
From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 2:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected




Personally, I figure that a port scan on my site is someone up
to no good, and I ban the IP address (inbound). If the IP address is
resolvable and I can contact the owner, I will attempt to do so. If the
owner takes appropriate action (to my liking), I remove the packet
filter. Lately I seem to be getting a couple of scans per week. Perhaps
I should ban all incoming traffic! :-) :-) :-)



Mark

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

