Haaaa..along these same lines. The IP 166.60.12.11 has been doing an entire port scan (yes ladies..that's 1 - 64xxx) since yesterday at 4pm. He's already up to 35867 as of 11am this morning. Still no response from his ISP...imagine that.

Brian W. Rogers
Operations Engineer
Tree of Life Corporation
rogersb@xxxxxxxxxxxxxx
office: (904)940-2152
mobile: (904)806-7173

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, August 20, 2003 10:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

http://www.ISAserver.org

No way!
The compiled ISAInfo is the longest...
..so there..
thpthpthpthpthp

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Steve Moffat" <steve@xxxxxxxxxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, August 19, 2003 18:02
Subject: [isalist] RE: port scan detected

This must be one of the longest awaited projects out there....:))

Steve

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Tuesday, August 19, 2003 9:55 PM
To: Isa Weblist

Here is some follow-up on the information below:

The dumpel command is quite slick and can be placed into a batch file that runs nightly:

    dumpel -f application.out -l application -m "Microsoft ISA Server Control" -e 20063 15102 14123 15105 11001
    dumpel -f event.out -l system -m rdr -e 20063 15102 14123 15105 11001
    dumpel -f system.out -s systemname r -l system

I'll finish my testing on the import scripts today.
Joseph

-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Tuesday, August 19, 2003 12:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

What I do is dump all the various event logs into *.csv form and then read them into tables that I've created, filtering out all but the items that refer to ISA. That way I have a source that I can run filters from, and then if I don't want something filtered I remove it from the tables as listed below.

15101 is one that I filter most for and then pick up the IP address and generate the xml or *.csv that will be used to feed my process that applies rules to ISA.

Event Log Names:
DbEvtApp - Application Events
DbEvtSec - Security Events
DbEvtSys - System Events
DbEvtDNS - DNS log file is created on your DNS machine

Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

Hi Brian,

Nor should you. Blocking addresses that scan you is like shooting at cars that drive past your home and look at your windows and front door. :-)

Be aware of the attempt, but you'll end up making a critical error sooner or later if you block addresses without putting some intelligence behind the block.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 1:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

I simply don't have time to add a new filter for each and every IP address that scans the firewall.
Perhaps if it would allow you to create a list of them you could update...but creating a single packet filter for every scan I've gotten would take me hours.

-----Original Message-----
From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 2:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

Personally, I figure that a port scan on my site is someone up to no good, and I ban the IP address (inbound). If the IP address is resolvable and I can contact the owner, I will attempt to do so. If the owner takes appropriate action (to my liking), I remove the packet filter.

Lately I seem to be getting a couple of scans per week. Perhaps I should ban all incoming traffic! :-) :-) :-)

Mark

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
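
Added example (not part of the original thread or any poster's scripts): one way to implement the workflow discussed above, where exported event-log rows are filtered for event 15101 and repeat sources are reviewed against a never-block list before any packet filter is created. The CSV columns, message text, alert threshold and the never-block range are assumptions constructed for illustration.

```python
import csv, io, ipaddress, re
from collections import Counter

# Constructed sample of an event-log CSV export (columns and message text are
# assumptions for illustration, not real dumpel or ISA Server output).
SAMPLE_CSV = """date,time,type,event_id,source,description
8/19/2003,16:02:11,warning,15101,Microsoft ISA Server Control,Port scan detected from IP address 203.0.113.45
8/19/2003,16:05:40,warning,15101,Microsoft ISA Server Control,Port scan detected from IP address 203.0.113.45
8/19/2003,17:20:03,warning,15101,Microsoft ISA Server Control,Port scan detected from IP address 198.51.100.7
8/19/2003,18:44:19,information,11001,Microsoft ISA Server Control,Service started
8/20/2003,09:13:52,warning,15101,Microsoft ISA Server Control,Port scan detected from IP address 203.0.113.45
8/20/2003,10:01:07,warning,15101,Microsoft ISA Server Control,Port scan detected from IP address 192.0.2.10
8/20/2003,10:30:00,warning,15101,Microsoft ISA Server Control,Port scan detected from IP address 192.0.2.10
8/20/2003,10:45:00,warning,15101,Microsoft ISA Server Control,Port scan detected from IP address 192.0.2.10
"""

SCAN_EVENT_IDS = {"15101"}                            # event ID named in the thread
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical partner range
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_sources(csv_text):
    """Count scan alerts per source IP found in matching event rows."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] not in SCAN_EVENT_IDS:
            continue
        for token in IPV4.findall(row["description"]):
            try:
                counts[ipaddress.ip_address(token)] += 1
            except ValueError:  # regex matched something like 999.1.1.1
                pass
    return counts

def review_list(counts, min_alerts=3):
    """Split repeat sources into block candidates and never-block hits."""
    candidates, skipped = [], []
    for ip, n in sorted(counts.items()):
        if n < min_alerts:
            continue  # a single pass-by scan is noted, not acted on
        if any(ip in net for net in NEVER_BLOCK):
            skipped.append(str(ip))  # needs a human decision, never auto-blocked
        else:
            candidates.append(str(ip))
    return candidates, skipped
```

The candidate list is meant as input to a manual review step, so one address list can be maintained instead of a packet filter per scan.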