It still records the port scan...even if it drops the packet (at least that's my understanding). Brian W. Rogers Operations Engineer Tree of Life Corporation <mailto:rogersb@xxxxxxxxxxxxxx> rogersb@xxxxxxxxxxxxxx office: (904)940-2152 mobile: (904)806-7173 -----Original Message----- From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] Sent: Wednesday, August 20, 2003 11:26 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: port scan detected http://www.ISAserver.org Tom, Interesting thing happened today. After creating a packet filter to block an IP, two days ago, he port scanned me again this morning. Can you explain this? Thanks. Mark _____ From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, August 19, 2003 4:02 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: port scan detected http://www.ISAserver.org Hi Mark, Sure. Human eyes must evaluate the nature of the attack, and human eyes must evaluate the source location. For example, if the "attack" if some a DNS timeout issue with your DNS server, do you want to block that? Another example, if the "attack" is from another admin testing his "skills" from home, do you want to block that? Another example, the IDS is misconfigured, do you want to block what it says? Another example, a legit host is infected and cleaned. Now that host is blocked. Do you want to block that and then deal with connectivity issues when you forgot about your blocking filters or try to fish out the blocked host address from the thousands you your list? Harden your hosts, use Application and Web filters, never publish a Web site using an IP address, all the basic stuff. That's a lot more effective than blocking addresses willy nilly. YMMV, Tom Thomas W Shinder <http://www.isaserver.org/shinder> www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 <http://tinyurl.com/1jq1> Configuring ISA Server: <http://tinyurl.com/1llp> http://tinyurl.com/1llp -----Original Message----- From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] Sent: Tuesday, August 19, 2003 2:13 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: port scan detected http://www.ISAserver.org Tom, Could you elaborate on this "intelligent address blocking"? Thanks. Mark _____ From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, August 19, 2003 1:59 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: port scan detected http://www.ISAserver.org Ni Brian, Nor should you. Blocking addresses that scan you is like shooting at cars that drive past your home and look at your windows and front door. :-) Be aware of the attempt, but you'll end up making a critical error sooner or later if you block addresses without putting some intelligence behind the block. HTH, Tom Thomas W Shinder <http://www.isaserver.org/shinder> www.isaserver.org/shinder ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: mark.hopkins@xxxxxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rogersb@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')