Yeh - Tim is single because he understands women... ..scuze me while I ROTFLMFAO...

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Tuesday, July 25, 2006 2:47 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Port Scan

You have to understand Amy, these guys are a bunch of geeks. They don't understand what's important to a woman, or even how to treat a woman like a lady. This is what happens when they spend too much time with "email," and not enough time with "female." ;) That's also why they are married, and I am single. :-p

If it makes you feel good, then go for it.

t

On 7/25/06 2:26 PM, "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx> spoketh to all:

> http://www.toolzz.com/ISATools/2000tools.htm
>
> It may be a waste but you forgot that I feel better now. That's
> something. Maybe it's a girl thing.
>
> I also have a habit of creating protocols for stuff that shows up as
> unidentified traffic. I suppose that's a waste too because ISA handles
> it whether it has a name or not. But it makes it easier on me.
>
> Now I can look at the logs and when I see Denied and the rule is Drop
> This Connection, then I know what it is. Just like when I see HP
> Printer Broadcast protocol in the logs, I know what that is. (and how
> to stop it)
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Tuesday, July 25, 2006 5:17 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
>
> ..where?
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Amy Babinchak
> Sent: Tuesday, July 25, 2006 13:58
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
>
> I found the script available on ISAtoolz. Never heard of that site
> either.
>
> Amy
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Tuesday, July 25, 2006 4:54 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Port Scan
>
> I think Tsu added quite a bit of intelligence into the script :P
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Tuesday, July 25, 2006 3:52 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Port Scan
>>
>> Yep--- was there any "intelligence" in the blocking rule, or could
>> someone do a simple port scan of the external interface from the NAT'd
>> internal LAN to automatically block all internal traffic? ;)
>>
>> t
>>
>>
>> On 7/25/06 1:42 PM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>
>>> Yep - total agreement and this was the core of the "fight" way back when.
>>> Not only that, but any automated "rule builder" can be used as a great DoS
>>> mechanism.
>>>
>>> -------------------------------------------------------
>>> Jim Harrison
>>> MCP(NT4, W2K), A+, Network+, PCG
>>> http://isaserver.org/Jim_Harrison/
>>> http://isatools.org
>>> Read the help / books / articles!
>>> -------------------------------------------------------
>>>
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Thor (Hammer of God)
>>> Sent: Tuesday, July 25, 2006 12:52
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Port Scan
>>>
>>> .02:
>>>
>>> It seems like a total waste of time to respond to "scan attacks" with a block
>>> script, as everything is being blocked anyway- just not with an explicit
>>> "block" rule. The presence of the "scan" alert tells you that ISA is doing
>>> its job - AFAIAC, no other action is even necessary. If there is some
>>> incessant attack from a persistent IP hammering away at published services and
>>> you just don't want to see it, then put in a deny rule. If it is a bandwidth
>>> issue (like when I was getting Code Red attacks all day, every day) then block
>>> it on the ISP side. But that costs money for that service, typically.
>>> However, it does work.
>>>
>>> If it is in the realm of "identified" attacks ala my "strikeback" model, then
>>> that is a different thing- and something that is deployed in a completely
>>> different way to solve a different problem (lest someone tried to use that
>>> against me ;). Port scans and "noise" traffic can safely be ignored.
>>>
>>> t
>>>
>>>
>>> On 7/25/06 11:58 AM, "Jim Harrison" <Jim@xxxxxxxxxxxx> spoketh to all:
>>>
>>>> Think way back to your involvement with SBS in the Yahoo list.
>>>> It was how I got invited to join that list; the BlockAttacker script
>>>> was being touted as the be-all, end-all to ISA port scan response.
>>>> I had to get really nasty (even for me) with the proponent of this
>>>> technique before he finally backed down.
>>>> He still regurgitates this nonsense (among other senseless
>>>> meanderings) from time to time, but it's an easy head-slap.
>>>>
>>>> For those not familiar, the BlockAttacker script was an expansion of
>>>> the ISA 2000 alert action example that used the client IP to create a
>>>> packet filter blocking the "offending host". While it provided an
>>>> excellent example of using ISA alert environment variables, it turned
>>>> out to be a great DoS tool as well and we pulled it from isatools.org.
>>>>
>>>> Unfortunately, there is one (TSu) individual who shall remain nameless
>>>> (Tony Su) who insists on singing the praises of this response technique to
>>>> unsuspecting ISA admins. Luckily, he's not skilled enough to sort out
>>>> how to port the script to ISA 2004 or we'd have more PSS calls than we do
>>>> now.
>>>>
>>>> -------------------------------------------------------
>>>> Jim Harrison
>>>> MCP(NT4, W2K), A+, Network+, PCG
>>>> http://isaserver.org/Jim_Harrison/
>>>> http://isatools.org
>>>> Read the help / books / articles!
>>>> -------------------------------------------------------
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>>>> Sent: Tuesday, July 25, 2006 11:21
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Port Scan
>>>>
>>>> I don't know that joke. I think it was before my time on the list.
>>>> What's the block attacker script? Never heard of it.
>>>>
>>>> Amy Babinchak
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Jim Harrison
>>>> Sent: Tuesday, July 25, 2006 2:19 PM
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Re: Port Scan
>>>>
>>>> Ask Tony for the BlockAttacker script.
>>>> I'm sure he's still trying to support it.
>>>> :-p
>>>>
>>>> Tom has it right; you can generally ignore them, since damn few ISPs
>>>> even care.
>>>>
>>>> -------------------------------------------------------
>>>> Jim Harrison
>>>> MCP(NT4, W2K), A+, Network+, PCG
>>>> http://isaserver.org/Jim_Harrison/
>>>> http://isatools.org
>>>> Read the help / books / articles!
>>>> -------------------------------------------------------
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: isapros-bounce@xxxxxxxxxxxxx
>>>> [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>>> On Behalf Of Amy Babinchak
>>>> Sent: Tuesday, July 25, 2006 10:21
>>>> To: isapros@xxxxxxxxxxxxx
>>>> Subject: [isapros] Port Scan
>>>>
>>>> What should I do about a port scan that just won't go away? I've got
>>>> two IP addresses port scanning my server around the clock. An email to
>>>> the owner bounced back, unknown email address.
>>>>
>>>> Is there anything to be done?
>>>>
>>>>
>>>> Amy
>>>>
>>>>
>>>> All mail to and from this domain is GFI-scanned.
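
The failure mode discussed in the thread above (an alert action that turns every reported client IP into a block rule, including a scan that arrives from the site's own NAT'd LAN), as an added sketch that is not part of the original messages and is not the BlockAttacker script or any ISA interface. The addresses are constructed documentation-range samples, and the `PROTECTED` list, the threshold and all function names are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: source IPs taken from scan alerts, in arrival order.
# 203.0.113.10 stands in for the firewall's own NAT address, which is the
# source the external interface sees when an internal host scans it.
ALERT_SOURCES = (["198.51.100.7"] * 40 + ["198.51.100.99"] * 35
                 + ["203.0.113.10"] * 3)

# Assumption: addresses whose loss would take the site itself offline.
PROTECTED = [ipaddress.ip_network("203.0.113.10/32")]


def is_protected(ip):
    """True when the address falls inside a network the site depends on."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED)


def naive_block(sources):
    """Alert-action style response: every reported source becomes a deny rule."""
    return sorted(set(sources))


def collateral(deny_rules):
    """Deny rules that would cut off the site's own traffic."""
    return [ip for ip in deny_rules if is_protected(ip)]


def manual_candidates(sources, threshold=30):
    """No automatic rules: list persistent sources for an admin to review,
    and never propose a protected address."""
    counts = Counter(sources)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and not is_protected(ip))


if __name__ == "__main__":
    rules = naive_block(ALERT_SOURCES)
    print("auto-created deny rules:", rules)
    print("self-inflicted blocks:  ", collateral(rules))
    print("for manual deny review: ", manual_candidates(ALERT_SOURCES))
```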