Re: Can anybody here me with IPPEXTD logs

  • From: "cismic" <cismic@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 25 Feb 2004 10:54:41 -0800

Isn't it also a good idea to configure at the adapter not to use NetBIOS
over TCP/IP?

----- Original Message ----- 
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 25, 2004 6:54 AM
Subject: [isalist] Re: Can anybody here me with IPPEXTD logs


http://www.ISAserver.org

Hi Jim,

Those records are also a lot of fun when you're publishing Web sites and
the NetBIOS node adapter status queries fill up the logs :)

I just created packet filters for the NetBIOS protocols and then
configured the filters to not log.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp




-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, February 25, 2004 8:38 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Can anybody here me with IPPEXTD logs



Actually (sorry, Joe; I have to do this), those entries are ISA trying
to use NetBIOS name resolution (UDP-137) because DNS resolution failed.
Since you don't have a PF allowing ISA to use this protocol (don't
add one), it shows as "BLOCKED".
Don't get in a twist over this; since you're completely dependent on the
distant site and their ISP to maintain proper DNS records, these entries
are commonplace.

The IP..log entries are always Source-IP, Destination-IP; not ISA-IP,
Remote-IP...

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Wed, 25 Feb 2004 12:12:54 -0000
 Paul Crisp <PCrisp@xxxxxxxxxxxxxxxxx> wrote:

Cool, one less thing to worry about then.

Thanks again

Paul Crisp
Snr Network Support Analyst
t: 020 7 827 5201
f: 020 7 827 5266


-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Wednesday, February 25, 2004 12:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Can anybody here me with IPPEXTD logs
Importance: High


Hi Paul,
A machine from the outside world is trying to gain access and the good
thing is that ISA blocked them.

Joseph
----- Original Message ----- 
From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 25, 2004 3:11 AM
Subject: [isalist] Re: Can anybody here me with IPPEXTD logs



Thanks Joseph I will.

Does this mean then that the ISA Server or a machine on the LAN is
transmitting these possible vulnerabilities or the machine from the
outside world is trying to expose them?

Paul Crisp
Snr Network Support Analyst
t: 020 7 827 5201
f: 020 7 827 5266


-----Original Message-----
From: cismic [mailto:cismic@xxxxxxx]
Sent: Wednesday, February 25, 2004 11:03 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Can anybody here me with IPPEXTD logs
Importance: High


Hi Paul,
The way the logs are laid out will show your ISA IP address first then
the IP Address of the site that was attempting to talk to your site.  In
this case most are UDP transports using ports 2629, 2630 etc. They were
attempting access to TCP transport 137. Which is a good thing.  ISA
blocked those.  Read up on NETBIOS and directory traversal vulnerabilities.

HTH,
Joseph

----- Original Message ----- 
From: "Paul Crisp" <PCrisp@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 25, 2004 2:05 AM
Subject: [isalist] Can anybody here me with IPPEXTD logs



I am getting the following appearing in my IPPEXTD logs.

The first IP address is my external IP address of the ISA server and the
second address changes. What is causing this?

2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2629 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 91 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 45 00 89 00 3a 2e ed
2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2630 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 92 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 46 00 89 00 3a 2e ea
2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2631 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 93 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 47 00 89 00 3a 2e e7
2004-02-25 00:00:01 195.xxx.xxx.xxx 66.151.150.33 Udp 2632 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 94 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 48 00 89 00 3a 2e e4
2004-02-25 00:00:02 195.xxx.xxx.xxx 66.151.150.33 Udp 2629 137 BLOCKED 195.xxx.xxx.xxx 45 00 00 4e 89 fe 00 00 80 11 00 00 c3 9d 37 fa 42 97 96 21 0a 45 00 89 00 3a 2e df

Paul Crisp
Snr Network Support Analyst
t: 020 7 827 5201
f: 020 7 827 5266
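
An added example, not part of any message in this thread: a short Python parser that reads the direction of each IPPEXTD record from its source column and cross-checks it against the logged header bytes, which is the Source-IP, Destination-IP reading Jim describes. The column layout is inferred from the sample lines in the original post, the trailing bytes are assumed to be the IPv4 and UDP headers, and the sample records and function names are constructed for illustration.

```python
import ipaddress
import re
import struct

# Constructed sample in the layout shown in the post (date, time, source IP,
# destination IP, protocol, source port, destination port, action, interface,
# raw header bytes). Addresses are documentation ranges, not from the thread.
SAMPLE = """\
2004-02-25 00:00:01 192.0.2.10 198.51.100.33 Udp 2629
137 BLOCKED 192.0.2.10 45 00 00 4e 89 91 00 00 80 11 00 00 c0 00 02
0a c6 33 64 21 0a 45 00 89 00 3a 2e ed
2004-02-25 00:00:05 203.0.113.7 192.0.2.10 Udp 1027
137 BLOCKED 192.0.2.10 45 00 00 4e 12 34 00 00 6e 11 00 00 cb 00 71
07 c0 00 02 0a 04 03 00 89 00 3a 00 00
"""

def join_wrapped(text):
    """Re-join records that mail wrapping split; a date starts a new record."""
    records = []
    for line in text.splitlines():
        if re.match(r"\d{4}-\d{2}-\d{2} ", line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def parse_record(record):
    f = record.split()
    rec = {"src": f[2], "dst": f[3], "proto": f[4].lower(),
           "sport": int(f[5]), "dport": int(f[6]), "action": f[7]}
    raw = bytes.fromhex("".join(f[9:]))
    ihl = (raw[0] & 0x0F) * 4  # IPv4 header length in bytes
    hdr_src = str(ipaddress.IPv4Address(raw[12:16]))
    hdr_dst = str(ipaddress.IPv4Address(raw[16:20]))
    hdr_sport, hdr_dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    # The text columns should agree with the logged header bytes.
    rec["consistent"] = (hdr_src, hdr_dst, hdr_sport, hdr_dport) == (
        rec["src"], rec["dst"], rec["sport"], rec["dport"])
    return rec

def classify(rec, isa_external):
    """Direction is read from the source column, not from column position."""
    nbns = rec["proto"] == "udp" and rec["dport"] == 137
    if rec["src"] == isa_external:
        return "outbound NetBIOS name query from ISA" if nbns else "outbound"
    if rec["dst"] == isa_external:
        return "inbound NetBIOS name query to ISA" if nbns else "inbound"
    return "other"

def summarize(text, isa_external):
    return [classify(parse_record(r), isa_external) for r in join_wrapped(text)]
```

Calling `summarize(SAMPLE, "192.0.2.10")` labels the first constructed record as outbound from the firewall and the second as inbound to it, even though both show the firewall's address in the interface column.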



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
cismic@xxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
