Hi, I find this in the packetlog at the time of the warning I receive, what do you think? Norton antivirus is still telling me servers are clean and the definitions are up to date. 10.92.60.19 is a server on the network, 10.255.1.2 is the public interface of the IS server, and 212.71.32.19 is the DNS of our ISP. 2004-11-28 12:52:39 10.92.60.19 255.255.255.255 Udp 14000 14000 - BLOCKED 10.255.1.2 45 00 00 68 57 6e 00 00 80 11 9c a8 0a 5c 3c 13 ff ff ff ff 36 b0 36 b0 00 54 58 33 00 00 00 4c 3a 00 00 00 00 00 00 0c 44 53 41 4d 65 73 73 61 67 65 00 00 00 00 00 0c 00 00 00 10 4f 52 42 65 6c 69 6e 65 20 32 2e 30 00 00 00 00 00 00 00 01 41 a9 81 bb 3a 00 00 00 00 00 00 04 3a 3a 00 64 00 00 00 04 2004-11-28 12:52:58 10.255.1.2 212.71.32.19 Tcp 37895 53 SYN BLOCKED 10.255.1.2 45 00 00 30 50 b9 40 00 80 06 00 00 0a ff 01 02 d4 47 20 13 94 07 00 35 a1 c8 81 d1 00 00 00 00 70 02 ff ff ca ed 00 00 02 04 05 b4 01 01 04 02 2004-11-28 Thanks, Ruba Al Omari -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: Wednesday, November 24, 2004 4:46 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: FW: ISA Server alert: An intrusion was attempted by an external user. http://www.ISAserver.org You need to review the packet filter logs for that time (remember to account for GMT logging). The actual traffic is located there. By default, ISA logs to %ProgramFiles%\Micorosoft ISA Server/ISALogs Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! -----Original Message----- From: Ruba Al Omari, Eng. [mailto:romari@xxxxxxxxxxxxxxxxx] Sent: Wednesday, November 24, 2004 12:12 AM To: [ISAserver.org Discussion List] Subject: [isalist] FW: ISA Server alert: An intrusion was attempted by an external user. http://www.ISAserver.org Hi I have 2 arms ISA2000, one NIC connected to switch with a netscreen device (10.255.1.2) and the other arm is connected to internal LAN. I keep getting these notifications almost every few minutes; from the interface that is connected to the netscreen LAN which only has 2 devices connected to this LAN the ISA and the netscreen. I know the ISA is not infected, could there be any other reason for this? Thanks for any help Ruba Al-Omari -----Original Message----- From: 9000-srv [mailto:9000-srv] Sent: Wednesday, November 24, 2004 10:06 AM To: DAH Technical Support Subject: ISA Server alert: An intrusion was attempted by an external user. ISA Server name: 9000-SRV ISA Server detected an all port scan attack from Internet Protocol (IP) address 10.255.1.2. For more information about this event, see ISA Server Help. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: romari@xxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx