RE: Feature Pack 1 - URLScan

• From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Tue, 25 Feb 2003 18:03:12 -0600

Hi Raji,

You don't even need to use URLScan to block those. I'm sure you are not
using "www" in your Destination Sets, and you would never use IP
addresses in your Web Publishing Rule Destination Sets, so you're not
going to be whacked by those and they should never appear in your Web
server log, only in the Web Proxy log.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Raji Arulambalam [mailto:rajia@xxxxxxxxxxxxxx] 
Sent: Tuesday, February 25, 2003 5:45 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Feature Pack 1 - URLScan


http://www.ISAserver.org


Hi

What needs adding to the URLSCAN.ini file to catch these attacks.??

217.96.188.1    anonymous       -       N       2003-02-25      23:33:19
w3proxy CELERIS -       www     -       -       -       96      3551
http
TCP     GET
http://www/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
-       -       502     -       -       -

I have added these various combinations  '.exe?' , '?/' , '/c+' to the
ini
file, but non seem to catch this. 
I want to remove this so it does not clog up my iis server logs.

Any clues.????


---------------------------------------------
  Raji Arulambalam       
  Systems Administrator          
  Environment Bay of Plenty 
  P O Box 364 Whakatane.
  NEW ZEALAND  
--------------------------------------------




******************************************************
This e-mail has been checked for viruses and no viruses were detected.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

Other related posts:

• » Feature Pack 1 - URLScan
• » RE: Feature Pack 1 - URLScan
• » RE: Feature Pack 1 - URLScan
• » RE: Feature Pack 1 - URLScan

1. Home
2. isalist
3. Archive
4. 02-2003

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---