Re: Help - ICMP Traffic Killing ISA

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 20 Oct 2003 14:35:09 -0700

ISA can only report what it gets.
The IPext..log holds that data after you apply the "block and log" fix I 
referenced you to.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Mon, 20 Oct 2003 09:56:25 -0700
 "Ray Dzek" <rdzek@xxxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Jim,

Thanks for the reply, but...

Neither of the changes mentioned in the KB article really helps me.  They stop
the traffic from traversing ISA, but still do nothing to let me know who is
generating the traffic.  Ultimately, it was Network Monitor and using the
MAC-to-IP program I pasted the link to earlier that got me the information I
needed to squash the last few machines still infected.  I just think that I
should have been able to get this information from ISA faster and easier.

----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, October 19, 2003 7:49 PM
Subject: [isalist] Re: Help - ICMP Traffic Killing ISA


> Here y'go...
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;283213&Product=ISAS
>
> ..all you need is SP1 for these settings to work...
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
>
>  Read the help, books and articles!
> ----- Original Message -----
> From: "Ray Dzek" <rdzek@xxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Friday, October 17, 2003 09:14
> Subject: [isalist] Help - ICMP Traffic Killing ISA
>
>
> We had some visitors come in from out of town and help themselves to an
> ethernet port which unleashed Welchia and Blaster on our internal network.
> (Yes .. there will be public floggings at noon today).  But I am trying to
> track down where the stragglers are on the network that are still infected.
> I have been using netmonitor and other tools to find the "screamers" on the
> LAN.  I was also trying to use Wintail to simply tell me who on the network
> is generating the traffic.  When I tail the ippextd logs, I see all the ICMP
> traffic scrolling, but it all looks like it is coming from the external
> interface of ISA.  There is no corresponding traffic in the webextd or
> fwextd logs.  If I stop the fw and web services, the ippextd logs continue
> to scroll with ICMP traffic.  What is up?
>
> Thanks in advance.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
>
> ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*
>
> All mail from this domain is virus-scanned with RAV.
> www.ravantivirus.com
>
> ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*