Re: ISA Server alert: An intrusion was attempted by an external user.

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 11 Sep 2001 10:33:27 -0700

IP...log is a generalization for the Packet Filter log that ISA creates.
This is named IP^*yyymmdd.log, where "^" may be "EXT" if you're using W3C
format and "*" represents the log turnover periodicity (D, W, M, Y).
ISA is responsible for the event log entry, so ISA did report it.
Don't use the reports for specific incident evaluation; they're very
general.
Let's keep this in the list so everyone can play...

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: "Jim Harrison" <jim@xxxxxxxxxxxx>
Sent: Tuesday, September 11, 2001 09:53
Subject: RES: ISA Server alert: An intrusion was attempted by an external
user.


What's "IP...log" ?
I saw event viewer and ISA reports (traffic utilization, dropped
packets) all.
In event viewer this is reported. In ISA server, not.
I only sent it to you because another user sent the same problem to
isalist, and you answered.

Thank you again !
Alex






-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, September 11, 2001 13:45
To: Alex Decarli
Subject: Re: ISA Server alert: An intrusion was attempted by an external
user.


Take a look at your "IP....log" for events with that same date/time
(adjust for GMT in the log).  That will tell you what was seen that ISA
called an "attack".
Generally, if ISA reports it, ISA blocked it.

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: <jim@xxxxxxxxxxxx>
Sent: Tuesday, September 11, 2001 09:09
Subject: ENC: ISA Server alert: An intrusion was attempted by an
external
user.


I'm receiving this message.
Yesterday, I received the same message with this IP: 200.187.233.12.
Today, I received the same message with this IP: 200.176.2.85.
I think that message doesn't show me an attack properly, because we receive
email messages through ISA Server.

1. What do you think? Is this an "Attack" or not?
2. Does ISA Server discard this?

Any idea?
Help me please

Alex Decarli
Netadmin - Tecfil Brazil
Thanks




-----Original Message-----
From: isaalert [mailto:isaalert]
Sent: Tuesday, September 11, 2001 12:56
To: isaalert
Subject: ISA Server alert: An intrusion was attempted by an external
user.


ISA Server name: SVISA

ISA Server detected an all port scan attack from Internet Protocol (IP)
address 200.176.2.85.
For more information about this event, see ISA Server Help.
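
The correlation step recommended in this thread (find the packet filter log entries for the alert's source IP at the alert's time, after converting that time to GMT), as an added example that is not part of the original messages or of ISA Server. The log lines, field names, destination address and the UTC-3 offset are constructed assumptions; only the source IP and alert time come from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample in W3C extended format. Field names are assumptions;
# the parser uses whatever the log's own "#Fields:" line declares.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time source-ip destination-ip protocol dest-port
2001-09-11 15:55:58 200.176.2.85 192.0.2.10 Tcp 21
2001-09-11 15:55:58 200.176.2.85 192.0.2.10 Tcp 23
2001-09-11 15:55:59 200.176.2.85 192.0.2.10 Tcp 25
2001-09-11 15:56:00 198.51.100.7 192.0.2.10 Tcp 80
2001-09-11 12:56:00 200.176.2.85 192.0.2.10 Tcp 25
"""

def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in '#Fields:'."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def events_near_alert(text, source_ip, alert_local, utc_offset_hours,
                      window_seconds=120):
    """Rows from source_ip within window_seconds of the alert, in GMT.

    alert_local is the alert's local wall-clock time; the log is in GMT,
    so the offset is removed before comparing.
    """
    alert_gmt = alert_local - timedelta(hours=utc_offset_hours)
    hits = []
    for row in parse_w3c(text):
        stamp = datetime.strptime(row["date"] + " " + row["time"],
                                  "%Y-%m-%d %H:%M:%S")
        if (row["source-ip"] == source_ip
                and abs((stamp - alert_gmt).total_seconds()) <= window_seconds):
            hits.append(row)
    return hits

if __name__ == "__main__":
    alert = datetime(2001, 9, 11, 12, 56)  # alert mail time, assumed local
    for row in events_near_alert(SAMPLE_LOG, "200.176.2.85", alert, -3):
        print(row["time"], row["protocol"], row["dest-port"])
```

Skipping the offset matches only the unrelated 12:56:00 row, which is the mistake the "adjust for GMT" advice guards against.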