IP...log is a generalization for the Packet Filter log that ISA creates. This is named IP^*yyymmdd.log, where "^" may be "EXT" if you're using W3C format and "*" represents the log turnover periodicity (D, W, M, Y). ISA is responsible for the event log entry, so ISA did report it. Don't use the reports for specific incident evaluation; they're very general. Let's keep this in the list so everyone can play... Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: "Alex Decarli" <decarli@xxxxxxxxxxxxx> To: "Jim Harrison" <jim@xxxxxxxxxxxx> Sent: Tuesday, September 11, 2001 09:53 Subject: RES: ISA Server alert: An intrusion was attempted by an external user. WhatÂs "IP...log" ? I saw event viewer and ISA reports (traffic utilization, dropped packets) all. In event viewer thisÂs reported. In ISA server, not. I only sent it to you because another user sent the same problem to isalist, and you answered. Thank you again ! Alex -----Mensagem original----- De: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Enviada em: terÃa-feira, 11 de setembro de 2001 13:45 Para: Alex Decarli Assunto: Re: ISA Server alert: An intrusion was attempted by an external user. Tak a look at your "IP....log" for events with that same date/time (adjust for GMT in the log). That will tell you what was seen that ISA called an "attack". Generally, if ISA reports it, ISA blocked it. Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: "Alex Decarli" <decarli@xxxxxxxxxxxxx> To: <jim@xxxxxxxxxxxx> Sent: Tuesday, September 11, 2001 09:09 Subject: ENC: ISA Server alert: An intrusion was attempted by an external user. IÂm receiving this message. Yesterday , I received the same message with this ip: 200.187.233.12. Today, I received the same messagem with this ip: 200.176.2.85. I think that message doesnÂt show-me attack properly because We receive email message through ISA Server. 1. What do you think ?, is this a "Attack" ou no ? 2. Isa server discard this ? Any idea ? Help-me please Alex Decarli Netadmin - Tecfil Brazil Thanks -----Mensagem original----- De: isaalert [mailto:isaalert] Enviada em: terÃa-feira, 11 de setembro de 2001 12:56 Para: isaalert Assunto: ISA Server alert: An intrusion was attempted by an external user. ISA Server name: SVISA ISA Server detected an all port scan attack from Internet Protocol (IP) address 200.176.2.85. For more information about this event, see ISA Server Help.