When ISA lists a packet as "Blocked", that means that it didn't even respond, something colloquially known as "stealth". The sending machine is still ignorant regarding that IP / port combination.

Yes, isalist and isaserver.org are great, but no; I'm not responsible (nobody saw me, can't prove a thing). Steven and Tom keep that rolling for everyone.

Yes, I'm ISA certified (test 70-227). Now if I can just get the rest of the tests behind me... ;-)

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: "Jim Harrison" <jim@xxxxxxxxxxxx>; "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 11, 2001 10:41
Subject: RES: ISA Server alert: An intrusion was attempted by an external user.

Ok, this solved my problem. I opened ipxxxx.log and I saw the IPs below. There is a field called "filter-rule" near IPs with status blocked. I think that ISA Server blocked this port scan. Right?

About isalist, I will include myself again.

Regards.

P.S.: Are you responsible for isaserver.org? Are you certified in ISA Server?

Thanks again
Alex

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, September 11, 2001 14:33
To: [ISAserver.org Discussion List]
Cc: Alex Decarli
Subject: Re: ISA Server alert: An intrusion was attempted by an external user.

IP...log is a generalization for the Packet Filter log that ISA creates. This is named IP^*yyymmdd.log, where "^" may be "EXT" if you're using W3C format and "*" represents the log turnover periodicity (D, W, M, Y).

ISA is responsible for the event log entry, so ISA did report it. Don't use the reports for specific incident evaluation; they're very general.

Let's keep this in the list so everyone can play...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: "Jim Harrison" <jim@xxxxxxxxxxxx>
Sent: Tuesday, September 11, 2001 09:53
Subject: RES: ISA Server alert: An intrusion was attempted by an external user.

What's "IP...log"?

I saw Event Viewer and ISA reports (traffic utilization, dropped packets), all. In Event Viewer this is reported. In ISA Server, not.

I only sent it to you because another user sent the same problem to isalist, and you answered.

Thank you again!
Alex

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, September 11, 2001 13:45
To: Alex Decarli
Subject: Re: ISA Server alert: An intrusion was attempted by an external user.

Take a look at your "IP....log" for events with that same date/time (adjust for GMT in the log). That will tell you what was seen that ISA called an "attack". Generally, if ISA reports it, ISA blocked it.

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: <jim@xxxxxxxxxxxx>
Sent: Tuesday, September 11, 2001 09:09
Subject: ENC: ISA Server alert: An intrusion was attempted by an external user.

I'm receiving this message. Yesterday, I received the same message with this IP: 200.187.233.12. Today, I received the same message with this IP: 200.176.2.85.

I think that message doesn't show me an attack properly because we receive email messages through ISA Server.

1. What do you think? Is this an "Attack" or not?
2. Does ISA Server discard this?

Any idea? Help me please.

Alex Decarli
Netadmin - Tecfil Brazil

Thanks

-----Original Message-----
From: isaalert [mailto:isaalert]
Sent: Tuesday, September 11, 2001 12:56
To: isaalert
Subject: ISA Server alert: An intrusion was attempted by an external user.

ISA Server name: SVISA
ISA Server detected an all port scan attack from Internet Protocol (IP) address 200.176.2.85.
For more information about this event, see ISA Server Help.
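
Added example, not part of the original thread and not ISA's own tooling: a Python sketch of the check described above, reading a W3C-format packet filter log, converting the alert's local time to GMT, and listing the ports on which the alerted source address was blocked. The log lines, the column names in the `#Fields` line, the `BLOCKED` value in the `filter-rule` column, the UTC-3 offset and the function names `parse_w3c` and `blocked_ports` are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format (tab separated). The column
# names and values are illustrative, not the real ISA packet filter schema.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample, not real ISA output",
    "#Fields: date\ttime\tsource-ip\tdestination-ip\tprotocol\tdestination-port\tfilter-rule",
    "2001-09-11\t15:40:02\t198.51.100.7\t192.0.2.10\tTCP\t25\t-",
    "2001-09-11\t15:55:58\t200.176.2.85\t192.0.2.10\tTCP\t21\tBLOCKED",
    "2001-09-11\t15:55:58\t200.176.2.85\t192.0.2.10\tTCP\t23\tBLOCKED",
    "2001-09-11\t15:55:59\t200.176.2.85\t192.0.2.10\tTCP\t25\t-",
    "2001-09-11\t15:55:59\t200.176.2.85\t192.0.2.10\tTCP\t80\tBLOCKED",
    "2001-09-11\t18:10:00\t200.176.2.85\t192.0.2.10\tTCP\t110\tBLOCKED",
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def blocked_ports(text, src_ip, alert_local, utc_offset_hours, window_min=5):
    """Ports where src_ip was blocked within window_min of the alert (in GMT)."""
    # The log is written in GMT, so shift the alert's local time first.
    alert_gmt = alert_local - timedelta(hours=utc_offset_hours)
    window = timedelta(minutes=window_min)
    ports = set()
    for rec in parse_w3c(text):
        stamp = datetime.strptime(rec["date"] + " " + rec["time"],
                                  "%Y-%m-%d %H:%M:%S")
        if (rec["source-ip"] == src_ip
                and abs(stamp - alert_gmt) <= window
                and rec["filter-rule"].upper() == "BLOCKED"):
            ports.add(int(rec["destination-port"]))
    return sorted(ports)

if __name__ == "__main__":
    alert = datetime(2001, 9, 11, 12, 56)  # local time on the alert e-mail
    # utc_offset_hours=-3 is an assumed local offset, not stated in the thread.
    print(blocked_ports(SAMPLE_LOG, "200.176.2.85", alert, utc_offset_hours=-3))
```

Skipping the GMT adjustment makes the search window miss every matching record, which is why the same alert can look absent from the log.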