Re: ISA Server alert: An intrusion was attempted by an external user.

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 11 Sep 2001 11:13:52 -0700

When ISA lists a packet as "Blocked", that means that it didn't even
respond, something colloquially known as "stealth".  The sending machine is
still ignorant regarding that IP / port combination.

Yes, isalist and isaserver.org are great, but no; I'm not responsible
(nobody saw me, can't prove a thing).  Steven and Tom keep that rolling for
everyone.
Yes, I'm ISA certified (test 70-227).  Now if I can just get the rest of the
tests behind me...  ;-)

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: "Jim Harrison" <jim@xxxxxxxxxxxx>; "[ISAserver.org Discussion List]"
<isalist@xxxxxxxxxxxxx>
Sent: Tuesday, September 11, 2001 10:41
Subject: RES: ISA Server alert: An intrusion was attempted by an external
user.


Ok, this solved my problem.
I opened ipxxxx.log and I saw the IPs below.
There is a field called "filter-rule" near the IPs with status blocked. I
think that ISA Server blocked this port scan. Right?
About isalist, I will add myself again.

Regards.
P.S.: Are you responsible for isaserver.org?
     Are you certified in ISA Server?

Thanks again
Alex




-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 11 September 2001 14:33
To: [ISAserver.org Discussion List]
Cc: Alex Decarli
Subject: Re: ISA Server alert: An intrusion was attempted by an external
user.


IP...log is a generalization for the Packet Filter log that ISA creates.
This is named IP^*yyyymmdd.log, where "^" may be "EXT" if you're using W3C
format and "*" represents the log turnover periodicity (D, W, M, Y).
ISA is responsible for the event log entry, so ISA did report it.
Don't use the reports for specific incident evaluation; they're very
general.
Let's keep this in the list so everyone can play...

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: "Jim Harrison" <jim@xxxxxxxxxxxx>
Sent: Tuesday, September 11, 2001 09:53
Subject: RE: ISA Server alert: An intrusion was attempted by an external
user.


What's "IP...log"?
I looked at Event Viewer and all the ISA reports (traffic utilization,
dropped packets).
In Event Viewer this is reported. In ISA Server, it is not.
I only sent it to you because another user sent the same problem to
isalist, and you answered.

Thank you again !
Alex






-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 11 September 2001 13:45
To: Alex Decarli
Subject: Re: ISA Server alert: An intrusion was attempted by an external
user.


Take a look at your "IP....log" for events with that same date/time (adjust
for GMT in the log).  That will tell you what was seen that ISA called an
"attack".
Generally, if ISA reports it, ISA blocked it.

Jim Harrison
MCP(2K), A+, Network+, PCG


----- Original Message -----
From: "Alex Decarli" <decarli@xxxxxxxxxxxxx>
To: <jim@xxxxxxxxxxxx>
Sent: Tuesday, September 11, 2001 09:09
Subject: FW: ISA Server alert: An intrusion was attempted by an external
user.


I'm receiving this message.
Yesterday, I received the same message with this IP: 200.187.233.12.
Today, I received the same message with this IP: 200.176.2.85.
I think that message doesn't show me an attack properly, because we receive
email messages through ISA Server.

1. What do you think? Is this an "attack" or not?
2. Does ISA Server discard this?

Any idea?
Help me please

Alex Decarli
Netadmin - Tecfil Brazil
Thanks




-----Original Message-----
From: isaalert [mailto:isaalert]
Sent: Tuesday, 11 September 2001 12:56
To: isaalert
Subject: ISA Server alert: An intrusion was attempted by an external
user.


ISA Server name: SVISA

ISA Server detected an all port scan attack from Internet Protocol (IP)
address 200.176.2.85.
For more information about this event, see ISA Server Help.









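As an added example for this thread (not code from the original posts, from ISA Server, or from isaserver.org), the script below does what Jim describes: it reads a W3C-format packet filter log, converts the alert's local timestamp to the GMT the log is written in, pulls the entries from the alert's source IP around that moment, and counts how many of them the filter-rule column marks as BLOCKED. The column layout in the #Fields header (date time source-ip destination-ip protocol param#1 param#2 filter-rule interface), the reading of param#2 as the destination port for TCP/UDP, the UTC-3 offset for Brazil, and the log lines themselves are assumptions constructed for the example.

```python
"""Correlate an ISA Server intrusion alert with its packet filter log.

Added example for this thread, not code from the original posts or from
ISA Server itself. Assumed: a W3C-style packet filter log whose '#Fields:'
header names these columns (date time source-ip destination-ip protocol
param#1 param#2 filter-rule interface), that the log records GMT/UTC, and
that for TCP/UDP param#2 is the destination port. The log text below is
constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample log. The alert in the thread fired at 12:56 local time
# in Brazil (UTC-3 in September 2001), so the matching entries sit around
# 15:56 in a GMT-stamped log.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Fields: date time source-ip destination-ip protocol param#1 param#2 filter-rule interface
2001-09-11 10:00:00 200.176.2.85 192.0.2.10 TCP 2101 80 BLOCKED 192.0.2.10
2001-09-11 15:55:58 200.176.2.85 192.0.2.10 TCP 1039 21 BLOCKED 192.0.2.10
2001-09-11 15:55:59 200.176.2.85 192.0.2.10 TCP 1040 23 BLOCKED 192.0.2.10
2001-09-11 15:56:00 200.176.2.85 192.0.2.10 TCP 1041 25 Allow-SMTP 192.0.2.10
2001-09-11 15:56:01 198.51.100.7 192.0.2.10 TCP 3300 80 BLOCKED 192.0.2.10
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line; only #Fields matters for parsing.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header: %r" % line)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        entries.append(dict(zip(fields, values)))
    return entries


def entry_time_utc(entry):
    """Timestamp of a log entry; the log is assumed to be written in GMT."""
    stamp = datetime.strptime(entry["date"] + " " + entry["time"], TIME_FORMAT)
    return stamp.replace(tzinfo=timezone.utc)


def find_alert_entries(entries, source_ip, alert_local, utc_offset_hours, window_seconds=120):
    """Entries from source_ip within window_seconds of the alert.

    alert_local is the alert's local timestamp as 'YYYY-MM-DD HH:MM:SS';
    utc_offset_hours is the server's offset from GMT (Brazil: -3), so
    GMT = local - offset.
    """
    local = datetime.strptime(alert_local, TIME_FORMAT)
    alert_utc = (local - timedelta(hours=utc_offset_hours)).replace(tzinfo=timezone.utc)
    window = timedelta(seconds=window_seconds)
    return [
        e for e in entries
        if e["source-ip"] == source_ip and abs(entry_time_utc(e) - alert_utc) <= window
    ]


def summarize(entries):
    """Count blocked vs. passed packets and list the blocked destination ports."""
    blocked = [e for e in entries if e["filter-rule"].upper() == "BLOCKED"]
    ports = {int(e["param#2"]) for e in blocked if e["protocol"] in ("TCP", "UDP")}
    return {
        "total": len(entries),
        "blocked": len(blocked),
        "passed": len(entries) - len(blocked),
        "blocked_ports": sorted(ports),
    }


if __name__ == "__main__":
    hits = find_alert_entries(parse_w3c(SAMPLE_LOG), "200.176.2.85", "2001-09-11 12:56:00", -3)
    for e in hits:
        print(e["date"], e["time"], e["protocol"], e["param#2"], e["filter-rule"])
    print(summarize(hits))
```

On the constructed log the script reports two BLOCKED probes (ports 21 and 23) and one packet passed by an SMTP rule, which is the distinction Jim draws: the blocked entries got no response at all, while the SMTP packet reached the mail publishing rule because mail is deliberately let through. Point it at a real IPEXT log by reading the file in place of SAMPLE_LOG and confirm the #Fields header matches before trusting the column names.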