That depends on the severity of the "attack".
Sometimes, an "all port scan" might be nothing more than a string of "late" packets.
Examine the IP...log for the time (GMT, remember) when the alert is thrown.
I believe you'll find that most "alerts" are spurious.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Bentley, Todd" <bentley@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, February 26, 2002 06:41
Subject: [isalist] ISA Server detected an all port scan attack from Internet Protocol (IP) address xx.xx.xx.xx?

http://www.ISAserver.org

It seems my ISA Server is doing its job detecting and blocking these scans, but now what? Is there some way I can let this address know we are on to him? Is there a watchdog service I could report it to? Any suggestions on what I can do beyond discarding the attack?

Thanks in advance,

Todd L. Bentley
MCSE
Rupert Technologies
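
The check suggested in the reply above (look at the packet log around the alert time, in GMT, and see whether the "scan" is really a string of late packets), as an added example that is not part of the original thread. The log layout, addresses, times and the `min_ports` threshold are constructed assumptions, not ISA Server's real log format or settings.

```python
from datetime import datetime, timedelta

# Constructed sample in a simplified layout (an assumption, not ISA Server's
# real log format): date time(GMT) action src_ip src_port dst_ip dst_port
SAMPLE_LOG = "\n".join([
    "2002-02-26 11:38:02 ALLOW 192.0.2.1 1045 203.0.113.10 80",
    "2002-02-26 11:38:03 ALLOW 192.0.2.1 1046 203.0.113.10 80",
    "2002-02-26 11:38:04 ALLOW 192.0.2.1 1047 203.0.113.10 80",
    "2002-02-26 11:40:10 BLOCK 203.0.113.10 80 192.0.2.1 1045",
    "2002-02-26 11:40:10 BLOCK 203.0.113.10 80 192.0.2.1 1046",
    "2002-02-26 11:40:11 BLOCK 203.0.113.10 80 192.0.2.1 1047",
] + [f"2002-02-26 11:41:{p} BLOCK 198.51.100.7 40000 192.0.2.1 {p}"
     for p in range(20, 32)])

def parse(log):
    """Yield (timestamp, action, src_ip, src_port, dst_ip, dst_port) per line."""
    for line in log.splitlines():
        day, clock, action, sip, sport, dip, dport = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        yield ts, action, sip, int(sport), dip, int(dport)

def triage(log, alert_ip, alert_time, window=timedelta(minutes=5), min_ports=10):
    """Classify blocked packets from alert_ip within `window` of alert_time (GMT)."""
    opened = set()   # (remote_ip, remote_port, local_port) of flows we started
    late = 0         # blocked packets that answer one of those flows
    probed = set()   # destination ports hit with no matching outbound flow
    for ts, action, sip, sport, dip, dport in sorted(parse(log)):
        if action == "ALLOW":
            # Assumption: ALLOW lines in this sample are outbound connections.
            opened.add((dip, dport, sport))
        elif sip == alert_ip and abs(ts - alert_time) <= window:
            if (sip, sport, dport) in opened:
                late += 1            # reply arriving after the flow was closed
            else:
                probed.add(dport)    # nothing on our side asked for this
    if len(probed) >= min_ports:
        verdict = "scan"
    elif late and not probed:
        verdict = "late-replies"
    else:
        verdict = "inconclusive"
    return {"late": late, "probed_ports": len(probed), "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "203.0.113.10", datetime(2002, 2, 26, 11, 40, 10)))
    print(triage(SAMPLE_LOG, "198.51.100.7", datetime(2002, 2, 26, 11, 41, 25)))
```
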