Thanks. Checked and in fact did have a space in the path. Put quotes around it and am now waiting to be attacked again to see if it works :-)

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 27, 2002 12:30 PM
To: ISA Server Discussion List
Subject: [isalist] RE: Intruder is external nic

http://www.ISAserver.org

Hi Larry,

Check this out:

==============================
Hello,

As luck would have it, I just fixed this same problem yesterday. First off, the .vbs script should be run under the local system account. Next, you have 2 choices:

1) place double quotes around the folder path to the script in the intrusion detected alert, or
2) place the .vbs script in a folder path that doesn't have any spaces.

If you notice from the second error message, it is trying to execute a DOS command pointing to a folder path with spaces. This will not work in DOS without quotes surrounding the entire path. It took me a while to figure this out. The script works like a champ though now. Hope this works for you!

Josh
===================================

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

-----Original Message-----
From: Larry Lentz [mailto:Larry@xxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 27, 2002 12:26 PM
To: [ISAserver.org Discussion List]
Cc: Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: [isalist] RE: Intruder is external nic

Amy,

What I do when I have an intrusion like that is immediately create an IP packet filter to totally block the offending IP address. I've found this to be effective.

If you want to see where the attack is coming from, try looking up the IP address at www.samspade.org/t/

There is a script available on the ISA Toolzz web site that supposedly automatically creates a blocking packet filter, but I haven't been able to get it to work.

Larry

----------------------------------------------
Larry Lentz, MCSE+I, MCDBA
MCSE on Windows 2000
GoldMine Certified Professional
Lentz Computer Services
GoldMine Solutions Partner
San Antonio, Texas
Larry@xxxxxxxxxxxxxxxxx
For networking that makes sense, Count on Lentz!
----------------------------------------------

-----Original Message-----
From: Amy Babinchak [mailto:Amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, November 26, 2002 6:09 PM
To: ISA Server Discussion List
Subject: [isalist] Intruder is external nic

I'm getting intrusion detection alerts for port scan and the IP address listed is the ISA external NIC. I'm not sure where to begin troubleshooting this. Suggestions?

Amy Babinchak
Technology Consultant

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: larry@xxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')