Inline...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: Kirk Poser
To: [ISAserver.org Discussion List]
Sent: Monday, September 03, 2001 7:13 PM
Subject: [isalist] Intrusion detection

http://www.ISAserver.org

Evening Group,

My questions are: I am getting 4 to 6 alerts each day of someone doing some all port scans on my system. My thoughts that need everyone's expert opinion on are:

1. Is there something I should be looking for to confirm ISA is doing its job? I do see packets being dropped, so I am assuming it is. I know this is probably a silly question, but how do I know? What else do I look for? (Tom's book is great by the way, but it doesn't address what to do in an attack situation)

- ISA's log entries are the only indicator you have. If ISA tells you that it dropped a packet, then it did.

2. Are there any programs out there that will let me trace where these attacks are coming from? The IP addresses are 192.xxx.xxx.xxx (internals). Can I trace it back and send them a warning message? (Reverse hack?)

- If the source IP addresses are really 192.168.x.x, 172.16.x.x - 172.31.x.x, or 10.x.x.x, then there's no way for you to "reverse-anything" them. These addresses are truly bogus and your ISP router should be dumping them.

3. If someone is doing a port scan, when ISA alerts me, what is the next usual recommended course of action? Are these scans harmless if ISA drops their packets?

- If the source IP addresses are routable (not as listed above), then you can find out who owns the IP block and get them to help you track down the culprit. I've used that method very often and the netblock owners are usually more than happy to help you. Use http://www.arin.net/whois/index.html to help you sort this out.

- Generally, if ISA dumps the packet, it's a non-issue as far as damage control is concerned.

Thanks for your assistance!
Kapt Kirk
MCP, MSS, CIWSS, A+
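The triage Jim describes (private source addresses cannot be traced and should be filtered upstream; routable ones can be looked up at the registry) can be applied to the dropped-packet log mechanically. The following is an added example, not code from the thread or from ISA Server; it assumes a simplified, constructed "date time src dst action" log layout rather than ISA's real log format, and it also shows that a "192.x" address is only untraceable when it falls inside 192.168.0.0/16.

```python
import ipaddress
from collections import Counter

# The three RFC 1918 blocks Jim lists; a packet arriving from the Internet
# side with one of these as its source is spoofed and cannot be traced back.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def is_rfc1918(ip: str) -> bool:
    """True only for the private ranges above, not for every 192.x address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def triage(log_lines):
    """Split dropped-packet sources into 'spoofed' (private source: ask the
    ISP to filter, nothing to whois) and 'routable' (look up the netblock
    owner). Returns two Counters of drops per source address."""
    spoofed, routable = Counter(), Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5 or fields[4] != "DROP":
            continue  # only packets the firewall dropped are of interest
        src = fields[2]
        (spoofed if is_rfc1918(src) else routable)[src] += 1
    return spoofed, routable

# Constructed sample lines (hypothetical layout, not real ISA output).
SAMPLE_LOG = [
    "2001-09-03 19:01:02 192.168.77.5 203.0.113.10 DROP",
    "2001-09-03 19:01:03 192.168.77.5 203.0.113.10 DROP",
    "2001-09-03 19:02:10 10.9.8.7 203.0.113.10 DROP",
    "2001-09-03 19:03:55 192.0.2.44 203.0.113.10 DROP",    # 192.x but outside 192.168/16
    "2001-09-03 19:04:00 198.51.100.23 203.0.113.10 ALLOW",  # not dropped, ignored
]

if __name__ == "__main__":
    spoofed, routable = triage(SAMPLE_LOG)
    for ip, n in spoofed.items():
        print(f"{ip}: {n} drops, private source - ask the ISP to filter it")
    for ip, n in routable.items():
        print(f"{ip}: {n} drops, routable - whois the netblock owner")
```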