I'm actually parsing the unknown items from the logs now and placing them into a holding area that can be used to apply the filters you're looking to do. One thing I'm working on is a web filter to pass in the IP address of the true client, because web publishing loses that important information. Just having memory problems and making sure the cache does not get corrupted. Also, performance with filters is very critical and I'm wondering if an application process might be much better at processing filters. I'll tackle that next. Just need to get my function finished and then thoroughly tested. I would not want anyone's machine getting slower or crashing because of a filter that I've written!

But, with your processes I would think that real time is good; however, you can accomplish the same thing nightly. I've noticed from my logs that the same sites (worm) hit every day. So, I just build the rules up from what I import from my ISA logs. All worms I ban for life!

Joseph

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, February 19, 2002 12:50 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Packet Filtering on non-default external IP Address

http://www.ISAserver.org

That's quite an ambitious undertaking!
If I can help with testing (my present profession), feel free to holler.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message -----
From: "Max" <max.bene@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, February 19, 2002 06:45
Subject: [isalist] Re: Packet Filtering on non-default external IP Address

Hi Jim,

There's not a special need...
I've thought it would be great for my work to extend some capabilities of ISA server, for example blocking an IP address for a certain time after a Port Scan (just like Firewall-One for example does), or to automatically block traffic with people who try something like:

http://www.worm.com/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNnn...

or

http://.../scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

or blocking access to the SMTP relayer to those clients who tried a spam... or enhance the log capabilities building a Web based application in order to get a real-time monitoring of traffic...

I'm trying to build a full-integrated firewall solution with ISA SDK, MS Platform SDK and a Web Application for my customers, as I have to remotely support and check their arrays...

You're right, for Web worms I use a "deny" Web Publishing rule for All Internal Destination Sets, populating a client address set with those IP addresses... I've thought it would be more appropriate...

If you have any suggestion I'd really appreciate it...

Thanks again
Max

> It's pretty much a guarantee that any additional decision-making you apply
> to any proxy/firewall will affect performance.
> I'd also be careful auto-blocking; sometimes a client address set is more
> appropriate than a packet filter.
> Also, since ISA recognizes many of the more common intrusion attacks and
> blocks them by default, what is it you're adding?
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/authors/harrison/
> Read the books!
>
> ----- Original Message -----
> From: "Max" <max.bene@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, February 19, 2002 00:55
> Subject: [isalist] Re: Packet Filtering on non-default external IP Address
>
> Thanx Jim.
> I'm trying to develop some additional features on ISA, for example
> Auto-Blocking Spammers, Intruders and Worm attacks on Web Proxy...
> This means that I have to create a Packet Filter for each Intruder IP on
> each External IP Address of each Server of the Array...
>
> Can this affect server performance, as each packet has to be checked with
> all the filter conditions before being allowed to pass?
>
> Thanks Again
> Max
>
> > Nope; packet filtering is IP-specific on the external NIC.
> >
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/authors/harrison/
> > Read the books!
> >
> > ----- Original Message -----
> > From: "Max" <max.bene@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Monday, February 18, 2002 02:52
> > Subject: [isalist] Packet Filtering on non-default external IP Address
> >
> > Hi all,
> > I'm getting some trouble with packet filters...
> > My ISA has 4 IP Addresses on the external interface, and I've found out
> > that blocking traffic with packet filters on non-default IP addresses
> > requires filling the "This ISA Server's external IP Address" field on the
> > "Local Computer" Tab...
> > Is there any way to block traffic on all external IP addresses?
> >
> > PS: I've tried with the "These computers (on the perimeter network)..."
> > option but it doesn't seem to work...
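Added example, not part of the original thread and not ISA Server or ISA SDK code: a nightly pass over proxy logs that matches the two request shapes quoted above and builds a time-limited client address set, skipping allowlisted addresses. The log layout, block duration, allowlist and all addresses are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Signatures derived from the two request shapes quoted in the thread.
SIGNATURES = {
    "ida-overflow": re.compile(r"/default\.ida\?N{20,}", re.I),
    "unicode-traversal": re.compile(r"\.\.%c[01]%[0-9a-f]{2}\.\./.*cmd\.exe", re.I),
}
BLOCK_FOR = timedelta(hours=24)   # assumed block duration
ALLOWLIST = {"192.0.2.10"}        # assumed: addresses that are never auto-blocked

# Constructed sample lines in a simplified "date time c-ip cs-uri" layout.
SAMPLE_LOG = """\
2002-02-19 06:01:12 198.51.100.7 /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN
2002-02-19 06:02:40 203.0.113.44 /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
2002-02-19 06:03:05 198.51.100.23 /index.html
2002-02-19 06:04:59 192.0.2.10 /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN
2002-02-19 09:30:00 198.51.100.7 /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN
"""

def classify(uri):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(uri):
            return name
    return None

def build_block_set(log_text, allowlist=ALLOWLIST, block_for=BLOCK_FOR):
    """Map client IP -> (signature, block expiry); a later hit extends the block."""
    blocked = {}
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or line.startswith("#"):
            continue  # skip malformed lines and log header comments
        date, time, client_ip, uri = parts
        reason = classify(uri)
        if reason is None or client_ip in allowlist:
            continue  # clean request, or a client we must not auto-block
        seen = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        blocked[client_ip] = (reason, seen + block_for)
    return blocked

def active_blocks(blocked, now):
    """Client addresses whose block has not yet expired at `now`."""
    return sorted(ip for ip, (_, expiry) in blocked.items() if expiry > now)

if __name__ == "__main__":
    blocks = build_block_set(SAMPLE_LOG)
    print(active_blocks(blocks, datetime(2002, 2, 20, 7, 0, 0)))
```

The resulting address list is what would be loaded into a client address set for a deny rule, the approach preferred in the thread over one packet filter per address.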