RE: Port Scans

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 17 Mar 2005 21:27:53 -0800

You broke your firewall client application settings.
There should be *NO* entries in your firewall log from svchost.exe.

Go to "Configuration, General, Define Firewall Client Settings,
Application Settings".
There should be two "svchost" entries:
Disable = 1
DisableEx = 1

If you don't find any, create them.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Wednesday, March 16, 2005 7:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Port Scans

http://www.ISAserver.org


Here is the last one I got...

Alert:

ISA Server detected an all port scan attack from Internet Protocol (IP)
address 10.6.8.126.

Looked in Firewall Log, only 4 entries at that time:

Original Client IP      Client Agent      Authenticated Client
Service     Server Name      Referring Server  Destination Host Name
Transport   MIME Type   Object Source      Source Proxy      Destination
Proxy Bidirectional     Client Host Name  Filter Information Network
Interface Raw IP Header     Raw Payload Source Port Processing Time
Bytes Sent  Bytes Received    Result Code HTTP Status Code  Cache
Information Error Information Log Record Type   Log Time    Destination
IP    Destination Port  Protocol      Action      Rule  Client IP
Client Username   Source Network    Destination Network      HTTP Method
URL

10.6.8.126  -                 GATEWAY           -     TCP
-     -           -            -     -     -     1236  13499984    3339
2222  0x0         0x0   0x0   Firewall      3/15/2005 11:34:18 AM
10.6.254.90 1745  Unidentified IP Traffic Connection Status -
10.6.8.126  -     Internal - WAN Network  Local Host        

10.6.8.126  -                 GATEWAY           -     TCP
-     -           -            -     -     -     1283  13499921    4630
3274  0x0         0x0   0x0   Firewall      3/15/2005 11:34:58 AM
10.6.254.90 1745  Unidentified IP Traffic Connection Status -
10.6.8.126  -     Internal - WAN Network  Local Host        

10.6.8.126  svchost.exe:3:5.1             GATEWAY           -     UDP
-     -            -           -     -     -     68    0     0     0
0x0         0x0   0x0      Firewall    3/15/2005 11:34:58 AM   10.20.1.2
67    DHCP (request)    Initiated Connection  IntraNet All Protocol Rule
10.6.8.126  MAPSNET\C3052$    Internal - WAN Network     Internal - LAN
Network        

10.6.8.126  svchost.exe:3:5.1             GATEWAY           -     UDP
-     -            -           -     -     -     68    187   0     0
0x80074e20        0x0   0x0      Firewall    3/15/2005 11:34:58 AM
10.20.1.2   67    DHCP (request)    Closed Connection  IntraNet All
Protocol Rule    10.6.8.126  MAPSNET\C3052$    Internal - WAN Network
Internal - LAN Network        

 

 

The first two entries are Firewall Client connections, and the other two
are DHCP requests.

Which configurations would tell it not to log things?


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, March 16, 2005 10:03
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Port Scans

 

Hi Dan,

Could be. But there definitely should be something in the log reflecting
the event, unless you've configured some rules to not log certain
connections.

HTH,

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
