12209 is ISA's equivalent to the HTTP 407 - Proxy Authentication Required. Those requests are being denied by the Default Rule.

-Shawn

-----
Shawn R. Quillman
Robert Bosch Corporation
RBNA/CIT1.1
38000 Hills Tech Drive
Farmington Hills, MI 48331
(248) 553-1164 (P)
(248) 848-2855 (F)
shawn.quillman@xxxxxxxxxxxx

-----Original Message-----
From: Raji Arulambalam [mailto:rajia@xxxxxxxxxxxxxx]
Sent: Tuesday, January 21, 2003 2:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Rules - Why does this not work

http://www.ISAserver.org

Hi Tom

Not sure what it means exactly, but I know the request was blocked by ISA. Is there a document that has all these various return codes and their meanings?

BTW I have your second book and am reading thru your defense plan 4 now. Want to set TSAC.

Cheers
---------------------------------------------
Raji Arulambalam
Systems Administrator
Environment Bay of Plenty
P O Box 364
Whakatane. NEW ZEALAND

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, January 21, 2003 7:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Rules - Why does this not work

Hi Raji,

What does that 12209 mean to you? ;-)

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

-----Original Message-----
From: Raji Arulambalam [mailto:rajia@xxxxxxxxxxxxxx]
Sent: Tuesday, January 21, 2003 12:21 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Rules - Why does this not work

Hi

Why does not this set of configuration stop these trojans instead of the default rule?

Site and Content Rule
Name : Stop Code Red
Description : Stop the Code Red
Enabled : True
Rule Applies to : Selected Destination Set
Destination Set Used : Stop Code Red
Access to the specified destinations : Denied
Rule Applies to : Any Request
Rule Applies to : All Content Types

Web Publishing Rule
Name : Code Red
Enabled : True
Rule Applies to : Selected Destination Set
Destination Set Used : Stop Code Red
Action : Discard the request
Redirect HTTP requests as : HTTP Requests
Redirect SSL requests as : SSL Requests
Require SSL for Published Site : False
Rule Applies to : Any Request

Destination Set
Name : Stop Code Red
DomainName: www
Path: /*

211.160.21.17 anonymous - N 2003-01-21 05:59:33 W3ReverseProxy CELERIS - www - - - 72 - - TCP GET http://www/scripts/root.exe?/c+dir - - 12209 0x0 Default rule -
211.160.21.17 anonymous - N 2003-01-21 05:59:38 W3ReverseProxy CELERIS - www - - - 70 - - TCP GET http://www/MSADC/root.exe?/c+dir - - 12209 0x0 Default rule -
211.160.21.17 anonymous - N 2003-01-21 05:59:40 W3ReverseProxy CELERIS - www - - - 80 - - TCP GET http://www/c/winnt/system32/cmd.exe?/c+dir - - 12209 0x0 Default rule -
211.160.21.17 anonymous - N 2003-01-21 05:59:42 W3ReverseProxy CELERIS - www - - - 80 - - TCP GET http://www/d/winnt/system32/cmd.exe?/c+dir - - 12209 0x0 Default rule -
24.27.90.89 anonymous - N 2003-01-21 06:01:06 W3ReverseProxy CELERIS - www - - - 72 - - TCP GET http://www/scripts/root.exe?/c+dir - - 12209 0x0 Default rule -
24.27.90.89 anonymous - N 2003-01-21 06:01:07 W3ReverseProxy CELERIS - www - - - 70 - - TCP GET http://www/MSADC/root.exe?/c+dir - - 12209 0x0 Default rule -
24.27.90.89 anonymous - N 2003-01-21 06:01:07 W3ReverseProxy CELERIS - www - - - 80 - - TCP GET http://www/c/winnt/system32/cmd.exe?/c+dir - - 12209 0x0 Default rule -
24.27.90.89 anonymous - N 2003-01-21 06:01:08 W3ReverseProxy CELERIS - www - - - 80 - - TCP GET http://www/d/winnt/system32/cmd.exe?/c+dir - - 12209 0x0 Default rule -
24.27.90.89 anonymous - N 2003-01-21 06:01:09 W3ReverseProxy CELERIS - www - - 15 96 - - TCP GET http://www/scripts/..%255c../winnt/system32/cmd.exe?/c+dir - - 12209 0x0 Default rule -
24.27.90.89 anonymous - N 2003-01-21 06:01:10 W3ReverseProxy CELERIS - www - - - 117 - - TCP GET http://www/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir - - 12209 0x0 Default rule -

---------------------------------------------
Raji Arulambalam
Systems Administrator
Environment Bay of Plenty
P O Box 364
Whakatane. NEW ZEALAND
--------------------------------------------
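
To check which rule handled each probe in an excerpt like the one posted in this thread, the entries can be tallied by rule name and result code, and the requested URLs decoded to expose the double-encoded `%255c` traversal. This is an added example, not part of the thread or of ISA Server. The field layout is inferred from the posted lines only, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: layout inferred from the excerpt in the thread, not from ISA docs.
# client, 3 fields, date+time, service, ..., operation, URL, 2 fields, code, cache, rule, 1 field
LINE_RE = re.compile(
    r"^(?P<client>\S+) \S+ \S+ \S+ "
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<service>\S+) .*? "
    r"(?P<op>GET|HEAD|POST) (?P<url>\S+) \S+ \S+ "
    r"(?P<code>\d+) 0x[0-9a-fA-F]+ (?P<rule>.+?) \S+$"
)

# Three entries copied from the log excerpt in the original post.
SAMPLE = [
    "211.160.21.17 anonymous - N 2003-01-21 05:59:33 W3ReverseProxy CELERIS - www - - - 72 - - TCP GET http://www/scripts/root.exe?/c+dir - - 12209 0x0 Default rule -",
    "24.27.90.89 anonymous - N 2003-01-21 06:01:07 W3ReverseProxy CELERIS - www - - - 80 - - TCP GET http://www/c/winnt/system32/cmd.exe?/c+dir - - 12209 0x0 Default rule -",
    "24.27.90.89 anonymous - N 2003-01-21 06:01:09 W3ReverseProxy CELERIS - www - - 15 96 - - TCP GET http://www/scripts/..%255c../winnt/system32/cmd.exe?/c+dir - - 12209 0x0 Default rule -",
]

def parse(line):
    """Return the named fields of one log entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def probe_tags(url):
    # Decode twice: %255c -> %5c -> "\" (a double-encoded backslash).
    decoded = unquote(unquote(url)).lower()
    tags = [name for name in ("root.exe", "cmd.exe") if name in decoded]
    if "%25" in url.lower() and ("..\\" in decoded or "../" in decoded):
        tags.append("double-encoded traversal")
    return tags

def summarize(lines):
    """Count hits per (rule, result code) and tagged probes per client."""
    by_rule = Counter()
    by_client = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip wrapped or truncated entries
        by_rule[(rec["rule"], rec["code"])] += 1
        if probe_tags(rec["url"]):
            by_client[rec["client"]] += 1
    return by_rule, by_client

if __name__ == "__main__":
    by_rule, by_client = summarize(SAMPLE)
    print(dict(by_rule))
    print(dict(by_client))
```

A tally that shows only `Default rule` confirms that the custom "Stop Code Red" rules never matched these requests.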