Actually, that's a question I've posed to the ISA team with little success; It seems that GHBx requests can use any rule pertaining to the client...? Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison/ Read the books! ----- Original Message ----- From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Friday, March 01, 2002 13:46 Subject: [isalist] Whacky Log file tricks http://www.ISAserver.org Hey guys, Here's a whacky log file finding: 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, 80, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9461 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9461 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9462 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:01, -, -, -, -, 216.33.240.253, 80, -, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9462 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9463 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:02, -, -, -, -, 216.33.240.253, 80, 10, 0, 0, 80, TCP, Connect, -, -, -, 0, -, All Open Users, -, 773, 9463 192.168.1.8, tomshinder, msimn.exe:3:5.1, -, 3/1/2002, 15:28:03, -, -, -, law8.oe.hotmail.com, 216.33.240.253, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, -, NNTP-TACTEAM, Allow Auth Users, 773, 0 The NNTP-TACTEAM rule is a Server Publishing Rule for a NNTP server on the internal network. The 192.168.1.8 is my workstation. Why would GHBN use inbound TCP 119? Log files are certainly fun! Tom www.isaserver.org/shinder ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')