Sorry to beat this dying horse, but what do you make of this, then?

10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87, 1030, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87, 1030, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1031, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1031, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1032, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1032, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:14, fwsrv, -, -, -, 209.214.157.87, 1033, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:14, fwsrv, -, -, -, 209.214.157.87, 1033, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:15, fwsrv, -, -, -, 209.214.157.87, 1034, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:15, fwsrv, -, -, -, 209.214.157.87, 1034, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:16, fwsrv, -, -, -, 209.214.157.87, 1035, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:16, fwsrv, -, -, -, 209.214.157.87, 1035, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, March 11, 2002 3:05 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: can someone interpret this log entry?

http://www.ISAserver.org

Hi Jay,

Good point.
The "Accept" indicates that it's an incoming request. If you turn on Rule#1 and Rule#2, it'll make it a lot easier to analyze the logs.

HTH,
Tom

-----Original Message-----
From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx]
Sent: Monday, March 11, 2002 4:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: can someone interpret this log entry?

http://www.ISAserver.org

Tom,

So is there any way to tell if this is an SSL request being made by the internal server, or is this server responding to SSL requests?

-Jay

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, March 11, 2002 2:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: can someone interpret this log entry?

http://www.ISAserver.org

Hi Jay,

How is connecting to SSL port 443 considered a port scan?

Thanks!
Tom

-----Original Message-----
From: Jay J. Mobley [mailto:jmobley@xxxxxxxxxx]
Sent: Monday, March 11, 2002 4:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] can someone interpret this log entry?

http://www.ISAserver.org

So I got a message from our ISP today telling me that my server is hacked because they got a complaint from a user who said I am scanning his ports. Inferring from the time of day, and the ports that he said were scanned, I must assume the below are the firewall entries that correspond to this event, but before I go back to my ISP with what looks to me like routine HTTPS traffic I want to submit to y'all to see if you agree.

10.0.1.197, -, -, N, 3/10/2002, 19:21:30, fwsrv, -, -, -, 207.225.29.119, 1509, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 19:21:31, fwsrv, -, -, -, 207.225.29.119, 1510, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
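
Added example, not part of the original thread: a small Python triage of the quoted entries that groups them by remote address and compares the two port columns, which is the question the thread turns on. The column names and positions (PEER_IP, PEER_PORT, SERVICE_PORT) are assumptions made for this example, since the thread does not label the fields.

```python
from collections import defaultdict

# Positions in the 27-field entries quoted in the thread. The names are
# assumptions of this example; the thread does not label the columns.
PEER_IP, PEER_PORT, SERVICE_PORT = 10, 11, 15

# Entries copied from the thread (a subset of the lines posted).
SAMPLE = """\
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87, 1030, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:12, fwsrv, -, -, -, 209.214.157.87, 1030, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1031, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1031, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1032, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 20:29:13, fwsrv, -, -, -, 209.214.157.87, 1032, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 19:21:30, fwsrv, -, -, -, 207.225.29.119, 1509, -, -, 0, 443, TCP, Accept, -, -, -, 20000, -, -, -, -, -
10.0.1.197, -, -, N, 3/10/2002, 19:21:31, fwsrv, -, -, -, 207.225.29.119, 1510, -, -, 0, 443, TCP, Accept, -, -, -, 0, -, -, -, -, -
"""

def summarize(text):
    """Per remote address: entry count and distinct values in each port column."""
    peers = defaultdict(lambda: {"entries": 0, "service_ports": set(), "peer_ports": set()})
    for line in text.splitlines():
        f = [x.strip() for x in line.split(",")]
        # Skip anything that is not a complete entry with numeric ports.
        if len(f) != 27 or not (f[PEER_PORT].isdigit() and f[SERVICE_PORT].isdigit()):
            continue
        p = peers[f[PEER_IP]]
        p["entries"] += 1
        p["service_ports"].add(int(f[SERVICE_PORT]))
        p["peer_ports"].add(int(f[PEER_PORT]))
    return dict(peers)

def profile(s):
    """Describe the port pattern for one remote address."""
    ports = sorted(s["peer_ports"])
    return {
        # One value here means every entry involves the same service.
        "single_service_port": len(s["service_ports"]) == 1,
        # Ports climbing one at a time, as a client opening successive
        # connections from ephemeral ports would produce.
        "peer_ports_consecutive": ports == list(range(ports[0], ports[-1] + 1)),
        "entries_per_peer_port": s["entries"] / len(ports),
    }

if __name__ == "__main__":
    for peer, s in summarize(SAMPLE).items():
        print(peer, sorted(s["service_ports"]), sorted(s["peer_ports"]), profile(s))
```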