What I do is dump all the various event logs into *.csv form and then read them into tables that I've created, filtering out all but the items that refer to ISA. That way I have a source that I can run filters from, and then if I don't want something filtered I remove it from the tables as listed below. 15101 is one that I filter most for and then pick up the IP address and generate the XML or *.csv that will be used to feed my process that applies rules to ISA.

Event Log Names:
DbEvtApp - Application Events
DbEvtSec - Security Events
DbEvtSys - System Events
DbEvtDNS - DNS log file is created on your DNS machine

Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

http://www.ISAserver.org

Hi Brian,

Nor should you. Blocking addresses that scan you is like shooting at cars that drive past your home and look at your windows and front door. :-)

Be aware of the attempt, but you'll end up making a critical error sooner or later if you block addresses without putting some intelligence behind the block.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 1:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

I simply don't have time to add a new filter for each and every IP address that scans the firewall. Perhaps if it would allow you to create a list of them you could update...but creating a single packet filter for every scan I've gotten would take me hours.

-----Original Message-----
From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 2:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

Personally, I figure that a port scan on my site is someone up to no good, and I ban the IP address (inbound). If the IP address is resolvable and I can contact the owner, I will attempt to do so. If the owner takes appropriate action (to my liking), I remove the packet filter.

Lately I seem to be getting a couple of scans per week. Perhaps I should ban all incoming traffic! :-) :-) :-)

Mark
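
Added example, not part of the thread and not any poster's own code: a Python sketch of the workflow in the first message (read a CSV export of the event log, keep event 15101, pull out the source IP address, write a CSV), with an allow list and a repeat threshold so the output is a review list rather than an automatic block. The column names, the message wording, the sample rows and the function names are all constructed assumptions.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample export; the column names and message wording are
# assumptions, not a documented ISA Server or Event Viewer format.
SAMPLE_CSV = """TimeGenerated,Source,EventID,Message
2003-08-19 09:14:02,Microsoft Firewall,15101,Port scan detected from IP address 203.0.113.7.
2003-08-19 09:20:41,Microsoft Firewall,15101,Port scan detected from IP address 203.0.113.7.
2003-08-19 10:02:13,Microsoft Firewall,15101,Port scan detected from IP address 198.51.100.23.
2003-08-19 10:05:55,Microsoft Firewall,15101,Port scan detected from IP address 192.0.2.10.
2003-08-19 10:06:01,Microsoft Firewall,15101,Port scan detected from IP address 192.0.2.10.
2003-08-19 10:30:00,Microsoft Firewall,14127,Service started.
2003-08-19 11:00:00,Microsoft Firewall,15101,Port scan detected from IP address 999.1.1.1.
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_candidates(csv_text, event_id="15101", allow=(), min_events=2):
    """Return [(ip, count)] for sources seen in >= min_events matching rows."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"].strip() != event_id:
            continue
        for text in IPV4_RE.findall(row["Message"]):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. 999.1.1.1: looks like an address, is not one
            if any(ip in net for net in allowed):
                continue  # never propose a block for partner or own ranges
            counts[str(ip)] += 1
    hits = [(ip, n) for ip, n in counts.items() if n >= min_events]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

def to_review_csv(candidates):
    """Render the candidates as CSV for a person to review before any rule."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "events"])
    writer.writerows(candidates)
    return out.getvalue()

if __name__ == "__main__":
    print(to_review_csv(scan_candidates(SAMPLE_CSV, allow=["192.0.2.0/24"])))
```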