RE: port scan detected

  • From: "cismic" <cismic@xxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 19 Aug 2003 12:20:39 -0700

What I do is dump all the various event logs into *.csv form and then
read them into tables that I've created, filtering out all but the items
that refer to ISA. That way I have a source that I can run filters from,
and then if I don't want something filtered I remove it from the tables
as listed below. 15101 is one that I filter most for, and then pick up
the IP address and generate the XML or *.csv that will be used to feed
my process that applies rules to ISA.

Event Log Names: 
DbEvtApp - Application Events 
DbEvtSec - Security Events 
DbEvtSys - System Events 
DbEvtDNS - DNS log file is created on your DNS machine

Joseph

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, August 19, 2003 11:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected


http://www.ISAserver.org


Hi Brian,
 
Nor should you. Blocking addresses that scan you is like shooting at
cars that drive past your home and look at your windows and front door.
:-) Be aware of the attempt, but you'll end up making a critical error
sooner or later if you block addresses without putting some intelligence
behind the block.
 
HTH,
Tom
 
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

        -----Original Message-----
        From: Rogers, Brian [mailto:RogersB@xxxxxxxxxxxxxx] 
        Sent: Tuesday, August 19, 2003 1:23 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: port scan detected
        
        
        
        

        I simply don't have time to add a new filter for each and every
        IP address that scans the firewall.

        Perhaps if it would allow you to create a list of them you could
        update...but creating a single packet filter for every scan I've gotten
        would take me hours.

         

         

        -----Original Message-----
        From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] 
        Sent: Tuesday, August 19, 2003 2:10 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: port scan detected

         


        Personally, I figure that a port scan on my site is someone up
        to no good, and I ban the IP address (inbound). If the IP address is
        resolvable and I can contact the owner, I will attempt to do so. If the
        owner takes appropriate action (to my liking), I remove the packet
        filter. Lately I seem to be getting a couple of scans per week. Perhaps
        I should ban all incoming traffic! :-) :-) :-)

         

        Mark
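
The workflow described in the top message of this thread (export the event logs to CSV, keep the ISA events, pull the address out of event 15101, write a feed file), as an added example that is not code from any poster. The column names, the "ISA-Firewall" source label, the description wording, the sample rows, the repeat threshold and the never-block list are all assumptions made for illustration.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample export. Column names, the "ISA-Firewall" source label and
# the description wording are assumptions, not real ISA Server output.
SAMPLE_CSV = """Date,Source,EventID,Description
2003-08-19 11:02:11,ISA-Firewall,15101,Port scan detected from 203.0.113.7
2003-08-19 11:05:40,ISA-Firewall,15101,Port scan detected from 203.0.113.7
2003-08-19 11:09:02,ISA-Firewall,15101,Port scan detected from 203.0.113.7
2003-08-19 11:15:27,ISA-Firewall,15101,Port scan detected from 192.0.2.10
2003-08-19 11:20:00,ISA-Firewall,15101,Port scan detected from 198.51.100.25
2003-08-19 11:21:00,ISA-Firewall,15101,Port scan detected from 198.51.100.25
2003-08-19 11:30:00,DNS,2,198.51.100.99 lookup failed
2003-08-19 11:31:00,ISA-Firewall,14000,Service started
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_sources(csv_text, event_id="15101", source_hint="ISA"):
    """Count addresses named in matching events from ISA-related sources."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if source_hint not in row["Source"] or row["EventID"] != event_id:
            continue
        for token in IPV4.findall(row["Description"]):
            try:
                counts[str(ipaddress.ip_address(token))] += 1
            except ValueError:
                pass  # looked like an address but is not one, e.g. 999.1.1.1
    return counts

def block_candidates(counts, never_block, min_events=2):
    """Keep addresses seen at least min_events times and outside never_block."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    keep = []
    for ip, seen in counts.items():
        addr = ipaddress.ip_address(ip)
        if seen >= min_events and not any(addr in net for net in protected):
            keep.append((ip, seen))
    return sorted(keep, key=lambda item: (-item[1], item[0]))

def to_feed_csv(candidates):
    """Render the candidate list as CSV for whatever process applies the rules."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "events"])
    writer.writerows(candidates)
    return out.getvalue()
```

The never-block list and repeat threshold are one way to put a check between the log and the rule set, so a single event or an address in a range you depend on never reaches the feed file unreviewed.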
