Port Scan Warnings from ISA
From: John B (john.baccellieri_at_texstyleco.com)
Date: 07/19/04
Date: Mon, 19 Jul 2004 10:45:54 -0500
About 1 week ago I began receiving warning emails from ISA with the
following text:
"ISA Server name: OURSERVER
ISA Server detected a well-known port scan attack from Internet Protocol
(IP) address 192.168.1.2. A well-known port is any port in the range of
1-2048. For more information about this event, see ISA Server Help."
CONFIGURATION
The total # of warnings has been less than 15, but they group 2 or 3 within
a couple of hours. Our ISA setup is vanilla, right out of the smallbiz
whitepapers (NAT router in front, 2 NICs, no custom ISA filters, rules,
protocols, etc.). SAV Enterprise up-to-date across network, all clients
fully patched, server will be this wknd.
QUESTION
How do I go about researching these "attacks"? I looked at FWS, IPP, and
WEB logs, but nothing sticks out. Is there a good way to see what activity
is triggering ISA to alert? Second question, is the alert telling me that
ISA has successfully 'defended' the network from this port scan attack?
Thanks, John B