Re: Block Attacker showing wierd name - not just IP...
From: Jim Harrison [MSFT] (jmharr_at_online.microsoft.com)
Date: 03/02/04
- Next message: glen: "The page cannot be displayed"
- Previous message: darthbaggins: "Re: Block Attacker showing wierd name - not just IP..."
- In reply to: darthbaggins: "Re: Block Attacker showing wierd name - not just IP..."
- Next in thread: darthbaggins: "Re: Block Attacker showing wierd name - not just IP..."
- Reply: darthbaggins: "Re: Block Attacker showing wierd name - not just IP..."
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 2 Mar 2004 11:34:22 -0800
Since you have a single-server scenario, it's because the script is trying to create filters that already exist.
--
Jim Harrison [ISASE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.

"darthbaggins" <spam?@nothanks.com> wrote in message news:OxKcCKIAEHA.2480@TK2MSFTNGP12.phx.gbl...
> Jim:
>
> Thanks for the reply. Does your initial comment still apply even if it's a single-server network running ISA as part of SBS2000 (dual-NIC configuration)?
>
> That's quite an article and it's more helpful than you realize. This whole thing is due to an odd event that happened last week. Initially it was thought to have been specifically virus related but we're still not sure. All the users know is that server access was sluggish then ground to a halt over a period of an hour and, during the hour it sat idle, the users could access no server resources - including the internet. There were 0 log entries until I had rebooted the box but the last 'telling' entries were reported ISA attacks that related to the IP address that had multiple records with weird names.
>
> The box came back up fine. I double checked that all the patches were there - it was squeaky clean according to Shavlik. I'm still searching for other clues.
>
> db
>
> "Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message news:OpfctQHAEHA.2072@TK2MSFTNGP11.phx.gbl...
> > It means you have the script running on more than one ISA in an array and both instances of the script are trying to create identical packet filters.
> > This is yet another example of why using this script as a "think for me" mechanism is a bad idea.
> > Think about it:
> > 1 - the script is fired from an "intrusion detected" alert action
> > 2 - if the alert fired, ISA already blocked the traffic
> >
> > Since ISA is already blocking the traffic it deems "invasive", adding a PF to block what was already blocked only adds rule processing time to ISA default behavior.
> >
> > Solution:
> > 1 - ditch the script
> > 2 - delete the PF it created
> > 3 - start using a log analysis tool to see what's really an "attack" and what isn't. Mark Burnett has a good article on how you can do that here:
> > http://www.securityfocus.com/infocus/1712
> >
> > --
> > Jim Harrison [ISASE]
> > Read the help, books and articles!
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > "darthbaggins" <spam?@nothanks.com> wrote in message news:OqVa2dFAEHA.692@TK2MSFTNGP11.phx.gbl...
> > > What does it mean when, instead of just an IP address, block attacker displays the IP address followed by hex codes in the following pattern:
> > > {11A1A1A1-1111-1A11-11AA-1AA1AA1AA11A} ?
> > >
> > > I noted this all relative to a single IP but with about 20 or so different variations on the same code. The name is the only thing that changes, the actual IP under the properties is still the same.
> > >
> > > Thanks in advance.