
Welcome to ISAserver.org


How can I analyse an all port scan attack

How can I analyse an all port scan attack - 11.Mar.2006 11:10:01 AM   
meister

 

Posts: 7
Joined: 2.Nov.2005
Status: offline
Hi everybody!

After being confronted with some intrusions I wonder how to get more information about them.

The "Alerts" tab in the container "Monitoring" shows some intrusions. In my case the description says: "ISA Server detected an all port scan attack from Internet Protocol (IP) address xxx.xxx.xxx.xxx"

I can configure how many well-known ports (1 - 2048) and how many ports (don't know if it means all ports or all ports except well-known ports) must be scanned to be considered as an attack, and I can configure two specific Alerts, "All port scan attack" and "Well-known port scan attack", which will send me a mail or make an entry in the eventlog or whatever.

How can I know how many ports were scanned? How can I know which ports were scanned?
How can I export the "Alerts" Tab including the description?

Thanx in advance!

p.s.: The MSDEToText Tool for Internet Security and Acceleration (ISA) Server 2004 does not help because the intrusion detection won't be logged in the MSDE database :(
Post #: 1
RE: How can I analyse an all port scan attack - 17.Mar.2006 4:47:59 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Meister,

You can correlate the IP address and time in the Event logged with the entries in the ISA firewall's log files. Personally, I ignore port scans. Unless you're an experienced analyst, they're not much use to you.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to meister)
Post #: 2
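
One way to do the correlation suggested in the reply above, added here as an example that is not part of the original thread: take the IP address and time from the alert and list the distinct destination ports that address touched in the firewall log around that time. The tab-separated layout with a `#Fields:` header, the column names, the sample rows and the five-minute window are assumptions for illustration; match them to the log format you actually export.

```python
from datetime import datetime, timedelta

# Constructed sample data. The tab-separated layout, the "#Fields:" header and
# the column names are assumptions for this example; adjust to your own log.
SAMPLE_LOG = (
    "#Fields: date\ttime\tIP protocol\tsource\tdestination\taction\n"
    "2006-03-11\t09:05:12\tTCP\t203.0.113.7:40001\t192.0.2.10:445\tDenied\n"
    "2006-03-11\t10:09:40\tTCP\t198.51.100.4:51000\t192.0.2.10:25\tAllowed\n"
    "2006-03-11\t10:09:55\tTCP\t203.0.113.7:40110\t192.0.2.10:21\tDenied\n"
    "2006-03-11\t10:09:56\tTCP\t203.0.113.7:40111\t192.0.2.10:22\tDenied\n"
    "2006-03-11\t10:09:57\tTCP\t203.0.113.7:40112\t192.0.2.10:80\tDenied\n"
    "2006-03-11\t10:09:58\tTCP\t203.0.113.7:40113\t192.0.2.10:80\tDenied\n"
    "2006-03-11\t10:09:59\tTCP\t203.0.113.7:40114\t192.0.2.10:3389\tDenied\n"
    "2006-03-11\t10:10:00\tTCP\t203.0.113.7:40115\t192.0.2.10:8080\tDenied\n"
)
ALERT_TIME = datetime(2006, 3, 11, 10, 10, 1)  # constructed alert timestamp

def scanned_ports(log_text, source_ip, alert_time, window=timedelta(minutes=5)):
    """Return sorted distinct destination ports source_ip hit near alert_time."""
    fields, ports = [], set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split("\t")))
        try:
            when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            src_ip, _, _ = row["source"].rpartition(":")
            _, _, dst_port = row["destination"].rpartition(":")
            port = int(dst_port)
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete rows
        if src_ip == source_ip and abs(when - alert_time) <= window:
            ports.add(port)
    return sorted(ports)

def summarize(ports, well_known_max=2048):
    """Split the count using the 1-2048 well-known range named in the post."""
    well_known = [p for p in ports if 1 <= p <= well_known_max]
    return {"total": len(ports), "well_known": len(well_known),
            "other": len(ports) - len(well_known)}

if __name__ == "__main__":
    found = scanned_ports(SAMPLE_LOG, "203.0.113.7", ALERT_TIME)
    print(found, summarize(found))
```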
