Detect port scan

TheMSsForum.com: The Microsoft Software Forum

Hi,
I've just been checking in a spare moment (rare) and doing
a port scan of my server from the outside. I can see in
the ISA logs that ISA is blocking all the probes, but I
thought I had set ISA to report such a port scan to me
through email and the event log, but this is not happening.

What do I need to do to set this up? eg tp get emails
showing a port scan has occurred.

Keith
Top

Re: Detect port scan by Tommy

Tommy
Wed Jul 30 10:27:18 CDT 2003

Are you meaning you want to configure alerts to send email to a specified
account if that particular alert is 'activated'
If so, then what port do you have your smtp service listening on? and if you
try to do a test email from within the alert configuration, what happens?

Tommy Addison

"keith" <one@one.com> wrote in message
news:0cdc01c356a4$a3db7640$a401280a@phx.gbl...
> Hi,
> I've just been checking in a spare moment (rare) and doing
> a port scan of my server from the outside. I can see in
> the ISA logs that ISA is blocking all the probes, but I
> thought I had set ISA to report such a port scan to me
> through email and the event log, but this is not happening.
>
> What do I need to do to set this up? eg tp get emails
> showing a port scan has occurred.
>
> Keith
>


Top

Re: Detect port scan by Tommy

Tommy
Wed Jul 30 15:32:42 CDT 2003

intrusion detection is what you want to select, this alert tells you about
the all-port scan attacks and email you when they happen, although
personally, I have this feature turned off.
My setup is that I have a lot of users using remote desktop from home into
work systems and it seems to pick this up as port scan attack.
Another thing it likes to report as a scan attack is the ip address of my
isp dns servers!! they dont know why and I truly dont either.
Way I see it, and I may be being naive here, is that if packet filters /
publishing rules are tied down correctly, nothing untoward will get in
anyways

so to sum up, I dont find that port scan attack alert relevant. i used to
end up trying to track down who it was, only to discover it was home users
etc...

sorry I cant be more help

if anyone else knows if I SHOULD be using this alert, please tell.

Tommy

"Keith" <one@one.com> wrote in message
news:008501c356c6$40eb6d70$a601280a@phx.gbl...
> Tommy,
> When I do a test email it works fine, eg I get the email.
> What I'm not clear on is which of the logging options in
> ISA should I set up to email me in the event of a port
> scan. I can see items such as "DNS Attack", "Intrusion
> Detection" on the ISA logging pages, but I cannot
> see "Port Scan attack" or anything I recognise as this.
>
> cheers
> Keith
>
>
> >-----Original Message-----
> >Are you meaning you want to configure alerts to send
> email to a specified
> >account if that particular alert is 'activated'
> >If so, then what port do you have your smtp service
> listening on? and if you
> >try to do a test email from within the alert
> configuration, what happens?
> >
> >Tommy Addison
> >
> >"keith" <one@one.com> wrote in message
> >news:0cdc01c356a4$a3db7640$a401280a@phx.gbl...
> >> Hi,
> >> I've just been checking in a spare moment (rare) and
> doing
> >> a port scan of my server from the outside. I can see in
> >> the ISA logs that ISA is blocking all the probes, but I
> >> thought I had set ISA to report such a port scan to me
> >> through email and the event log, but this is not
> happening.
> >>
> >> What do I need to do to set this up? eg tp get emails
> >> showing a port scan has occurred.
> >>
> >> Keith
> >>
> >
> >
> >.
> >


Top