Small Business Server Support Forum    
Subject: AllPort Scan attacks? Intrusion detection!
Angus Crampton Smith, Australia (registered user since 2/21/2006), posted 10/21/2006 12:09 AM
Dear All
 
On a regular basis I get the following messages from ISA.
 
Subject: ISA Server alert: An intrusion was attempted by an external user.
Message Body: ISA Server name: WHATEVER
ISA Server detected an all port scan attack from Internet Protocol (IP) address xxx.xxx.xxx.xxx
 
There is an associated Event Log report
 
Event Type:      Warning
Event Source:      Microsoft Firewall
Event Category:      Packet filter
Event ID:      15105
Date:            21/10/2006
Time:            07:36:12
User:            N/A
Computer:      WHATEVER
Description: ISA Server detected an all port scan attack from Internet Protocol (IP) address xxx.xxx.xxx.xxx.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
I get these regularly. They are from a small group of IP addresses and I am happy that it is not an actual attack.
I get the following each time my children log into Club Penguin (www.clubpenguin.com)
 
ISA Server detected an all port scan attack from Internet Protocol (IP) address 209.213.108.135.
 
This will also occur during the time they are playing. The IP address is registered in DNS as belonging to club penguin. I have also received a similar "attack" when they have played a certain game in Neopets and I have received it once when I did something with my online banker.
 
Each time a DNS lookup on the IP address has provided me with enough assurance that I am not being attacked.
 
I believe it has something to do with the sites attempting to find a free port to set up a connection to play the game or allow my connectivity to the site application. I also believe it is to do with the java apps they are using.
 
What I would like to know is how I tell ISA that if an intrusion "all port scan" is detected from certain IP addresses, then do not report. I do not want to turn off Intrusion Detection just to stop getting these false positives by email.
 
I have looked at the General config under Configuration, but here all I can do is turn off specific attack types.
 
I have looked at the alert definitions in Monitoring, but they allow me to set up the alerts should the event happen but not filter which IP addresses are allowed to "scan" me.
 
Is there a policy I can create that will let these selected IP addresses connect to my internal clients without causing a false positive?
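The thread's answer is that ISA Server itself offers no per-address exception for this alert, so any suppression has to happen downstream of ISA, over the events it has already written. The script below is an added example for this thread, not code from the forum, from ISA Server or from Microsoft. It assumes the 15105 events have been exported as tab-separated text with the fields date, time, event ID, computer and description (the field order is an assumption, not the Event Viewer's exact export layout), parses the source address out of the description wording shown in the post above, and decides per event whether to raise or suppress it against a CIDR allowlist. The allowlist entries and the sample log lines are constructed for illustration; the /24 is the TEST-NET-1 documentation range, and the placeholder event ID 9999 is not an ISA event.

```python
"""Allowlist filter for ISA Server 2004 "all port scan" alerts (event ID 15105).

Added example written for this thread; it is not code from the forum, from
ISA Server or from Microsoft. It assumes the events have been exported as
tab-separated text with the fields date, time, event ID, computer and
description. The allowlist entries and log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Event ID and description wording taken from the event log excerpt in the thread.
ALL_PORT_SCAN_EVENT_ID = 15105
DESCRIPTION_RE = re.compile(
    r"ISA Server detected an all port scan attack from "
    r"Internet Protocol \(IP\) address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed allowlist: the Club Penguin address named in the thread, plus an
# assumed /24 (the TEST-NET-1 documentation range) to show CIDR matching.
ALLOWLIST = ("209.213.108.135/32", "192.0.2.0/24")

# Constructed sample export. Event ID 9999 is a placeholder for an unrelated
# event, not a real ISA event ID.
SAMPLE_LOG = [
    "21/10/2006\t07:36:12\t15105\tWHATEVER\tISA Server detected an all port scan "
    "attack from Internet Protocol (IP) address 209.213.108.135.",
    "21/10/2006\t07:41:03\t15105\tWHATEVER\tISA Server detected an all port scan "
    "attack from Internet Protocol (IP) address 198.51.100.23.",
    "21/10/2006\t07:42:17\t15105\tWHATEVER\tISA Server detected an all port scan "
    "attack from Internet Protocol (IP) address 198.51.100.23.",
    "21/10/2006\t07:45:00\t9999\tWHATEVER\tUnrelated event, must be ignored.",
    "21/10/2006\t07:50:30\t15105\tWHATEVER\tISA Server detected an all port scan "
    "attack from Internet Protocol (IP) address 192.0.2.77.",
    "21/10/2006\t07:52:00\t15105\tWHATEVER\tDescription in an unexpected format.",
]


def build_allowlist(cidrs):
    """Turn CIDR strings into network objects; a bare address is treated as /32."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowlisted(ip, networks):
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_line(line):
    """Parse one exported line into a dict, or return None if it is malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 5:
        return None
    date, time, event_id, computer, description = parts
    if not event_id.isdigit():
        return None
    return {"date": date, "time": time, "event_id": int(event_id),
            "computer": computer, "description": description}


def extract_ip(description):
    """Pull the scanning address out of the 15105 description; None if absent."""
    match = DESCRIPTION_RE.search(description)
    if match is None:
        return None
    try:
        return str(ipaddress.ip_address(match.group("ip")))  # rejects e.g. 999.1.1.1
    except ValueError:
        return None


def triage(lines, networks):
    """Split 15105 events into those to raise and those to suppress.

    Returns (raised, suppressed, counts). An event whose description cannot be
    parsed is raised rather than dropped, so a wording change in the alert text
    never silently disables detection. counts tallies raised events per source IP.
    """
    raised, suppressed, counts = [], [], Counter()
    for line in lines:
        event = parse_line(line)
        if event is None or event["event_id"] != ALL_PORT_SCAN_EVENT_ID:
            continue
        ip = extract_ip(event["description"])
        event["ip"] = ip
        if ip is None:
            raised.append(event)          # fail open: unknown format still alerts
        elif is_allowlisted(ip, networks):
            suppressed.append(event)
        else:
            counts[ip] += 1
            raised.append(event)
    return raised, suppressed, counts


if __name__ == "__main__":
    raised, suppressed, counts = triage(SAMPLE_LOG, build_allowlist(ALLOWLIST))
    for ev in raised:
        print(f"ALERT {ev['date']} {ev['time']} from {ev['ip'] or 'unparsed'}")
    print(f"suppressed {len(suppressed)} allowlisted event(s); "
          f"repeat sources: {dict(counts)}")
```

Two design points worth keeping if this is adapted: the filter fails open, so a 15105 event it cannot parse is still raised instead of being quietly dropped, and the allowlist should stay as narrow as the game hosts actually used, because a reverse DNS name is an identification hint, not proof that a given address is harmless.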
Amy Babinchak, Michigan, United States (Microsoft MVP, member since 5/23/2005), posted 10/21/2006 12:20 AM
No, and I wouldn't turn off the intrusion detection just to eliminate false positives.
 
Not sure what to add to that. Here's the explanation for why some sites throw false positives.
 

Amy Babinchak
for ThirdTier.net

Need additional help?
http://www.thirditer.net
Angus Crampton Smith, Australia (registered user since 2/21/2006), posted 10/21/2006 01:44 AM
Amy

Thanks for that. I am with you on not a good idea to shut it off. I had a look at the article from Microsoft, and it is a good explanation of why it might occur and would probably explain why it occurs during their sessions too. http://www.microsoft.com/technet/community/columns/sectip/st1205.mspx

It does not tell us how to fix it, nor how to fix it for specific IP addresses.

I may be able to do something by increasing the timeout for connections which is mentioned in passing:

"Generally, if no traffic is received from either end of the connection within two minutes, ISA Server closes the connection and forgets it. This behavior can be changed, but it involves some scripting and ISA COM skills and that’s not part of today’s discussion. This behavior is also dependent on protocol-specific settings, such as the Web proxy connection timeout, which can override this default if it’s set to a larger or smaller value."

I will now need to have a look at the Web Proxy Connection Timeout and see if I can up that....

Anyone else have any more?

Gus
Angus Crampton Smith, Australia (registered user since 2/21/2006), posted 10/22/2006 12:23 AM
I have upped the connection timeout (4 minutes) and this did not fix it. I am trying 10 minutes, but this is just a way of changing ISA's behaviour when what I want to do is stop the reporting for some sites.

Can I do this another way?

Gus
Amy Babinchak, Michigan, United States (Microsoft MVP, member since 5/23/2005), posted 10/22/2006 09:16 PM
You can't specify which sites are false positives and which are not. Might be a nice feature request, though. You should send it to Microsoft wish. http://support.microsoft.com/?kbid=114491  Note: I just checked, and the KB has gone missing. I'll let you know if I discover where it went. Meanwhile it might reappear.

Andy Adams, United States (registered user since 2/6/2008), posted 3/28/2008 05:12 PM
OK, it's been over two years since Microsoft published http://www.microsoft.com/technet/community/columns/sectip/st1205.mspx ... has anyone figured out a workaround to avoid messages for IPs that are safe?
Forums > Microsoft Small Business Server 2003 & 2000 > ISA Server 2004 > AllPort Scan attacks? Intrusion detection!