----- Original Message ----- From: "Ben Schorr" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, February 25, 2002 9:35 PM Subject: Port scan reporting?
> Our ISA server reported a number of attempted port scans of our server over > the weekend; no biggie, but the log files indicate the IP address they Did you set it up on Friday ? I get syslog entry�s about portscans nearly every hour. The IP�s are saved in a textfile and compared - if the scan appears more than one time or the host issues more complex actions it is blocked in the firewall. Most scans are started from dynamic IP�s, Therefore I request some additional infos from the hosts ( arp if possible ) and an nmap fingerprint :) If it seems to be a qualified attack, you have to contact the net maintainer of the attackers isp ( usually [EMAIL PROTECTED] ) or your local cert http://www.cert.org/ you may also take a look at http://www.dshield.org might be possible that their clients are compatible with your "I"�m "S"ecure "A"bit > -Ben- > Ben M. Schorr, MVP-Outlook, CNA, MCPx3 don�t bother too much Michael
