I have set an Intrusion Detection alert in the ISA server, and I have
received quite a lot of alert message as following:
Subject: ISA Server alert: An intrusion was attempted by an
ISA Server name: ISA
ISA Server detected an all port scan attack from Internet
Protocol (IP) address 22.214.171.124.
For more information about this event, see ISA Server Help.
The ISA server is behind a SonicWall. At the beginning I though that
some hacker could go through the SonicWall to scan the ports at ISA server.
However, after I unplugged the network cable between SonicWall and ISA
Server for a few minutes, I found that there are even more those message
from ISA server. Most of the time, those IP addresses in the messages are
different. Some of them from different ISP. Could anyone tell me how to
figure out which alert message is true and how to stop those false messages?