
Event ID: 15105 Source: MicrosoftFirewall

ISA Server detected an all port scan attack from Internet Protocol (IP) address <ip address>.
To identify what type of traffic caused this event, look up the IP address mentioned in the event in the ISA logs. The logs can be queried in different ways, depending on their format.

In one instance, the ISA logs identified the source of the port scan as a computer on the internal network on port UDP/1434 (used by SQL management utilities). Running a sniffer (Ethereal) on that computer revealed that in fact it was the ISA server that was broadcasting on UDP/1434 and the internal computer (running MSDE) was answering this broadcast. Upon further investigation, we realized that the ISA was running the SQL Server Service Manager utility (ISA installs MSDE for logging purposes) and this utility was broadcasting every 5 seconds looking for SQL servers. While doing that, it was recording the answers from the other computers as potential network scans! Stopping the SQL Server Service Manager on the ISA fixed the problem.

ME319381 describes a condition in which this message can be recorded when the Windows Media Player client tries to reuse the UDP port before it has been properly freed at the ISA server. A post-SP1 hotfix is available.

In many situations, normal Internet packet delays may result in this type of message.
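
The log lookup described above, as an added example that is not part of the original page: it reads a W3C-format log, takes the field names from the `#Fields` line, and profiles the traffic recorded for the address named in the event. The log lines and the field names (`src-ip`, `src-port`, `dst-port` and so on) are constructed assumptions, so adjust them to the header of your own ISA log.

```python
from collections import Counter

# Constructed sample in W3C extended log format, tab-separated. The field
# names are assumptions; a real log declares its own in the #Fields line.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tprotocol\tsrc-ip\tsrc-port\tdst-ip\tdst-port\taction",
    "2004-05-01\t10:00:00\tUDP\t192.0.2.10\t1434\t192.0.2.1\t3051\tDenied",
    "2004-05-01\t10:00:05\tUDP\t192.0.2.10\t1434\t192.0.2.1\t3052\tDenied",
    "2004-05-01\t10:00:10\tUDP\t192.0.2.10\t1434\t192.0.2.1\t3053\tDenied",
    "2004-05-01\t10:00:11\tTCP\t198.51.100.7\t40001\t192.0.2.1\t21\tDenied",
    "2004-05-01\t10:00:12\tTCP\t198.51.100.7\t40002\t192.0.2.1\t23\tDenied",
    "2004-05-01\t10:00:20\tUDP\t192.0.2.10",  # truncated record
])

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def profile_source(text, ip):
    """Summarize what was logged from `ip`, the address named in the event."""
    rows = [r for r in parse_w3c(text) if r["src-ip"] == ip]
    src_ports = Counter((r["protocol"], r["src-port"]) for r in rows)
    dst_ports = {r["dst-port"] for r in rows}
    times = sorted(r["date"] + " " + r["time"] for r in rows)
    # One fixed source port toward varying destination ports is what replies
    # from a single service look like (the UDP/1434 case above). Treat it as
    # a hint to inspect that host and the ISA server, not as a verdict.
    single = len(src_ports) == 1 and len(dst_ports) > 1
    return {
        "records": len(rows),
        "source_ports": dict(src_ports),
        "distinct_dst_ports": len(dst_ports),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
        "single_source_port": single,
    }
```
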
