Event ID: 15108 Source: MicrosoftISAServerControl

Level
Description
ISA Server detected a spoof attack from the Internet Protocol (IP) address <ip address>. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.
Comments
 
See ME840681 and ME884496 for details on why this event occurs and how to fix the problem.
As per ME326116, on an ISA server having the external interface configured to have its IP address dynamically assigned from DHCP, you may not be able to renew the IP address on the interface.

This event may appear in the log if the packet filter is currently handling a packet while the IP address was renewing. This causes routing table changes in the operating system. Because ISA Server does spoof detection by comparing the interface on which the packet was received to the interface from which a reply to the originating source would be sent, it would consider this to be a spoofed packet if the two interfaces are different. A hotfix is available.

Some newsgroup posts suggest that this event may occur when you have an internal computer infected with a virus or worm. It is also recommended if possible to run a network sniffer (i.e. MS Network Monitor) and detect the source of the spoof.
Occurs when I make a terminal server connection to the server from an external location.
This can occur for several reasons:
1. An attack is being attempted from an outside source.
2. A lot of external networks send out ping requests to see who is out there; this will be registered.
3. A client connects via VPN and is not correctly connected.
Make sure that the defined external interface is not routable by the internal clients except through the ISA server. You can put the External Interface on the DMZ with a network address clearly different from your internal routing network (LAT).
Also, make sure that the external NIC does not have any WINS settings and the NIC is not set to register to the AD DNS. Verify that there is no entry on your WINS server that pertains to the external NIC. The reason for this is that if the external NIC registers to the WINS or the AD DNS, internal nodes will try to connect to the ISA server via the external NIC. ISA will in turn refuse the connection and generate a spoofing error.
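
The spoof check described in the comments above (compare the interface a packet arrived on with the interface a reply to its source would leave on) can be modelled in a few lines to see why both real spoofing and a routing change during DHCP renewal raise event 15108. This is an added example, not ISA Server code; the interface names, addresses, routing tables and the missing default route during renewal are constructed assumptions.

```python
import ipaddress

def reply_interface(routes, src):
    """Longest-prefix match: interface a reply to src would leave on, or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_spoofed(routes, src, arrived_on):
    """Flag the packet when the reply interface differs from the receiving one."""
    return reply_interface(routes, src) != arrived_on

# Constructed routing table: internal range (LAT) on 'internal',
# default route on 'external'.
ROUTES = [("10.0.0.0/8", "internal"), ("0.0.0.0/0", "external")]
# Assumed state while the DHCP lease on 'external' is renewing:
# the default route is momentarily absent from the table.
ROUTES_RENEWING = [("10.0.0.0/8", "internal")]

def demo():
    cases = [
        # Normal Internet traffic: reply goes back out the same interface.
        ("Internet host on external", ROUTES, "198.51.100.7", "external"),
        # Internal source address seen on the external NIC: a forged source,
        # or an internal node that resolved the external NIC via WINS/DNS.
        ("internal address on external", ROUTES, "10.1.2.3", "external"),
        # Legitimate packet handled while the routing table is changing.
        ("Internet host during renewal", ROUTES_RENEWING, "198.51.100.7", "external"),
    ]
    return [(label, is_spoofed(r, s, i)) for label, r, s, i in cases]

if __name__ == "__main__":
    for label, flagged in demo():
        print(f"{label}: {'event 15108' if flagged else 'accepted'}")
```
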

