Thursday, January 12, 2006

All Port Scan False Positives Explained

The security column of the month has produced a whammy of an article on TechNet titled ISA Server Port Scan Alerts. Not a catchy title, but it is a must-read. Here's a little snip from the beginning of the article:

"Since the dawn of ISA Server time (2000, if you haven’t been watching), ISA Server administrators have received practical but often confusing notifications of “all port scan” and “port scan” intrusion attempt alerts.

Although the ability to notify administrators when potentially malicious traffic is detected is a useful feature of any firewall, these alerts in particular seem to cause more confusion than do other ISA Server alerts. It’s this confusion that we’ll try to eliminate today.

To keep things simple (and short), we’ll limit our examples to ISA Server 2004. The same general principles apply to ISA Server 2000, but the ISA Server user interface and log review examples differ greatly."


