I had a few half-scan attacks and I found out how my ISA
Server can create an automatic IP Packet Filter to block the
attacker. I did it.
If someone is looking for it, the script is below.
Erasmo C Pilecco
Copied from the ISA Server SDK help, with a few modifications to
create the rule name with the attacker's IP:
Environment Variable Example
The VBScript provided below creates a blocking packet
filter for an IP address received in an attack event. It's
based on the sample script StaticFilter.vbs.
In order to use the script as a response to an attack, you
should create a new alert with the following parameters:
Event - "Intrusion detected".
Additional condition - a condition of interest to you,
such as "Well-known port scan attack".
Select Run a program as the action.
Specify the following command line:
where %windir% is your Windows 2000 installation
directory, and StaticFilter.vbs is the full path to the
script you want to run.
'define the constants
const fpcBlockingPacketFilter = 2
const fpcCustomFilterType = 1
const fpcPfAnyProtocolIpIndex = 0
const fpcPfDirectionIndexBoth = 3
const fpcPfAnyPort = 1
const fpcPfAnyRemotePort = 1
const fpcPfDefaultProxyExternalIp = 1
const fpcPfSingleHost = 2

Private Sub SetStaticPacketFilter()
    'Create the root object
    Set ISA = CreateObject("FPC.Root")
    'Get the containing array
    Set MyArray = ISA.Arrays.GetContainingArray
    ' read the process environment, where the alert action passes its parameters
    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set WshEnv = WshShell.Environment("Process")
    ' name the filter after the attacker IP carried in 'ALERT_PARAMETER_1'
    Filter_Name = "Deny attacker " & WshEnv("ALERT_PARAMETER_1")
    ' Create blocked filter to all traffic from the attacker IP
    Set pf = MyArray.ArrayPolicy.IpPacketFilters.Add(Filter_Name, fpcBlockingPacketFilter)
    pf.Description = "Block all traffic from attacker"
    ' set the filter parameters
    pf.Enabled = True
    pf.AllServers = True
    pf.FilterType = fpcCustomFilterType
    pf.ProtocolNumber = fpcPfAnyProtocolIpIndex
    ' apply the filter to both directions (inbound and outbound packets)
    pf.PacketDirection = fpcPfDirectionIndexBoth
    ' define the local host type (call assumed; the line is missing from this listing)
    pf.SetLocalHost fpcPfDefaultProxyExternalIp
    ' set the local port type
    pf.LocalPortType = fpcPfAnyPort
    ' set the protocol port type & number
    pf.RemotePortType = fpcPfAnyRemotePort
    ' the environment variable 'ALERT_PARAMETER_1' contains the attacker IP
    pf.SetRemoteHost fpcPfSingleHost, WshEnv("ALERT_PARAMETER_1")
    ' commit the new filter to the ISA configuration
    pf.Save
End Sub

' run the routine when the alert action starts the script
SetStaticPacketFilter
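
One check to place in front of the filter creation in the script above, as an added example (not part of the original post or the SDK sample): it validates the value of ALERT_PARAMETER_1 before it is used as a rule name and remote host. NormalizeIPv4, ShouldBlock and the NeverBlock list are hypothetical names, and all addresses are constructed samples.

```vbscript
Option Explicit

' Hypothetical never-block list (constructed sample values): addresses that
' must stay reachable even if they appear as the source of an alert.
Dim NeverBlock
NeverBlock = Array("192.0.2.1", "192.0.2.53")

' Return the address in canonical dotted-quad form, or "" if it is malformed.
Function NormalizeIPv4(s)
    Dim re, parts, i
    NormalizeIPv4 = ""
    Set re = New RegExp
    re.Pattern = "^\d{1,3}(\.\d{1,3}){3}$"
    If Not re.Test(Trim(s)) Then Exit Function
    parts = Split(Trim(s), ".")
    For i = 0 To 3
        If CInt(parts(i)) > 255 Then Exit Function
        parts(i) = CStr(CInt(parts(i)))   ' drop leading zeros: "002" -> "2"
    Next
    NormalizeIPv4 = Join(parts, ".")
End Function

' True only when a blocking filter may be created for this alert parameter.
Function ShouldBlock(raw)
    Dim ip, i
    ShouldBlock = False
    ip = NormalizeIPv4(raw)
    If ip = "" Then Exit Function                 ' empty or not an IPv4 address
    If Left(ip, 4) = "127." Or ip = "0.0.0.0" Or ip = "255.255.255.255" Then
        Exit Function                             ' never a real remote host
    End If
    For i = 0 To UBound(NeverBlock)
        If ip = NeverBlock(i) Then Exit Function  ' protected address
    Next
    ShouldBlock = True
End Function

' Constructed sample inputs standing in for ALERT_PARAMETER_1 values.
Dim sample
For Each sample In Array("203.0.113.7", "192.000.002.001", "300.1.1.1", _
                         "127.0.0.1", "1.2.3.4; x", "")
    WScript.Echo """" & sample & """ -> block: " & ShouldBlock(sample)
Next
```

In the alert script, call ShouldBlock(WshEnv("ALERT_PARAMETER_1")) and run SetStaticPacketFilter only when it returns True, passing the normalized address to the filter name and to SetRemoteHost.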