This rule generates an alert when ISA Server reports that the number of TCP connections allowed from a specific source IP address has exceeded the configured limit.
ISA Server will not allow the creation of new TCP connections from a specific source IP address during a system-defined time period because the connection limit that restricts the number of TCP connections per minute from a single IP address was exceeded. By default, the time period during which no new TCP connections are created from that IP address is 1 minute.
This IP address may belong to a host that is infected by a worm and is attempting to propagate the worm by scanning the network to find other vulnerable hosts.
Clean the client computer with this IP address if it is infected. If an excessive connection rate is legitimate, for example when the client computer is a server or a proxy that acts on behalf of many client computers, add the IP address to the list of computers that use custom connection limits.
See the product documentation for more information about ISA Server flood resiliency.
Property | Value |
---|---|
Target | Microsoft.ISAServer.2006.ServerRole |
Category | EventCollection |
Enabled | True |
Alert Generate | False |
Remotable | True |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.ISAServer.2006.Rule.AlertGenerate.DS | Default |
WA | WriteAction | Microsoft.ISAServer.2006.Rule.AlertGenerate.WA | Default |
```xml
<Rule ID="Microsoft.ISAServer.2006.The_number_of_TCP_connections_allowed_from_a_specific_source_IP_address_exceeded_the_configured_limit.Rule" Enabled="onEssentialMonitoring" Target="Microsoft.ISAServer.2006.ServerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.DS">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <EventsPattern>^(15120)$</EventsPattern>
      <EventType>2</EventType>
      <SourcePattern>Microsoft Firewall</SourcePattern>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WA" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.WA">
      <AlertMessageId>$MPElement[Name="Microsoft.ISAServer.2006.The_number_of_TCP_connections_allowed_from_a_specific_source_IP_address_exceeded_the_configured_limit.AlertMessage"]$</AlertMessageId>
      <DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
      <Priority>1</Priority>
      <Severity>2</Severity>
    </WriteAction>
  </WriteActions>
</Rule>
```