This Rule generates alerts when The number of denied connections from a specific source IP address exceeded the configured limit
ISA Server reduced the number of records of denied packets that are written in the log because the number of denied TCP and non-TCP packets per second exceeded the system limit.
One or many zombie hosts may be attempting an attack against a victim server, but ISA Server blocks the attack traffic.
Query the ISA Server logs to identify the zombie hosts, and then remove the malicious code from them.
See the product documentation for more information about ISA Server flood resiliency.
Target | Microsoft.ISAServer.2006.ServerRole |
Category | EventCollection |
Enabled | True |
Alert Generate | False |
Remotable | True |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.ISAServer.2006.Rule.AlertGenerate.DS | Default |
WA | WriteAction | Microsoft.ISAServer.2006.Rule.AlertGenerate.WA | Default |
<Rule ID="Microsoft.ISAServer.2006.The_number_of_denied_connections_from_a_specific_source_IP_address_exceeded_the_configured_limit.Rule" Enabled="onEssentialMonitoring" Target="Microsoft.ISAServer.2006.ServerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>EventCollection</Category>
<DataSources>
<DataSource ID="DS" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.DS">
<ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>Application</LogName>
<EventsPattern>^(21284)$</EventsPattern>
<EventType>1</EventType>
<SourcePattern>Microsoft Firewall</SourcePattern>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="WA" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.WA">
<AlertMessageId>$MPElement[Name="Microsoft.ISAServer.2006.The_number_of_denied_connections_from_a_specific_source_IP_address_exceeded_the_configured_limit.AlertMessage"]$</AlertMessageId>
<DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
<Priority>1</Priority>
<Severity>2</Severity>
</WriteAction>
</WriteActions>
</Rule>