Вот что я накопал по этой теме на http://forums.isaserver.orghttp://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000283
И вот еще из справки ISA:
IP half scan attack
This alert notifies that repeated attempts to send TCP packets with invalid flags were made.
During a normal TCP connection, the source initiates the connection by sending a SYN packet to a port on the destination system. If a service is listening on that port, the service responds with a SYN/ACK packet. The client initiating the connection then responds with an ACK packet, and the connection is established. If the destination host is not waiting for a connection on the specified port, it responds with an RST packet. !!!Most system logs do not log completed connections until the final ACK packet is received from the source.!!! Sending other types of packets that do not follow this sequence can elicit useful responses from the target host, without causing a connection to be logged. This is known as a TCP half scan, or a stealth scan, because it does not generate a log entry on the scanned host.
If this alert occurs, log the address from which the scan occurs. If appropriate, configure the ISA Server rules to block traffic from the source of the scans.
Может поможет... Удачи!