Security Incidents mailing list archives

Re: Template Admin Notification


From: "Oxenreider, Jeff" <jox () SAFELITE COM>
Date: Wed, 24 Jan 2001 11:23:15 -0500

This is what I use:

Dear Sir or Ma'am,

Our Intrusion Detection System (IDS) this past <time of day> picked up a
series of <IDS Result> from your host <Attacker> on <Day> at approximately
<TIME/TZ> that scanned my entire block of class C addresses.  IDS systems
are not perfect and can submit false positive messages; however, our
security policy states that we must follow up with the ISP of the offender
and request an explanation of the actions.  When you see the logs that I've
included below, I think you will agree that the false positive scenario
isn't very likely.  The offending host might possibly be compromised itself
and is being used as a launching point for other abuses.  Please look into
this problem and stop this against my, or any other network in the future.

I've CC'd my ISP so they are aware of the actions that I am taking and if
you have any questions, please feel free to contact me at the number in my
signature below.

Thank you for your time and cooperation in this matter.

I've only included a portion of the logs generated by my IDS and all times
below are listed in EST.

Thanks,

<INCLUDED PORTION OF LOGS>



Jeffrey A. Oxenreider
Network Security Analyst
Safelite Glass Corp
614-761-4836


-----Original Message-----
From: Alfred Huger [mailto:ah () SECURITYFOCUS COM]
Sent: Wednesday, January 24, 2001 11:10 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Template Admin Notification


Does anyone on the list have a default template email they use to notify
admins of attacks from their networks?

I would be interested in seeing them posted to the list (or to myself
directly if that's not possible).

Cheers,
-al

"Vae Victis"
SecurityFocus.com

