Security Incidents mailing list archives
Re: Template Admin Notification
From: David Kennedy CISSP <david.kennedy () ACM ORG>
Date: Wed, 24 Jan 2001 21:22:23 -0500
At 01:55 PM 1/24/01 -0600, Martin Hoz Salvador -CITI Soporte wrote:
Basically, the things I think a notification letter should contain are:
- Polite language: keep in mind "the other" sysadmin may have no time to check security issues, or there may not even be a security function in the area, or even worse, the other sysadmin may not have any knowledge about security.
- PGP signed. This is serious.
- Source IPs, ports, destination IPs and ports, giving times (start and end times), and also the timezone (this is pretty important).
- How you found out about the attack (IDS, firewall logs, chance, etc.)
- The kind of attack you think you are dealing with...
- A message saying "I could help you if you want. Let me know if that's the case." And of course, be ready to back this statement. ;-)
Important: If you don't get an answer in a reasonable time (i.e. 2 or 3 days), resend the message, and this time send a copy to the carrier of your "attack source". You can figure this out using traceroute and whois. :-)
Good advice. Some of the other templates seem a bit strident to me. Some other bullets to consider:
- Reader may not read the same language you use. Minimize contractions, abbreviations, acronyms and jargon. ("IP" is ok but I avoid "dest" and "src.") Will babelfish mangle the sentence too badly?
- Use "may" or "appears" and other conditional expressions to allow for spoofing and error. You don't *know* it came from IP such-and-such, it just looks that way from your end of the wire. WHOIS can be wrong; no really, there are mistakes in there!
- You cannot compel them to do anything; a kind word goes farther than a demand for action.
- The reader may be hostile: either the probe was the true intention of the system's operator, or the system is so 0wned that the intruder is going to get, read and delete your complaint.
- With the above in mind, confine information to the remote system, not your own. They don't need to know if you're running snort, blackice, Real Secure, ZA or whatever.
- If I were using a "personal" firewall as the basis for a complaint I certainly would not reveal that. There are *way* too many yo-yos out there already sending complaints every time DHCP makes their IP the target of Half-Life UDP connections or PC Anywhere pings.
- Mention that the activity may be an Acceptable Use Policy/Terms of Service violation. If they don't have one, maybe the complaint will make them think about creating one. If the activity is not in violation, change the policy so that it is.
- I say, "I do not expect a reply." Actually I don't *want* a reply. Either they're going to do something or they aren't. If they do, great, but I don't have so much free time that I can donate it to helping someone who can't fix things themselves. If they don't do anything about my report, I don't need to know I've been ignored; I'd rather not know.
- I do not cut-and-paste directly from the log. It can reveal the nature of the system that created the log, it can be confusing to those unfamiliar with the format, or it can necessitate too much documentation to explain (see previous post including blackice docs.) Making the log readable to the clue-challenged also helps to make it intelligible to non-English speakers.
- Sometimes, like the surge in RPC/FTP probes associated with Ramen lately, I'll connect on FTP to collect their header. If the header is an obviously vulnerable wu-ftp, I'll paste in the CERT advisory URL and suggest the system be re-built and include the CERT "recovering from a compromise" URL. YMMV

--
Regards,
David Kennedy CISSP
Director of Research Services, TruSecure Corp.
http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.
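As an added example (not code from either poster), the following script turns raw firewall log lines into the kind of summary both messages ask for: remote IP, targeted ports, start and end times converted to an explicit timezone, hedged wording, and no mention of the local sensor or local addresses. The log format and the sample lines are constructed; the log is assumed to be recorded in the -0600 zone the thread's timestamps use.

```python
# Added example: build a vendor-neutral notification from raw log lines instead
# of pasting the log itself. The log format below is a made-up "sensor" format
# (an assumption); the notice deliberately never reveals it.
from collections import defaultdict
from datetime import datetime, timezone, timedelta

# Constructed sample lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2001-01-24 13:02:11 sensor1 DENY tcp 192.0.2.77:4031 -> 198.51.100.5:21
2001-01-24 13:02:12 sensor1 DENY tcp 192.0.2.77:4032 -> 198.51.100.5:111
2001-01-24 13:09:40 sensor1 DENY tcp 192.0.2.77:4100 -> 198.51.100.5:21
2001-01-24 13:15:03 sensor1 DENY udp 203.0.113.9:27015 -> 198.51.100.5:27015
"""

LOCAL_TZ = timezone(timedelta(hours=-6))  # assumed zone of the log (CST)

def summarize(log_text, local_tz=LOCAL_TZ):
    """Group events by remote IP: first/last seen in UTC plus targeted ports."""
    events = defaultdict(lambda: {"first": None, "last": None, "ports": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[6] != "->":
            continue  # skip lines that do not have the expected shape
        stamp = datetime.strptime(f"{fields[0]} {fields[1]}", "%Y-%m-%d %H:%M:%S")
        stamp = stamp.replace(tzinfo=local_tz).astimezone(timezone.utc)
        src_ip, _ = fields[5].rsplit(":", 1)
        _, dst_port = fields[7].rsplit(":", 1)
        e = events[src_ip]
        e["first"] = stamp if e["first"] is None else min(e["first"], stamp)
        e["last"] = stamp if e["last"] is None else max(e["last"], stamp)
        e["ports"].add(f"{fields[4]}/{dst_port}")  # e.g. "tcp/21"
    return dict(events)

def build_notice(src_ip, summary):
    """Plain, conditional wording; no product names, no local IPs, no log paste."""
    e = summary[src_ip]
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    return (
        f"Hello,\n\nBetween {e['first'].strftime(fmt)} and {e['last'].strftime(fmt)}, "
        f"a host that appears to be {src_ip} made unsolicited connection attempts "
        f"to our network on port(s) {', '.join(sorted(e['ports']))}. "
        "The address may be spoofed, or the host may itself be compromised. "
        "This may violate your Acceptable Use Policy. I do not expect a reply.\n"
    )

if __name__ == "__main__":
    print(build_notice("192.0.2.77", summarize(SAMPLE_LOG)))
```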