Security Incidents mailing list archives
Re: Template Admin Notification
From: "Jay D. Dyson" <jdyson () TREACHERY NET>
Date: Wed, 24 Jan 2001 13:43:47 -0800
On Wed, 24 Jan 2001, Alfred Huger wrote:

> Does anyone on the list have a default template email they use to notify admins of attacks from their networks? I would be interested in seeing them posted to the list (or to myself directly if that's not possible).

My template is pretty sparse compared to some. I stick with a "Jack Webb" approach (Just the facts, ma'am). I first receive the notice myself and, based on the severity of the scan or earnest nature of the attack, decide whether to forward it directly to the postmaster@, abuse@ and security@ contacts, as well as those designated in the ARIN, APNIC, RIPE (et al) database.

As an example, I scanned an internal system and generated this report:

    On Wed Jan 24 13:12:06 2001, the following scan was noted:

    Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 23
    Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 79
    Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 81
    Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 109
    Connect from host: 192.168.10.201/192.168.10.201 to UDP port: 161

    The owner of the offending network is identified in ARIN as:

    IANA (IANA-CBLK-RESERVED)
       Internet Assigned Numbers Authority
       Information Sciences Institute
       University of Southern California
       4676 Admiralty Way, Suite 330
       Marina del Rey, CA 90292-6695

       Netname: IANA-CBLK1
       Netblock: 192.168.0.0 - 192.168.255.255

       Coordinator:
          Internet Corporation for Assigned Names and Numbers (IANA-ARIN) iana () IANA ORG
          (310) 823-9358

       Domain System inverse mapping provided by:

       BLACKHOLE.ISI.EDU    128.9.64.26
       BLACKHOLE.EP.NET     198.32.1.116

       These blocks are reserved for special purposes.
       Please see RFC 1918 for additional information.

       Record last updated on 30-Aug-2000.
       Database last updated on 24-Jan-2001 07:54:28 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.

-Jay

"There's always time for a good cup of coffee"
Jay D. Dyson -- jdyson () treachery net
...You can have my absence of faith...
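
An added example, not part of the original message or the author's own tooling: a sketch of building a notice in the same "just the facts" layout from log lines in the format shown in the report, and skipping RFC 1918 sources, which (as the whois output above shows) have no outside admin to notify. The function names, the `example.net` domain, the sample addresses and the assumption that the text after the slash is the source address are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Line format copied from the report above; assumed to be name/address.
LINE = re.compile(r"Connect from host: \S+/(\S+) to (TCP|UDP) port: (\d+)")
ROLES = ("postmaster", "abuse", "security")  # role mailboxes named in the message
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(log_text):
    """Group (protocol, port) probes by source address, in order seen."""
    probes = defaultdict(list)
    for m in LINE.finditer(log_text):
        src = ipaddress.ip_address(m.group(1))
        probes[src].append((m.group(2), int(m.group(3))))
    return probes


def build_notice(when, src, hits, domain, registry_contacts=()):
    """Return (recipients, body), or None for an RFC 1918 source.

    domain and registry_contacts come from the analyst's own reverse-DNS
    and whois lookups; this sketch queries no registry.
    """
    if any(src in net for net in RFC1918):
        return None  # reserved block: whois only returns the IANA record
    rcpts = [f"{role}@{domain}" for role in ROLES] + list(registry_contacts)
    lines = [f"On {when}, the following scan was noted:", ""]
    lines += [f"Connect from host: {src}/{src} to {proto} port: {port}"
              for proto, port in hits]
    return rcpts, "\n".join(lines)


# Constructed sample input; 198.51.100.7 is a documentation address.
SAMPLE = """\
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 23
Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 79
Connect from host: 198.51.100.7/198.51.100.7 to UDP port: 161
"""

if __name__ == "__main__":
    for src, hits in parse(SAMPLE).items():
        notice = build_notice("Wed Jan 24 13:12:06 2001", src, hits, "example.net")
        print(src, "-> skipped (RFC 1918)" if notice is None else notice)
```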