Security Incidents mailing list archives

Re: Template Admin Notification


From: "Jay D. Dyson" <jdyson () TREACHERY NET>
Date: Wed, 24 Jan 2001 13:43:47 -0800

-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 24 Jan 2001, Alfred Huger wrote:

> Does anyone on the list have a default template email they use to notify
> admins of attacks from their networks?
>
> I would be interested in seeing them posted to the list (or to myself
> directly if that's not possible).

        My template is pretty sparse compared to some.  I stick with a
"Jack Webb" approach (Just the facts, ma'am).

        I first receive the notice myself and, based on the severity of
the scan or earnest nature of the attack, decide whether to forward it
directly to the postmaster@, abuse@ and security@ contacts, as well as
those designated in the ARIN, APNIC, RIPE (et al) database.

        As an example, I scanned an internal system and generated this
report:


On Wed Jan 24 13:12:06 2001, the following scan was noted:

Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 23
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 79
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 81
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 109
Connect from host: 192.168.10.201/192.168.10.201 to UDP port: 161

The owner of the offending network is identified in ARIN as:

IANA (IANA-CBLK-RESERVED)
   Internet Assigned Numbers Authority
   Information Sciences Institute
   University of Southern California
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695

   Netname: IANA-CBLK1
   Netblock: 192.168.0.0 - 192.168.255.255

   Coordinator:
      Internet Corporation for Assigned Names and Numbers  (IANA-ARIN)  iana () IANA ORG
      (310) 823-9358

   Domain System inverse mapping provided by:

   BLACKHOLE.ISI.EDU            128.9.64.26
   BLACKHOLE.EP.NET             198.32.1.116

   These blocks are reserved for special purposes.
   Please see RFC 1918 for additional information.

   Record last updated on 30-Aug-2000.
   Database last updated on 24-Jan-2001 07:54:28 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.


- -Jay

   (                                                            ______
   ))   .-- "There's always time for a good cup of coffee" --.   >===<--.
 C|~~| (>------- Jay D. Dyson -- jdyson () treachery net -------<) |   = |-'
  `--'  `------ ...You can have my absence of faith... ------'  `-----'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: E-mail me for my PGP Public Key.

iQCVAwUBOm9MmtCClfiU/BIVAQHqlwP/XmoWZ0GJ4jM8TmihCamYUeNTj/9P+HuU
9KuEDmW7z41IQ6oGBRd4a6yoyaf+8Fe6dy1yOaA3mjxmLaWgH8E0YqO6d5bIY4eq
DVNzec29NeAcfSAUQg88gHxcaNl4mgSvJBoCHnTNRuspulwvhOooSaHmLqmCh5wz
yTJwAC9IRB8=
=Nv+C
-----END PGP SIGNATURE-----
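The workflow Jay describes (collect the connection log, judge whether it is a scan or a stray connection, then wrap the facts and the registry contact in a terse report) is easy to script. The following is an added example, not code from the original post or from the list; it assumes log lines in exactly the `Connect from host: name/ip to TCP port: N` shape shown above, a caller-supplied `whois_lookup(ip)` function standing in for a real ARIN/RIPE/APNIC query, and a constructed distinct-port threshold (`SCAN_PORT_THRESHOLD`) as the severity heuristic, which the post does not specify.

```python
"""Build a 'just the facts' admin notification from connection-log lines.

Added example, not from the original post. Assumptions: the log format is
the one shown in the post, the whois contact block is supplied by a caller
(a real deployment would query the registry), and the severity threshold
is a constructed heuristic.
"""
import re
from collections import defaultdict

# Matches the line format shown in the post; the host field is "name/ip".
LINE_RE = re.compile(
    r"Connect from host: (?P<name>[^/\s]+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)

# Constructed sample input: the five lines from the post, one stray single
# connection from another host (so aggregation has something to do), and a
# malformed line that must be skipped rather than crash the parser.
SAMPLE_LOG = """\
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 23
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 79
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 81
Connect from host: 192.168.10.201/192.168.10.201 to TCP port: 109
Connect from host: 192.168.10.201/192.168.10.201 to UDP port: 161
Connect from host: 192.168.10.7/192.168.10.7 to TCP port: 80
this line is noise and is skipped
"""

# Constructed threshold (an assumption, not from the post): a source that
# touches this many distinct ports is treated as a scan, not a stray connect.
SCAN_PORT_THRESHOLD = 3


def parse_log(text):
    """Return {source_ip: [(proto, port, original_line), ...]}, ignoring
    lines that do not match the expected format."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        by_host[m["ip"]].append((m["proto"], int(m["port"]), line.strip()))
    return by_host


def classify(events):
    """'scan' when the distinct (proto, port) pairs reach the threshold,
    otherwise 'single' (one or two connections may be a typo or a probe)."""
    distinct = {(proto, port) for proto, port, _ in events}
    return "scan" if len(distinct) >= SCAN_PORT_THRESHOLD else "single"


def build_report(events, noted_at, whois_block):
    """Render the notification body in the post's sparse format."""
    lines = [f"On {noted_at}, the following scan was noted:", ""]
    lines.extend(orig for _, _, orig in events)
    lines += ["", "The owner of the offending network is identified in ARIN as:",
              "", whois_block.rstrip(), ""]
    return "\n".join(lines)


def build_notifications(text, noted_at, whois_lookup):
    """One report per source whose activity classifies as a scan.
    whois_lookup(ip) is caller-supplied; it would query the registry."""
    reports = {}
    for ip, events in parse_log(text).items():
        if classify(events) == "scan":
            reports[ip] = build_report(events, noted_at, whois_lookup(ip))
    return reports


if __name__ == "__main__":
    # Stand-in for a registry query; the real contact block comes from whois.
    def fake_whois(ip):
        return f"   (whois record for {ip} would be pasted here)"

    noted = "Wed Jan 24 13:12:06 2001"
    for ip, body in build_notifications(SAMPLE_LOG, noted, fake_whois).items():
        print(body)
```

The single connection to port 80 from the second host is parsed but never reported, which is the point of the severity step: only the multi-port probe gets a notice, and the stray line that matches nothing is dropped silently instead of corrupting the report.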