Security Incidents mailing list archives
Re: Template Admin Notification
From: Terje Bless <link () TSS NO>
Date: Thu, 25 Jan 2001 00:32:51 +0100
On 24.01.01 at 13:55, Martin Hoz Salvador -CITI Soporte <mhoz () CITI CITI COM MX> wrote:
> - PGP SIGNED. This is serious.
Very! Anything not PGP Signed will potentially make me take it a little less seriously. It's that "Reasonable Assumption of Non-Refutability" thing again. You may also consider giving phone-numbers so I can reach you in a hurry if the situation warrants it.
> - Source IPs, ports, destination IPs and ports, giving times (start and ending times), giving also the timezone (this is pretty important).
I may have 1K+ potential sources in my care. Lack of detailed info makes my task impossible as the one on the receiving end of the Notification. Relate all times to GMT or, even better, UTC. While I /can/ figure out what DST is in Nowhere, Michigan, I'd just as soon not have to.
> - Polite language:
> - How you realized there was an attack (IDS, firewall logs, chance, etc...)
> - The kind of attack you think you are dealing with...
So how many form-letters have you got from some cable-modem user with a "Personal Firewall" with a shoddy configuration? I thought so. Make sure I understand that you're for real from the get-go. Make sure I understand that you're interested in solving the problem and not just venting steam at me (i.e. the "Be Polite" bit). If you have a good guess as to the attack, I may know its traffic pattern and be able to find the offender in 5 minutes. If I have to actually slog through logs the time increases exponentially. And set a realistic level of severity! If my users have knocked out Microsoft's DNS I'll do what it takes to fix it. If one of your users gets kicked from IRC by a bot from one of mine, I'll deal with it after I placate Microsoft's network people. Well, it being MS.... :-)
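The evidence fields discussed in this message (source IPs and ports, destination IPs and ports, start and end times related to UTC), as an added example that is not part of the original post: a script that condenses firewall log lines into one UTC-normalized line per source for the body of a notification. The log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: firewall log lines with local time and a numeric UTC offset.
SAMPLE_LOG = """\
2001-01-24 13:55:02 -0600 DROP TCP 192.0.2.10:4021 -> 198.51.100.5:53
2001-01-24 13:55:09 -0600 DROP TCP 192.0.2.10:4022 -> 198.51.100.5:53
2001-01-24 19:10:44 -0600 DROP UDP 192.0.2.77:1025 -> 198.51.100.5:111
2001-01-24 14:03:30 -0600 DROP TCP 192.0.2.10:4090 -> 198.51.100.5:53
garbage line that should be skipped
"""

# Assumed log layout: timestamp, offset, action, protocol, src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) \S+ (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def summarize(log_text):
    """Group events by (source IP, destination IP, destination port, protocol)."""
    flows = defaultdict(lambda: {"first": None, "last": None, "count": 0, "sports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable lines are skipped, not guessed at
        # Convert the local timestamp to UTC using the offset recorded in the log.
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
        f = flows[(m["src"], m["dst"], int(m["dport"]), m["proto"])]
        f["first"] = when if f["first"] is None else min(f["first"], when)
        f["last"] = when if f["last"] is None else max(f["last"], when)
        f["count"] += 1
        f["sports"].add(int(m["sport"]))
    return dict(flows)

def render(flows):
    """One line per flow, all times in UTC, for the body of the notification."""
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    out = []
    for (src, dst, dport, proto), f in sorted(flows.items()):
        sp = sorted(f["sports"])
        out.append(f"{src} (src ports {sp[0]}-{sp[-1]}) -> {dst}:{dport}/{proto}  "
                   f"{f['count']} events  {f['first'].strftime(fmt)} to {f['last'].strftime(fmt)}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

The third sample line crosses midnight when converted, so its UTC date is one day later than the local date in the log, which is the kind of ambiguity a stated timezone removes for the receiving admin.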