Security Incidents mailing list archives

Re: Template Admin Notification


From: Terje Bless <link () TSS NO>
Date: Thu, 25 Jan 2001 00:32:51 +0100

On 24.01.01 at 13:55, Martin Hoz Salvador -CITI Soporte
<mhoz () CITI CITI COM MX> wrote:

- PGP SIGNED. This is serious.

Very! Anything not PGP Signed will potentially make me take it a little
less seriously. It's that "Reasonable Assumption of Non-Refutability" thing
again. You may also consider giving phone-numbers so I can reach you in a
hurry if the situation warrants it.


- Source IPs, ports, destination IPs and ports, giving times
 (start and ending times), giving also the timezone (this
 is pretty important).

I may have 1K+ potential sources in my care. Lack of detailed info makes my
task impossible as the one on the receiving end of the Notification.
Relate all times to GMT or, even better, UTC. While I /can/ figure out what
DST is in Nowhere, Michigan; I'd just as soon not have to.


- Polite language:
- How did you realize about the attack (IDS, firewall logs,
 casuality, etc...)
- The kind of attack you think you are dealing with...

So how many form-letters have you got from some cable-modem user with a
"Personal Firewall" with a shoddy configuration? I thought so. Make sure I
understand that you're for real from the get-go. Make sure I understand
that you're interested in solving the problem and not just venting steam at
me (i.e. the "Be Polite" bit). If you have a good guess as to the attack, I
may know its traffic pattern and be able to find the offender in 5
minutes. If I have to actually slog through logs the time increases
exponentially.

And set a realistic level of severity! If my users have knocked out
Microsoft's DNS I'll do what it takes to fix it. If one of your users gets
kicked from IRC by a bot from one of mine, I'll deal with it after I
placate Microsoft's network people. Well, it being MS.... :-)
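The reply above argues that a notification is only actionable if it carries the exact source/destination tuples and a time window with an explicit timezone, because the abuse desk on the receiving end has to correlate it against its own logs, which are stamped in a different local time. The following Python script is an added example (not part of the thread, and not anyone's production tooling) that does exactly that correlation: it parses a notification, converts its window to UTC, and searches a constructed flow log for records matching the reported endpoints inside that window. The report fields, addresses, log lines and the two UTC offsets (sender at UTC-6, receiver at UTC+1) are all constructed for illustration; the second lookup shows what happens when the sender omits the offset and the receiver has to guess.

```python
"""Correlate an abuse notification against a provider's flow logs.

Added example; not from the original thread. Every report field, address,
log line and offset below is constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Constructed notification in the form the reply asks for: endpoints plus
# start/end times that carry an explicit UTC offset (sender sits at UTC-6).
REPORT = {
    "source_ip": "192.0.2.45",
    "source_port": 4567,
    "destination_ip": "198.51.100.7",
    "destination_port": 80,
    "start": "2001-01-24 13:55:00 -0600",
    "end": "2001-01-24 14:05:00 -0600",
    "suspected_attack": "HTTP flood",
}

# Constructed flow records from the receiving provider's firewall, stamped in
# its own local time (UTC+1). Fields: timestamp | src ip | src port | dst ip | dst port
FLOW_LOG = """\
2001-01-24 20:10:00 +0100 | 192.0.2.45 | 4567 | 198.51.100.7 | 80
2001-01-24 20:57:30 +0100 | 192.0.2.45 | 4567 | 198.51.100.7 | 80
2001-01-24 21:01:15 +0100 | 192.0.2.45 | 4567 | 198.51.100.7 | 80
2001-01-24 21:03:00 +0100 | 192.0.2.99 | 5555 | 198.51.100.7 | 80
2001-01-24 21:30:00 +0100 | 192.0.2.45 | 4567 | 198.51.100.7 | 80
"""

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: ([+-]\d{4}))?$")


def parse_timestamp(text, assumed_offset=None):
    """Parse 'YYYY-MM-DD HH:MM:SS [+-HHMM]' into an aware datetime in UTC.

    If the string carries no offset, fall back to `assumed_offset` (e.g. "+0100").
    With neither, refuse rather than silently guess a timezone.
    """
    match = TIMESTAMP_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    stamp, offset = match.groups()
    offset = offset or assumed_offset
    if offset is None:
        raise ValueError(f"timestamp has no UTC offset and none was assumed: {text!r}")
    local = datetime.strptime(f"{stamp} {offset}", "%Y-%m-%d %H:%M:%S %z")
    return local.astimezone(timezone.utc)


def parse_flow_log(text):
    """Turn the pipe-delimited constructed log into records with UTC times."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sip, sport, dip, dport = [field.strip() for field in line.split("|")]
        records.append({
            "time": parse_timestamp(ts),
            "src": (sip, int(sport)),
            "dst": (dip, int(dport)),
        })
    return records


def find_matching_flows(report, log_text, assumed_offset=None):
    """Return ISO-8601 UTC timestamps of log records that match the report's
    source/destination tuples and fall inside its [start, end] window."""
    start = parse_timestamp(report["start"], assumed_offset)
    end = parse_timestamp(report["end"], assumed_offset)
    src = (report["source_ip"], report["source_port"])
    dst = (report["destination_ip"], report["destination_port"])
    return [
        record["time"].isoformat()
        for record in parse_flow_log(log_text)
        if record["src"] == src and record["dst"] == dst and start <= record["time"] <= end
    ]


def strip_offsets(report):
    """Copy of the report with naive times, as a sloppy notification would send them."""
    naive = dict(report)
    for key in ("start", "end"):
        naive[key] = report[key][:19]  # drop the trailing " +-HHMM"
    return naive


if __name__ == "__main__":
    print("with explicit offset:", find_matching_flows(REPORT, FLOW_LOG))
    # Receiver guesses the sender meant its own local time (UTC+1): window lands
    # seven hours early and the offender's traffic is never found.
    print("offset omitted, receiver guesses +0100:",
          find_matching_flows(strip_offsets(REPORT), FLOW_LOG, assumed_offset="+0100"))
```

With the offset present the window 13:55-14:05 UTC-6 becomes 19:55-20:05 UTC and two of the five flow records match the reported tuple; with the offset stripped and the receiver guessing its own UTC+1, the same window lands at 12:55-13:05 UTC and nothing matches, which is the failure the reply is complaining about. Matching on the full source/destination tuple is what excludes the unrelated 192.0.2.99 record at 21:03.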

