Security Incidents mailing list archives

Re: Template Admin Notification


From: David Kennedy CISSP <david.kennedy () ACM ORG>
Date: Wed, 24 Jan 2001 21:22:23 -0500

-----BEGIN PGP SIGNED MESSAGE-----

At 01:55 PM 1/24/01 -0600, Martin Hoz Salvador -CITI Soporte wrote:
> Basically, the things I think a notification letter should contain
> are:
> - Polite language: keep in mind "the other" sysadmin may have
>   no time to check security issues, or even that there's no security
>   function in the area, or even worse, the other sysadmin doesn't
>   have any knowledge about security.
> - PGP SIGNED. This is serious.
> - Source IPs and ports, destination IPs and ports, giving times
>   (start and end times) and also the timezone (this
>   is pretty important).
> - How you became aware of the attack (IDS, firewall logs,
>   by chance, etc.)
> - The kind of attack you think you are dealing with...
> - A message saying "I could help you if you want. Let me know
>   if that's the case". And of course, be ready to back this
>   statement. ;-)
>
> Important: If you don't get an answer in a reasonable time
> (i.e. 2 or 3 days), resend the message, and this time send
> a copy to the carrier of your "attack source". You can
> figure this out using traceroute and whois. :-)


Good advice.  Some of the other templates seem a bit strident to me.

Some other bullets to consider:

-  Reader may not read the same language you use.  Minimize
contractions, abbreviations, acronyms and jargon.  ("IP" is ok but I
avoid "dest" and "src.")  Will babelfish mangle the sentence too
badly?
-  Use "may" or "appears" and other conditional expressions to allow
for spoofing and error.  You don't *know* it came from IP
such-and-such, it just looks that way from your end of the wire.
WHOIS can be wrong; no really, there are mistakes in there!
-  You cannot compel them to do anything; a kind word goes farther
than a demand for action.
-  The reader may be hostile: either the probe was the true intention
of the system's operator or the system is so 0wned that the intruder
is going to get, read and delete your complaint.
-  With the above in mind, confine information to the remote system,
not your own.  They don't need to know if you're running snort,
blackice, RealSecure, ZA or whatever.
-  If I were using a "personal" firewall as the basis for a complaint
I certainly would not reveal that.  There are *way* too many yo-yos
out there already sending complaints every time DHCP makes their IP
the target of Half-Life UDP connections or PC Anywhere pings.
-  Mention that the activity may be an Acceptable Use Policy/Terms of
Service violation.  If they don't have one, maybe the complaint will
make them think about creating one.  If the activity is not in
violation, change the policy so that it is.
-  I say, "I do not expect a reply."  Actually I don't *want* a
reply.  Either they're going to do something or they aren't.  If they
do, great, but I don't have so much free time that I can donate it to
helping someone who can't fix things themselves.  If they don't do
anything about my report, I don't need to know I've been ignored; I'd
rather not know.
-  I do not cut-and-paste directly from the log.  It can reveal the
nature of the system that created the log, it can be confusing to
those unfamiliar with the format, or it can necessitate too much
documentation to explain (see previous post including blackice
docs.)  Making the log readable to the clue-challenged also helps to
make it intelligible to non-English speakers.
-  Sometimes, like the surge in RPC/FTP probes associated with Ramen
lately, I'll connect on FTP to collect their header.  If the header
is an obviously vulnerable wu-ftp, I'll paste in the CERT advisory
URL and suggest the system be re-built and include the CERT
"recovering from a compromise" URL.


YMMV


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: How long has it been since you backed up your hard drive?

iQCVAwUBOm+Nz/GfiIQsciJtAQHtTwP/RjyLKXQIcfnSfeeMBlutWtjhQqUes+pu
IPomXZ1pa5SX+EbLRd7LcZPUkGHVyj0Drqc5GwP59RPV6MYpixNoHANpGAJwQlmp
QF+cz7KxAwOXNuJr9u+KyvRc3tS5sf5Brh0M9P4MwViQR13EfNl0qj4ILMoSrpM3
Mf58J8WcAJA=
=IoYz
-----END PGP SIGNATURE-----

--
Regards,

David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.

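The advice above (give start and end times with an explicit timezone, use conditional wording because the source may be spoofed, and do not paste raw log lines that reveal your own tooling) can be applied mechanically. The following is an added example, not code from David Kennedy's post or anyone else in the thread. It reads firewall log lines in a constructed, netfilter/syslog-style format and turns them into a neutral excerpt for an abuse contact. Everything specific is assumed: the log format, the log year 2001 and a logging-host clock of UTC-5 (syslog timestamps carry neither), and the addresses, which are drawn from the RFC 5737 documentation ranges and describe no real host.

```python
"""Turn raw firewall log lines into a neutral abuse-report excerpt.

Added example, not part of the original mailing-list post.  The log
format, the year, the local timezone and every address are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed local clock of the logging host: UTC-5.  Syslog lines record
# neither zone nor year, so both must be supplied; that is exactly why the
# thread says to state the timezone in the complaint.
LOCAL_TZ = timezone(timedelta(hours=-5))
LOG_YEAR = 2001

# Constructed sample lines (not a real capture).  Addresses come from the
# RFC 5737 documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24.
SAMPLE_LOG = """\
Jan 24 13:55:02 gw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=4123 DPT=21 SYN
Jan 24 13:55:02 gw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=4124 DPT=111 SYN
Jan 24 13:55:03 gw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.8 PROTO=TCP SPT=4125 DPT=21 SYN
Jan 24 14:02:41 gw kernel: IN=eth0 SRC=192.0.2.45 DST=198.51.100.9 PROTO=TCP SPT=4301 DPT=111 SYN
Jan 24 14:02:55 gw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=27005 DPT=27015
"""

# Assumed line layout: syslog month/day/time, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=LOG_YEAR, tz=LOCAL_TZ):
    """Parse one log line into a dict with a timezone-aware timestamp, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=tz)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def summarize(log_text, year=LOG_YEAR, tz=LOCAL_TZ):
    """Group events by apparent source address.

    Returns {src: {"first": dt, "last": dt, "count": n,
                   "targets": {(dst, proto, dpt), ...}}}.
    """
    summary = {}
    for line in log_text.splitlines():
        ev = parse_line(line, year, tz)
        if ev is None:
            continue
        s = summary.setdefault(ev["src"], {"first": ev["ts"], "last": ev["ts"],
                                          "count": 0, "targets": set()})
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
        s["count"] += 1
        s["targets"].add((ev["dst"], ev["proto"], ev["dpt"]))
    return summary


def fmt(dt):
    """Local time with explicit numeric offset, plus the same instant in UTC."""
    utc = dt.astimezone(timezone.utc)
    return f"{dt:%Y-%m-%d %H:%M:%S %z} ({utc:%Y-%m-%d %H:%M:%S} UTC)"


def render_notification(summary, src):
    """Plain-language excerpt for the remote site's abuse contact.

    Deliberately uses conditional wording ("appear to"), full words instead
    of SRC/DST/DPT, explicit timezones, and says nothing about our own
    logging tool, host name or interface.
    """
    s = summary[src]
    out = [
        f"Between {fmt(s['first'])} and {fmt(s['last'])}, our network recorded",
        f"{s['count']} connection attempt(s) that appear to originate from {src}.",
        "The attempts were directed at the following addresses, protocols and ports:",
    ]
    for dst, proto, dpt in sorted(s["targets"]):
        out.append(f"  destination {dst}, protocol {proto}, destination port {dpt}")
    out.append("Source addresses can be forged, so this may not be the true origin.")
    return "\n".join(out)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in summary:
        print(render_notification(summary, src), end="\n\n")
```

The rendered text carries only what the remote site needs (their address, our targeted addresses and ports, a time window in both local and UTC) and none of the fields that identify the logging system, which is the separation the post argues for.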
