Security Incidents mailing list archives
Re: Template Admin Notification
From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Thu, 25 Jan 2001 12:30:45 -0700
We get quite a few complaint emails on a daily basis as we have over 100K broadband users (mostly cable modem). David Kennedy and Martin Hoz Salvador seem to have the best general advice IMHO. I'd like to add a few comments:

> - Polite language

Very important. Most admins have quite a lot to do and an attitude moves your message to the bottom of the priority list or the bit bucket. Telling me how to do my job is not necessary. We have company policy for dealing with complaints and that's how they are handled. You may want their head, but you'll have to do that on your own without any help from me.

> - PGP SIGNED

Not super important to me. Since I don't *know* you personally and you did not *personally* give me your key, what difference does it make?

> - Source IPs, ports, destination IPs and ports, giving times (start and ending times), giving also the timezone (this is pretty important).

All this is good. The accuracy of your timestamps and timezone info are very important. Especially the timezone. Also, remember that there's a good chance the remote system is compromised or the IP is spoofed. Keep your logs short and to the point. If you send me a 5MB log file of mostly irrelevant info, chances are I'll save it for when I have time.

> - How did you become aware of the attack (IDS, firewall logs, casualty, etc...)

Sometimes helpful in determining what actually happened, but logs are always required.

> - The kind of attack you think you are dealing with...

Proof of this is good. Just because your firewall said it was a certain type of attack doesn't work for me. Logs, logs, logs.

> - A message saying "I could help you if you want. Let me know if that's the case". And of course, be ready to back this statement. ;-)

Depends on the problem, but good to know.

> Important: If you don't get an answer in a reasonable time (i.e. 2 or 3 days), resend the message, and this time, send a copy to the carrier of your "attack source". You can figure this out using traceroute and whois. :-)

If you expect immediate response, then provide immediate contact info. If you want more than an automated response, then say so, but don't always expect a reply. Don't SPAM with complaints. If you (or your users) get 20 of the same SPAM message, only one copy of the message is necessary. Odds are the admin hates SPAM as much as or more than you and will deal with the matter swiftly and decisively. I was going to say a lot more, but I won't (*applause from the crowd*). Basically, be short, polite, and provide enough relevant information to help fix the problem. If you want or need details, say so but be reasonable in your expectations. Work with them and not against them. Depending on the incident, they don't have to do anything and being an a$$ won't get you anywhere.

Mike
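The points about accurate, timezone-qualified timestamps and short, relevant logs can be turned into a small report-building step. The following Python script is an added example and is not code from the original post or from any of the thread's participants: it parses a handful of constructed firewall log lines in an assumed format (local timestamp with explicit UTC offset, source and destination IP:port, protocol), converts every timestamp to UTC, and condenses the events per source IP into first-seen/last-seen times, an event count, the set of targeted ports and only a few lines of raw evidence. The log format and the sample addresses are assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not from the original post). Assumed format:
# "<YYYY-MM-DD HH:MM:SS> <+/-HHMM> <ACTION> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2001-01-25 10:02:11 -0700 DROP 192.0.2.10:4021 -> 198.51.100.5:21 tcp
2001-01-25 10:02:12 -0700 DROP 192.0.2.10:4022 -> 198.51.100.5:22 tcp
2001-01-25 10:02:12 -0700 DROP 192.0.2.10:4023 -> 198.51.100.5:23 tcp
2001-01-25 10:09:40 -0700 DROP 192.0.2.10:4100 -> 198.51.100.6:80 tcp
2001-01-25 11:30:05 -0700 DROP 203.0.113.7:53012 -> 198.51.100.5:139 tcp
this line is noise and will be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<action>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Cap on raw lines quoted per source, so the report stays short and to the point.
MAX_EVIDENCE = 3


def parse_line(line):
    """Parse one log line; return a dict with a UTC timestamp, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # %z understands the explicit offset, so the local time is unambiguous.
    local_ts = datetime.strptime(f"{m['ts']} {m['tz']}", "%Y-%m-%d %H:%M:%S %z")
    return {
        "ts": local_ts.astimezone(timezone.utc),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
        "raw": line.strip(),
    }


def summarize(log_text):
    """Group events by source IP: first/last seen (UTC), count, targets, short evidence."""
    groups = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # keep irrelevant or malformed lines out of the report
        g = groups.setdefault(ev["src"], {
            "first": ev["ts"], "last": ev["ts"], "count": 0,
            "targets": set(), "evidence": [],
        })
        g["first"] = min(g["first"], ev["ts"])
        g["last"] = max(g["last"], ev["ts"])
        g["count"] += 1
        g["targets"].add((ev["dst"], ev["dport"], ev["proto"]))
        if len(g["evidence"]) < MAX_EVIDENCE:
            g["evidence"].append(ev["raw"])
    return groups


def format_report(groups, contact):
    """Render a concise abuse report; every time carries an explicit UTC marker."""
    lines = [
        "All times are UTC, converted from the local log offset.",
        f"Direct contact for follow-up: {contact}",
        "",
    ]
    for src in sorted(groups):
        g = groups[src]
        lines.append(f"Source IP: {src}")
        lines.append(f"  First seen: {g['first'].isoformat()}")
        lines.append(f"  Last seen:  {g['last'].isoformat()}")
        lines.append(f"  Events:     {g['count']}")
        targets = ", ".join(f"{d}:{p}/{pr}" for d, p, pr in sorted(g["targets"]))
        lines.append(f"  Targets:    {targets}")
        lines.append(f"  Sample log lines (max {MAX_EVIDENCE}, local time as logged):")
        lines.extend(f"    {e}" for e in g["evidence"])
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # "abuse-contact@example.net" is a placeholder reporter address.
    print(format_report(summarize(SAMPLE_LOG), "abuse-contact@example.net"))
```

The report groups by source because, as the post notes, the remote host may itself be compromised or spoofed; a per-source summary with exact UTC bounds is what the receiving admin needs to match against their own records, while the evidence cap keeps the message from turning into the 5MB attachment that gets filed for later.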