[Dshield] Standard Reporting

Tony Earnshaw tonye at billy.demon.nl
Fri Mar 26 19:18:11 GMT 2004


Fri, 26.03.2004 at 03:36, Pete Cap wrote:

> In the interests of brevity, and getting replies and
> analysis done a lot sooner, might it not be a good
> idea to standardize the way in which people alert the
> list to (possibly) malicious activity?
> 
> I just want to avoid, if possible, the following:
> 
> User1: I'm seeing weird traffic, anyone else getting
> this?
> User2: What port?
> User1: xxx.
> User2: Is that tcp? or UDP?
> User3: What IDS solution recorded the data?
> User2: And can we please see some records?
> User1: Here you go.
> User4: Ok, can we get packet captures now?
> 
> etc. ad nauseam.
> 
> I have a basic idea but I'm open to suggestions...

MySQL used to have a mandatory report list for reporting this kind of
thing. One had to fill out a multitude of details before it would be
considered. Though since becoming an LDAP convert, I've little to do
with MySQL.

Basically I agree entirely. On other lists I refuse to answer any
questions without people having supplied at least:

OS, OS version, possibly Linux distro
Utility, utility version
configuration details
log details

_-Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
