RE: Subseven Scans; Standardized Reporting

From: Dial Joe (Joe.Dialat_private)
Date: Thu Aug 15 2002 - 06:40:37 PDT

  • Next message: H C: "Standardized Reporting"

    Hello,
    As a dedicated reader and occasional poster, I agree with all you both say,
    except for the quote copied below from Brooke.  MHO is that we encourage
    the use of a template and lead by example, but never "require" a specific
    format, or even content, as that will serve more to discourage than include
    some whose input may be useful.  In any case, H C (currently) provides
    excellent specific inquiries when the Original Poster may have left out
    some detail.
    
    Just my $0.02,
    Joe Dial
    
    |would have to be done in a specific template. This may make it 
    
    |-----Original Message-----
    |From: Brooke, O'neil (EXP) [mailto:o'neil.brookeat_private]
    |Sent: Wednesday, August 14, 2002 4:59 PM
    |To: 'H C'; Robert Buckley; 'Baribault, Gary'; grdnwsl; Rob Keown
    |Cc: incidentsat_private
    |Subject: RE: Subseven Scans; Standardized Reporting
    |
    |
    |[SNIP]
    |I am simply pointing out that on the lists,
    |when an incident like this occurs, very often we take
    |some steps, but don't go far enough.  In the long
    |wrong, going half way and speculating about the rest
    |of the issue is actually more harmful to the community
    |as a whole than simply ignoring the SYN packets in the
    |first place.
    |
    |All I'm suggesting is that if you're going to
    |investigate a situation, do so, but do so fully and
    |completely.  The reason I suggest this is b/c for the
    |most part, we (as a community) aren't all that good at
    |detecting and investigating incidents...let alone
    |reporting them. 
    |[SNIP]
    |
    |	Excellent point and a worthwhile objective HC. I have an idea
    |(certainly not original) to achieve these results on a 
    |sustained basis. I
    |picked up a book called Incident Response awhile ago and they had some
    |rudimentary incident checklists which were a great starting 
    |point and I went
    |on to develop my own template that was appropriate to my 
    |specific situation.
    |
    |
    |	What if we were to have a checklist for the incidents list? When
    |submitting a 'Are you experiencing this too?' or 'What is 
    |this?' message, it
    |would have to be done in a specific template. This may make it 
    |easier for
    |both posters and readers of this list. When composing a 
    |message I'm sure
    |people are thinking 'What information should be included?', 
    |'How much detail
    |should go into it?', 'Am I being to verbose?'. Readers are 
    |looking at this
    |information on the other hand in piecemeal fashion. As the investigator
    |gains additional detail, he'll post it, but not necessarily with the
    |original information, so now you have to remember this 
    |particular case, what
    |facts were already disclosed and the implication of this new 
    |information.
    |Whereas with a standardized incident response form plain 
    |language in the
    |header would explain the version change and the detail lines 
    |within the form
    |would simply contain the new information; all available 
    |information would be
    |available for subsequent reviews.
    |
    |	We will never stop people from making assumptions based 
    |on limited
    |information (nor should we in some cases in can be a critical 
    |skill) but
    |this may give us a metric for evaluating any of the assumptions made.
    |(simplistic example; only 10% of the template is filled out means
    |speculation may be prone to wild inaccuracies.)
    |
    |	I do not know if any generic incident response 
    |checklists exist in
    |the public domain, do you? Anyone feel like getting together 
    |and working on
    |one?
    |
    |O'Neil.
    |
    |---------------------------------------------------------------
    |-------------
    |This list is provided by the SecurityFocus ARIS analyzer service.
    |For more information on this free incident handling, management 
    |and tracking system please see: http://aris.securityfocus.com
    |
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Aug 15 2002 - 11:02:39 PDT