RE: Standardized Reporting

From: H C (keydet89at_private)
Date: Fri Aug 16 2002 - 07:00:59 PDT

  • Next message: David Hhn: "Re: [Whitehat] BIND scan from"

    > 	+ A generic report that can be used to document
    > virtually any
    > computer incident investigation.
    Good start.  Let's start w/ the document/format, b/c
    we may decide along the way that we need to define
    "incident".  For example, do several (many??) SYN
    packets dropped at the firewall constitute an
    "incident"?  Since many folks post inquiring as to the
    intent of the scan, I would suggest that such things
    are not, in fact, incidents. 
    > 	+ Document a methodical approach to the incident
    > investigation.
    By way of a checklist, I would suggest the following
    as a start:
    1.  Have the following tools on-hand:
    - handle.exe, pslist.exe, listdlls.exe (SysInternals)
    - fport.exe (Foundstone...2.0 for Win2K, v 1.3 for NT)
    - netstat (native)
    2.  Run these five tools, redirecting their output to
    3.  If you don't want to walk through the files by
    hand, mapping everything out, use pd.exe (zipped
    archive at to
    automate it into an HTML file.
    > 	+ Operating System specific sections. We could make
    > the form
    > operating system independant, but then we lose a
    > great opportunity for
    > providing newcomers a practicle how-to investigate
    > and incident.
    One of the biggest things missing when someone posts
    is the simple stuff...os, patches, applications,
    running processes/services, etc.  This information
    could be provided on a host basis w/o having to
    divulge private info, like IP addresses.
    Do You Yahoo!?
    HotJobs - Search Thousands of New Jobs
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Fri Aug 16 2002 - 09:09:43 PDT