Administrivia...

From: Dan Hanson (dhansonat_private)
Date: Tue Jul 08 2003 - 08:31:29 PDT


    Hi list.
    
    I have been doing some thinking over the last week, specifically over the
    increasing number of "I think my machine got owned, what do I do" or "My
    IDS told me that I have a trojan, how do I clean it" messages.
    
    In many cases, I will reject the messages with pointers to some of the
    securityfocus articles, SANS practicals, and "tool" sites (like
    sysinternals, nc, tcpdump, etc.) that I am aware of. In some cases, the
    poster responds with more information, but still not enough. In others,
    they simply repost what they posted the first time. Occasionally, if the
    description sounds like something possibly novel, I let it through the
    first time in interests of speed.
    
    In the interests of trying to increase the level of discussion on this
    list, I would like to minimize these posts. I thought that a weekly
    "Incidents-Basics FAQ" might be useful.
    
    As I see all the posts I reject, I think I have a pretty good idea of what
    would be helpful, but the community on this list gives the value;
    therefore I would like to open this up to everyone. Feel free to respond
    to the list, or me privately, with suggestions. What I am hoping to
    develop is some of the most common questions, the simple answers, and
    where to go for more information.
    
    The thing I would like to keep in mind is that many people thrust into
    a security response role from a standard admin role are unprepared, and
    don't even have a good idea of where to start. The goal of this FAQ is to
    give them a place to start.
    
    Thanks for the time.
    D
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 08:54:51 PDT