Does anyone know a good resource to refer to for reporting attacks?

jballay
Level 1

I'm really in search of the answers to a few questions. Thought I'd post it here and see what you have to say. Here goes......

What could you use from a 4210 in the way of log files to report malicious activity to abuse@whoever.com?

What do you have to do to the sensor to get it to generate logs? And at the same time keep them to a minimum so you don't break the sensor?

Also, what should you include/omit in your report to get someone's attention and cooperation?

Thanks for your help.

1 Reply

jekrauss
Level 1

1) To generate logs, enable logging on the logging tab on the sensor in CSPM. Once you push this configuration change out to the sensor, you will subsequently see the logging daemon running when you do an nrstatus. This information is essentially a text version of what you see in the event viewer.

2) You can also enable "ip logging" on specific signatures. This is essentially a hex dump of 15 minutes (by default) of all the traffic generated for a particular alarm from a particular source. So, if you know that you are receiving a particular attack, you can enable ip logging for that particular signature. The output from the ip logging can be viewed using a freeware sniffer program called "ethereal." CAUTION: Use ip logging judiciously! There is a tendency to enable it for a large number of signatures (hey, I don't want anyone attacking me anytime and if they do, I'm going to get the info and bust them!). If you enable it carelessly, you may end up collecting so many logs in a short period of time that the automated file archiving daemon (sapd) on the sensor can't keep up.

3) What the folks want at abuse@whatever.com may vary somewhat. You should be able to find out exactly what they want by asking them.

HTH

Jeff
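Jeff's point 3 leaves the content of the report to the abuse desk, but whatever they ask for, the facts they can act on are the same: the source address, UTC timestamps of first and last activity, the signatures that fired, event counts, and which of your hosts and ports were hit. The script below is an added example (not part of this thread and not Cisco's code) that turns sensor-style alert records into a per-source summary and renders one plain-text report. The tab-separated record layout, the sample lines, and the signature ids and names are all constructed for the example; they are not the native 4210 log format or the sensor's real signature catalog, and the contact address is a placeholder.

```python
"""Summarize IDS alert records per source address and render an abuse report.

The record layout used here is a constructed, simplified format:
  timestamp<TAB>sensor<TAB>sig_id<TAB>sig_name<TAB>src<TAB>sport<TAB>dst<TAB>dport
It is NOT the Cisco IDS 4210's native log format; adapt parse_alert()
to whatever your sensor actually writes.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Constructed sample alert lines (documentation IP ranges, made-up signature ids).
SAMPLE_LOG = """\
2001-03-04T02:15:11Z\tsensor1\t3030\tTCP SYN Host Sweep\t192.0.2.77\t4123\t198.51.100.10\t80
2001-03-04T02:15:12Z\tsensor1\t3030\tTCP SYN Host Sweep\t192.0.2.77\t4124\t198.51.100.11\t80
2001-03-04T02:15:13Z\tsensor1\t3030\tTCP SYN Host Sweep\t192.0.2.77\t4125\t198.51.100.12\t80
2001-03-04T02:40:02Z\tsensor1\t5081\tWWW WinNT cmd.exe access\t192.0.2.77\t5010\t198.51.100.10\t80
2001-03-04T03:01:45Z\tsensor1\t3030\tTCP SYN Host Sweep\t203.0.113.9\t2001\t198.51.100.20\t22
"""


def parse_alert(line):
    """Parse one tab-separated record into a dict; reject malformed lines loudly."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8:
        raise ValueError(f"malformed alert record: {line!r}")
    ts, sensor, sig_id, sig_name, src, sport, dst, dport = fields
    return {
        # Sensor timestamps are taken as UTC so the report is unambiguous to a remote abuse desk.
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "sensor": sensor,
        "sig_id": int(sig_id),
        "sig_name": sig_name,
        "src": ipaddress.ip_address(src),   # validates the address instead of trusting the string
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
    }


def summarize_by_source(log_text):
    """Group alerts by source address and reduce each group to report-ready facts."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        by_src[alert["src"]].append(alert)

    summaries = {}
    for src, alerts in by_src.items():
        alerts.sort(key=lambda a: a["time"])
        summaries[str(src)] = {
            "first_seen": alerts[0]["time"],
            "last_seen": alerts[-1]["time"],
            "event_count": len(alerts),
            "signatures": sorted({(a["sig_id"], a["sig_name"]) for a in alerts}),
            "targets": sorted({f'{a["dst"]}:{a["dport"]}' for a in alerts}),
        }
    return summaries


def format_report(summaries, src, reporter_contact, max_targets=5):
    """Render a plain-text abuse report for one source: concrete, time-stamped, and short.

    Only facts the abuse desk can verify and act on are included; raw excerpts
    and captures are offered on request rather than pasted in full.
    """
    s = summaries[src]
    fmt = "%Y-%m-%d %H:%M:%S UTC"
    targets = ", ".join(s["targets"][:max_targets])
    if len(s["targets"]) > max_targets:
        targets += f" (+{len(s['targets']) - max_targets} more)"
    lines = [
        f"Subject: Malicious activity from {src} ({s['event_count']} events)",
        "",
        f"Source address : {src}",
        f"First seen     : {s['first_seen'].strftime(fmt)}",
        f"Last seen      : {s['last_seen'].strftime(fmt)}",
        f"Event count    : {s['event_count']}",
        "Signatures     : " + "; ".join(f"{sid} {name}" for sid, name in s["signatures"]),
        f"Targets (host:port): {targets}",
        "",
        "Raw log excerpts and packet captures are available on request.",
        f"Contact: {reporter_contact}",   # placeholder contact, supplied by the caller
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize_by_source(SAMPLE_LOG)
    print(format_report(summary, "192.0.2.77", "abuse-contact@example.net"))
```

The summary keeps one entry per offending address, so each report goes to one abuse desk with one time window; the `max_targets` cap keeps the message readable when a sweep touched hundreds of hosts, which also addresses the "what to omit" part of the question without dropping anything the recipient would need to confirm the activity on their side.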
