====== Incident report guideline ======

The best way to report a problem is to send an e-mail to [[certs@cesnet.cz]] with a complete description of the problem. CESNET-CERTS members will handle the reported incident as soon as possible and will let you know once the problem, if confirmed, has been resolved. The reply from [[certs@cesnet.cz]] will be signed with our [[https://csirt.cesnet.cz/publickey.asc|PGP key]]; check the signature against that key before acting on the reply.

===== Basic rules for creating an incident report =====

  * The report should be a **plain-text e-mail**, with an attachment if necessary, so that log extracts and headers can be processed as text.
  * Only one **IP address** or **address block** per report, please.
  * The **Subject** should contain the **IP address** or **address block** and the **incident type** (spam, virus, scanning, DDoS, hacking, phishing, pharming, alleged misuse of copyrighted work, ...).
  * A **report about scanning** must contain a small log extract showing the problem, including:
    * timestamp, time zone and time accuracy (e.g. whether the logging host is NTP-synchronised)
    * source and destination IP addresses
    * source and destination ports
    * protocol used (TCP/UDP/ICMP)
  * A **report about spam or a virus** must contain a copy of the complete mail header of the allegedly infected or spamming e-mail. The header must not be altered in any way; forwarding the message as an attachment rather than inline preserves the original Received: lines, which are what we need to trace the source.
  * A **report about spam** (unsolicited commercial e-mail) should contain both the full mail header and the original body text.
  * A **report about an alleged misuse of copyrighted work** must contain the following details:
    * timestamp, time zone, and whether NTP is used
    * IP address where the copyrighted work is stored
    * services used to publish or share the copyrighted work (BitTorrent, FTP, ...)
    * type (name, ...) of the copyrighted work
  * A **report about phishing or pharming** should contain the URL and, if possible, the saved source of the web page.
  * Every report must contain your name and the name of your organization. For urgent matters please include your phone number.
  * A **report must be sent from a valid e-mail address**, otherwise we cannot reply or ask for missing details.
  * Please indicate whether the message is for information only or whether you expect an answer.

===== Basic incidents CESNET-CERTS deals with =====

Any offence against Czech law, e.g.:
  * threats to the physical safety of human beings,
  * compromise of restricted, confidential service accounts or software installations, in particular those with authorised access to confidential data,
  * denial-of-service attacks,
  * large-scale attacks of any kind, e.g. phishing campaigns, password-cracking attacks, virus and spam dissemination,
  * compromise of individual user accounts, i.e. unauthorised access to a user or service account,
  * alleged misuse of copyrighted work.

===== To report or not to report? =====

We do not expect everyone to be a computer security expert; that is the role of the CESNET-CERTS team. We do not even expect everyone to be able to properly recognise, classify and describe a security incident. So if you hesitate whether or not to report, **report it**. Any missing information will be asked for if necessary.

Thanks for your cooperation!

**The CESNET-CERTS Team**
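The scanning rules from the //Basic rules for creating an incident report// section above, applied in code. This is an added example and is not part of the CESNET-CERTS guideline or of any CESNET tool: it drafts one plain-text report per source address from constructed netfilter-style log lines, rejects lines whose timestamp carries no time zone (such a line is unusable as evidence), requires ports for TCP/UDP but not ICMP, and puts the address and the incident type in the Subject. The log format, the function names, the reporter details and the three-target threshold for calling activity "scanning" are assumptions made for illustration.

```python
"""Draft one scanning report per source address from firewall log lines.

Added example, not CESNET code. The log format and all names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log lines in a syslog/netfilter-like format (not real traffic).
# The last line deliberately lacks a UTC offset, which the reporting rules reject.
SAMPLE_LOG = """\
2024-03-04T10:15:01+01:00 fw1 kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=22
2024-03-04T10:15:02+01:00 fw1 kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.21 PROTO=TCP SPT=51235 DPT=22
2024-03-04T10:15:02+01:00 fw1 kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.22 PROTO=TCP SPT=51236 DPT=22
2024-03-04T10:16:40+01:00 fw1 kernel: IN=eth0 SRC=192.0.2.55 DST=198.51.100.20 PROTO=UDP SPT=40000 DPT=161
2024-03-04T10:17:00 fw1 kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.20 PROTO=TCP SPT=1 DPT=80
"""

# Hypothetical reporter details; the rules require name, organization and (for urgent cases) phone.
REPORTER = {"name": "Jane Doe", "org": "Example University NOC", "phone": "+420 000 000 000"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields a scanning report needs, or None if the line lacks any of them."""
    ts_str, _, rest = line.partition(" ")
    try:
        ts = datetime.fromisoformat(ts_str)
    except ValueError:
        return None
    if ts.tzinfo is None:  # time zone is mandatory: a naive timestamp cannot be correlated
        return None
    kv = dict(KV_RE.findall(rest))
    if not {"SRC", "DST", "PROTO"} <= set(kv):
        return None
    if kv["PROTO"] in ("TCP", "UDP") and not {"SPT", "DPT"} <= set(kv):
        return None  # ports are required for TCP/UDP; ICMP has none
    return {"ts": ts, "src": kv["SRC"], "dst": kv["DST"], "proto": kv["PROTO"],
            "spt": kv.get("SPT", "-"), "dpt": kv.get("DPT", "-")}


def group_by_source(log_text: str) -> Dict[str, List[dict]]:
    """Bucket usable lines by source address: one bucket becomes one report."""
    buckets: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            buckets[rec["src"]].append(rec)
    return dict(buckets)


def build_report(src: str, records: List[dict], reporter: dict, min_targets: int = 3) -> Optional[dict]:
    """Draft a plain-text e-mail for one source; None if the evidence is too thin to call it scanning."""
    targets = {(r["dst"], r["dpt"]) for r in records}
    if len(targets) < min_targets:
        return None
    extract = [f"{r['ts'].isoformat()} {r['src']}:{r['spt']} -> {r['dst']}:{r['dpt']} {r['proto']}"
               for r in sorted(records, key=lambda r: r["ts"])]
    body = "\n".join([
        f"Source {src} probed {len(targets)} distinct destination/port pairs on our network.",
        "Timestamps are ISO 8601 with UTC offset; the logging host is NTP-synchronised (assumed here).",
        "",
        "Log extract:",
        *extract,
        "",
        f"{reporter['name']}, {reporter['org']}",
        f"Phone: {reporter['phone']}",
        "This report expects an answer.",
    ])
    # Subject carries exactly one address plus the incident type, as the rules ask.
    return {"to": "certs@cesnet.cz", "subject": f"{src} - scanning", "body": body}


def draft_reports(log_text: str, reporter: dict = REPORTER) -> List[dict]:
    """All reports worth sending for the given log text, one per source address."""
    reports = []
    for src, recs in group_by_source(log_text).items():
        rep = build_report(src, recs, reporter)
        if rep:
            reports.append(rep)
    return reports


if __name__ == "__main__":
    for rep in draft_reports(SAMPLE_LOG):
        print(f"To: {rep['to']}\nSubject: {rep['subject']}\n\n{rep['body']}\n")
```

On the sample data only 203.0.113.7 yields a report: 192.0.2.55 touched a single destination/port pair and is dropped as insufficient evidence, and the 192.0.2.99 line is discarded because its timestamp has no time zone. Adjust the threshold and log regex to your own firewall's format; the point is that the mandatory fields are validated before a report is drafted, not after the CSIRT has to ask for them.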