Incident report guideline
The best way to report a problem is to send an e-mail to certs@cesnet.cz and include a complete description of the problem. CESNET-CERTS members will deal with the reported incident as soon as possible and will inform you that the problem, if any, has been solved and removed. You will receive a reply from certs@cesnet.cz and the e-mail will be signed by our PGP Key.
Basic rules for creating an incident report
A report must be sent from a valid e-mail address.
Please indicate whether the message is informative only or if you expect an answer.
Every report must contain your name and organization name. For urgent matters please include your phone number.
The report should be a simple text-based e-mail, with an attachment if necessary.
Only one network identifier (e.g., IP address or prefix) per report, please.
Use a clear, self-explanatory, and informative subject line that reflects the reported issue and allows for quick triage.
For each type of incident, we would appreciate the following information:
A report about scanning must contain a small extract from a log showing the problem, e.g.,
timestamp, time zone and time accuracy
source and destination IP addresses
source and destination ports
protocol used (TCP/UDP/ICMP).
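As an added illustration (not part of the CESNET-CERTS guideline), the following Python script turns constructed iptables-style firewall log lines into the kind of scanning extract requested above: it parses the source and destination addresses, ports and protocol, supplies the time zone and clock accuracy that syslog lines themselves omit, and refuses to build a report that mixes more than one source address. The log lines, host name and addresses are all constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed iptables-style syslog lines (sample data, not real traffic),
# as a firewall on the reporting side might log a port scan from one source.
SAMPLE_LOG = """\
Mar  3 14:02:11 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22
Mar  3 14:02:11 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=23
Mar  3 14:02:12 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.6 PROTO=UDP SPT=51236 DPT=161
Mar  3 14:02:12 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.6 PROTO=ICMP TYPE=8 CODE=0
"""

# Ports are optional because ICMP entries carry TYPE/CODE instead of SPT/DPT.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

@dataclass
class Event:
    timestamp: str
    src: str
    dst: str
    proto: str
    sport: str  # "-" when the protocol has no ports (ICMP)
    dport: str

def parse_events(log: str) -> list[Event]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(Event(m["ts"], m["src"], m["dst"], m["proto"],
                                m["spt"] or "-", m["dpt"] or "-"))
    return events

def build_scan_report(events: list[Event], year: int, tz: str, accuracy: str) -> str:
    """Render the log extract the guideline asks for. Syslog omits the year and
    the zone, so both are supplied explicitly together with the clock accuracy;
    the one-network-identifier-per-report rule is enforced on the source."""
    sources = {e.src for e in events}
    if len(sources) != 1:
        raise ValueError(f"one network identifier per report; got {sorted(sources)}")
    lines = [f"Reported source: {sources.pop()}",
             f"Time zone: {tz}; clock accuracy: {accuracy}",
             "timestamp              src              dst            proto  sport  dport"]
    for e in events:
        lines.append(f"{year} {e.timestamp}  {e.src:<16} {e.dst:<14} {e.proto:<6} {e.sport:<6} {e.dport}")
    return "\n".join(lines)
```

The rendered text can be pasted directly into the plain-text e-mail body the guideline asks for.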
A report about a virus or spam must contain a copy of the mail header of the allegedly infected or spamming e-mail. The header must not be altered in any way.
A report about spam (unsolicited commercial email) should contain both the full mail header and the original body text.
A report about an alleged misuse of copyrighted work must contain the following details:
timestamp, time zone, and whether NTP is used
IP address where the copyrighted work is stored
services used to publish or share the copyrighted work (BitTorrent, FTP, …)
type (name…) of copyrighted work
A report about phishing or pharming should contain the URL and, if possible, the source of the web page.
Basic incidents CESNET-CERTS deals with
Any offence against the Czech law, e.g.,
compromise of restricted confidential service accounts or software installations, in particular those with authorised access to confidential data,
denial of service attacks,
large-scale attacks of any kind, e.g., phishing attacks, password cracking attacks, virus and spam dissemination,
compromise of individual user accounts, i.e., unauthorised access to a user or service account,
alleged misuse of copyrighted work.
To report or not to report?
We do not expect everyone to be a computer security expert. That is the role of the CESNET-CERTS team.
We do not even expect everyone to be able to properly recognize, classify and describe a security incident. So if you are unsure whether or not to report something, report it. Any missing information will be requested if necessary.
Thanks for your cooperation!
The CESNET-CERTS Team