Incident report guideline

The best way to report a problem is to send an e-mail to certs@cesnet.cz and include a complete description of the problem. CESNET-CERTS members will deal with the reported incident as soon as possible and will inform you that the problem, if any, has been solved and removed. You will receive a reply from certs@cesnet.cz and the e-mail will be signed by our PGP Key.

• A report must be sent from a valid e-mail address.
• Please indicate whether the message is informative only or if you expect an answer.
• Every report must contain your name and organization name. For urgent matters please include your phone number.
• The report should be a simple text-based e-mail, with an attachment if necessary.
• Only one network identifier (e.g., IP address or prefix) per report, please.
• Use a clear, self-explanatory, and informative subject line that reflects the reported issue and allows for quick triage.

For each type of incident, we would appreciate the following information:

• A report about scanning must contain a small extract from a log showing the problem, e.g.,
  • timestamp, time zone and time accuracy
  • source and destination IP addresses
  • source and destination ports
  • protocol used (TCP/UDP/ICMP).
• A report about spam or virus must contain a copy of the mail header from the alleged infected or spamming e-mail. The header should not be changed in any way.
• A report about spam (unsolicited commercial email) should contain both the full mail header and the original body text.
• A report about an alleged misuse of copyrighted work must contain the following details:
  • timestamp, time zone, and whether NTP is used
  • IP address where the copyrighted work is stored
  • services used to publish or share the copyrighted work (BitTorrent, FTP, …)
  • type (name…) of copyrighted work
• A report about phishing or pharming should contain the URL and source of the web page if possible.

Any offence against the Czech law, e.g.,

• compromise of restricted confidential service accounts or software installations, in particular those with authorised access to confidential data,
• denial of service attacks,
• large-scale attacks of any kind, e.g., phishing attacks, password cracking attacks, virus and spam dissemination,
• compromise of individual user accounts, i.e., unauthorised access to a user or service account,
• alleged misuse of copyrighted work.

We do not expect everyone to be a computer security expert. That is a role of the CESNET-CERTS team.

We do not even expect everyone to be able to properly recognize, classify and describe a security incident. So if you hesitate whether to report or not to report, report it. Any missing information will be asked for if necessary.

Thanks for your cooperation!

The CESNET-CERTS Team