Handling an Incident
It's important to remember that reporting a security incident to the
right parties can mean a faster response to that incident. Follow these
steps:
- Obtain the source IP address (from the router or firewall logs
or from any intrusion detection software).
- Go to http://www.ripe.net/db/whois.html,
enter the IP address obtained in the first step in the query window and
press "search".
- If the IP address is correct, the result is composed of three parts:
  - Inetnum: This field provides information about the net block
    containing the IP address queried.
  - Route: This field provides information on the organization
    providing the transit routing service for this IP block.
  - Person: This field provides information about the contact person
    in the organization that owns the IP block.
- E-mail the person listed in the Person field and be sure to include
the IP address and the exact timestamp of the incident. Only
the owner of the IP block can identify the user(s) using the offending
IP address at the time of the incident (e.g. using access logs).
Therefore, sending the information to the e-mail addresses listed in the
Inetnum and Route fields is useless.
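
The steps above, sketched as an added example that is not part of the original page: it parses a whois response in the RIPE text layout, takes the contact only from the person object, and drafts a report carrying the IP address and exact timestamp. The sample response, the names and the addresses are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the RIPE whois text layout (documentation address space).
SAMPLE = """\
% Constructed sample response, not real registry data

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        EX1-TEST

person:         Example Admin
e-mail:         admin@example.net
nic-hdl:        EX1-TEST

route:          192.0.2.0/24
origin:         AS64500
"""

def parse_objects(text):
    """Split a whois response into objects, keyed by their first attribute."""
    objects = {}
    for block in text.split("\n\n"):
        attrs = []
        for line in block.splitlines():
            # Skip server comments, continuation lines and anything without a key.
            if line.startswith(("%", " ", "\t", "+")) or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.append((key.strip().lower(), value.strip()))
        if attrs:
            objects.setdefault(attrs[0][0], []).append(attrs)
    return objects

def person_contacts(objects):
    """Return e-mail addresses from person objects only, not inetnum or route."""
    return [v for obj in objects.get("person", []) for k, v in obj if k == "e-mail"]

def build_report(ip, when, objects):
    """Return (recipients, body); the body states the IP and the exact UTC time."""
    to = person_contacts(objects)
    if not to:
        raise ValueError("no person e-mail in whois response")
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a time zone to be exact")
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return to, f"Source IP: {ip}\nTime of incident: {stamp}\n"
```
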