The Incident Example Set, draft 1.0

Introduction

This set of example incident reports has either been made up, inspired by real-life incident reports, or been taken from real life and anonymized. These incident reports are only to be used for testing purposes.

Incident exampleset

Identifier                     Subject
1.1-bombthreat-example         Bomb threat mail. please help
1.2-false-sender-example       False sender of email (MYUNI#22)
1.3-hatemail-example           Hateful mail received from one of your users/subscribers
2.1-open-relay-example         Spam trouble (10.1.1.3) LOWEST PRICES ON CELLULAR ACCESSORIES 783297
2.2-open-relay-example         Re: One of your users is sending SPAM!
3.1-virus-example              Attack(s) from your network (source address: 10.1.1.1).
3.2-virus-example              10.1.1.2 - Code Red Virus detected
3.3-virus-example              virusmail
4.1-codered-nimda              CodeRedII and Nimda Attack from Originating_Country [incidentID#666]
5.1-dos-example                DoS (flooding) against our network from 10.30.145.0/24
5.2-ftp-dos-example            Denial of service attack from Originating_Country [ourcustomer#36891]
5.3-dos-example                unknown ICMP packets
5.4-icmp-dos-example           ICMP dos traffic
6.1-root-compromise-example    Root comrpromise from your network [OtherCERT #00000000]
7.1-portscan-example           Suspicious Activity From 10.0.0.200
7.2-portscan-example           EaStMAN probed from host: 10.0.0.1 (OUR_CONSTITUENCY IP)
7.3-portscan-example           ABUSE!

Contributions

If you would like to add to this set of example reports, please mail them to jan.meijer@surfnet.nl, and take these guidelines into consideration:

I would favour original incident reports, as those are what we would all be using to create an incident description object. As probably no one can release the original origin/victim names, IP numbers or hostnames, these would be anonymized.

For readability of the examples, however, it is impractical to anonymize them with x.x.x.x or x@x.x, so I would like to suggest using the private address space 10.0.0.0 - 10.255.255.255 (10/8 prefix) for attackers, 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) for victims, and 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) for intermediate hosts. This should cover most possibilities and keep the examples readable.

If you have any incidents where the private addresses are an essential part of the incident itself, please mention this in the example.

Email addresses are easily standardized using the form xxx.yyy@mydomain.dom.

Please send the reports in English, with full message headers.
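As an added illustration of the address convention above (not part of the original set), the following script audits a report before submission: it classifies every IPv4 address or prefix by the role its range implies and flags anything outside the three private ranges as still unanonymized. The sample report and the address 203.0.113.9 (a documentation range standing in for a real origin) are constructed for the example.

```python
import ipaddress
import re

# Role mapping from the guidelines: 10/8 attackers, 172.16/12 victims,
# 192.168/16 intermediate hosts.
ROLE_RANGES = {
    "attacker": ipaddress.ip_network("10.0.0.0/8"),
    "victim": ipaddress.ip_network("172.16.0.0/12"),
    "intermediate": ipaddress.ip_network("192.168.0.0/16"),
}

# Dotted-quad IPv4 addresses, optionally with a /prefix (e.g. 10.30.145.0/24).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")


def classify(token):
    """Map one address or CIDR token to its role; anything outside the
    private ranges is 'unanonymized'; invalid dotted tokens give None."""
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None  # e.g. an octet above 255: not an address at all
    for role, rng in ROLE_RANGES.items():
        if net.subnet_of(rng):
            return role
    return "unanonymized"


def audit_report(text):
    """Group every address in a report by role, preserving first-seen order."""
    roles = {"attacker": [], "victim": [], "intermediate": [], "unanonymized": []}
    for token in IPV4_RE.findall(text):
        role = classify(token)
        if role is not None and token not in roles[role]:
            roles[role].append(token)
    return roles


def is_anonymized(text):
    """True when no address falls outside the three private ranges."""
    return not audit_report(text)["unanonymized"]


# Constructed sample report; 203.0.113.9 stands in for a real, unscrubbed source.
SAMPLE_REPORT = """\
Subject: DoS (flooding) against our network from 10.30.145.0/24
Our server 172.16.5.20 was flooded via relay 192.168.0.7.
A second source, 203.0.113.9, also appeared in the logs.
"""

if __name__ == "__main__":
    for role, addrs in audit_report(SAMPLE_REPORT).items():
        print(f"{role:13s} {addrs}")
```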

Acknowledgements

These people have contributed to the set of incident examples: