What merits reporting?

To kick things off, I'd like to introduce a question that I posed in a reply to Sven in the ShieldsUp! newsgroup:


Now, the 'to wherever' is important. What kind of log events should you report to your own ISP? What kind to ISPs (other than your own) of the suspected intruder? What kind to some centralized reporting authority? And finally, what kind of firewall log events are so puzzling that you should ask for assistance in interpreting them? (Like, say, at Shields Up! or comp.security.firewalls.)

I have some thoughts of my own on this subject, but I thought it might be best to get some responses from others first.

I think this would be a subject well worth discussing. In developing a database of log events, users need to be able to decide when something becomes 'serious enough' to report.

Actually, I think this would be used to flesh out a 'Help' topic on the subject for any application that results from this project.

-- Anonymous, August 24, 2000

