Reports of likely intruder use of your machine

• Level of certainty
  • reports about the observed state of your machine
    • contents of your web server or ftp server
    • response to a finger connection
    • response to a systat or netstat connection
  • logs showing completed TCP connections
  • other logs, such as ones showing UDP traffic
  • reports without evidence or without specificity
• Level of credibility
  • sent by a recognized incident-response team
  • sent by an administrator of a large site
  • are there multiple independent reports?
  • could the evidence be created by DNS spoofing?