A couple of questions

Hello everyone,

We are thinking about using RTIR as our primary tool in our everyday work of
tracking and solving security incidents. We have been testing and
experimenting with it for a while to see if it fits our needs, but to get a
clearer picture of its capabilities - as we shall need some modification and
customization and nobody here is exactly a perl guru - we have a couple of
questions that we hope a kind soul on this list will try to answer.
Here they are:

  • how do we adjust RTIR to make queries to different custom databases
    instead of the default whois querying?
  • how do we issue an autoreply to the person who reported the incident, but
    on creation of a new incident or on linking the report to an existing incident?
  • how do we fetch values stored in custom fields that are related to a
    particular incident?
  • how do we specify which template to use based on the type of incident or
    on the desired language of the reply?
  • how do we automate sending reminders after the involved party’s response
    time has expired?
  • how do we search existing incident reports and incidents by specific
    information stored in custom fields?

Thanks in advance and regards,
Natasa Glavor
CARNet CERT, www.CERT.hr

Natasa Glavor wrote:

Here they are:

  • how do we adjust RTIR to make queries to different custom databases
    instead of the default whois querying?

Hi Natasa,

We solved this by setting up our own simple whois server (or you might
call it a whois wrapper). The whois protocol is really simple: connect
to the server, send a single line query (usually an IP address) and read
back the response. If it is run from inetd.conf, you read from stdin and
write results to stdout, so it doesn’t need any networking stuff.

For instance, you create a simple perl script:

#!/usr/bin/perl
use strict;
use warnings;

# inetd hands us the client socket as stdin/stdout: one query line,
# CRLF-terminated per the whois protocol.
my $request = <STDIN>;
exit 0 unless defined $request;
$request =~ s/\r?\n\z//;
# Accept only legitimate query characters; a leading '-' would
# otherwise be parsed by whois(1) as an option such as -h.
exit 0 unless $request =~ m{^[A-Za-z0-9][A-Za-z0-9._:/-]*$};

if ($request =~ /… some pattern …/) {
    # Based on value in query string, you can decide whether to query
    # any locally available information.
}

# List-form system() bypasses the shell, so no command injection.
system("whois", $request);

If you name this script for instance “whois_wrapper”, put the following
(or modify) in /etc/inetd.conf:

nicname stream tcp nowait root /usr/local/bin/whois_wrapper whois_wrapper

You can of course extend the perl script to perform all kinds of local
magic information digging. For instance, we check whether the IP is in
our constituency and then access MySQL databases via perl DBI module to
gather detailed information on our customer.

Hope this helps,
Gorazd

Gorazd Bozic gorazd.bozic@arnes.si
ARNES SI-CERT, Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 22, fax: +386 1 479 88 99
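The inetd-style wrapper Gorazd describes, as an added example that is not part of the original post. It is written in Python rather than Perl, but does the same thing: read one CRLF-terminated query line from stdin, answer from a local constituency database when the address is ours, otherwise pass the query to an upstream whois server over plain RFC 3912 and relay the answer. The constituency prefixes, the local records and the default upstream host are constructed sample data, and the function names are my own.

```python
#!/usr/bin/env python3
"""Added example (not from the original thread): an inetd-style whois
wrapper. CONSTITUENCY and LOCAL_RECORDS are constructed sample data
standing in for the MySQL customer database the post mentions."""
import ipaddress
import re
import socket
import sys

# Constructed: documentation prefixes used as a pretend constituency.
CONSTITUENCY = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8::/32")]
LOCAL_RECORDS = {
    ipaddress.ip_network("192.0.2.0/26"): {
        "org": "Example University", "abuse": "abuse@example.edu"},
    ipaddress.ip_network("2001:db8:1::/48"): {
        "org": "Example Hospital", "abuse": "abuse@example.org"},
}
# A whois query is an address, prefix, handle or domain; anything else
# (shell metacharacters, a leading '-' option) is refused outright.
QUERY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:/-]{0,254}$")


def parse_query(line):
    """Strip the CRLF and reject anything that is not a plausible query."""
    q = line.rstrip("\r\n")
    return q if QUERY_RE.match(q) else None


def local_lookup(q):
    """Most specific local record covering q, as (network, record), or None."""
    try:
        addr = ipaddress.ip_address(q)
    except ValueError:
        return None                       # not an IP: handles/domains go upstream
    if not any(addr in net for net in CONSTITUENCY):
        return None
    matches = [net for net in LOCAL_RECORDS if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return best, LOCAL_RECORDS[best]


def upstream_whois(q, host="whois.ripe.net", port=43, timeout=10):
    """Plain RFC 3912 client: send one CRLF-terminated line, read to EOF."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(q.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def handle(line, upstream=upstream_whois):
    """Full response text for one query line (upstream is injectable for tests)."""
    q = parse_query(line)
    if q is None:
        return "% Invalid query\r\n"
    hit = local_lookup(q)
    if hit is None:
        return upstream(q)
    net, rec = hit
    return ("% Source: local constituency database\r\n"
            f"inetnum:  {net}\r\n"
            f"org-name: {rec['org']}\r\n"
            f"abuse-c:  {rec['abuse']}\r\n")


if __name__ == "__main__":
    # Under inetd the client socket is stdin/stdout: one query per connection.
    sys.stdout.write(handle(sys.stdin.readline()))
    sys.stdout.flush()
```

Installed under inetd the same way as the Perl wrapper, the user field in the inetd.conf entry can be an unprivileged account; nothing the wrapper does needs root, and the input it reads comes straight from whoever connects to port 43.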

Hello,

Gorazd Bozic wrote:

Natasa Glavor wrote:

  • how do we adjust RTIR to make queries to different custom databases
    instead of the default whois querying?
    […]
    We solved this by setting up our own simple whois server (or you might
    call it a whois wrapper). The whois protocol is really simple: connect
    to the server, send a single line query (usually an IP address) and read
    back the response. If it is run from inetd.conf, you read from stdin and
    write results to stdout, so it doesn’t need any networking stuff.

we have actually gone one step farther, as we have more than one internal
query system. We are running the Geek-Tools proxy locally, as well as
some additional whois-like services. Now, with RTIR’s "Lookup.html"
tools, you can only have one whois service per system as there is no
possibility to query the service on another port (than 43/tcp).

We have modified Lookup.html to allow the “whois” variable to not only
hold server names, but “name:port”. Further, since no one can remember
what runs on port 43 and what on port 4321, we have added a second
variable holding the “beautified” names of the services. Here is what
you need to add:

in /opt/rt3/etc/RT_SiteConfig.pm
Set($whois, {2 => "localhost",
             1 => "localhost:4321"
} );

Set($bwhois, {2 => "GT-Whois",
              1 => "Internal Lookup"
} );

and the diff:
*** /opt/rt3/share/html/RTIR/Tools/Lookup.html
— /opt/rt3/local/html/RTIR/Tools/Lookup.html
*** 84,91 ****
— 84,95 ----
% if ($servers->{$s} eq $server) {
% $selected = " SELECTED";
% }

  • % if (exists($beauties->{$s})) {
  •     <option 
    

value="<%$servers->{$s}%>"<%$selected%>><%$beauties->{$s}%>

  • % } else {
    <option
    value="<%$servers->{$s}%>"<%$selected%>><%$servers->{$s}%>
    % }

  • % }
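Review bot: the two branches in this hunk differ only in the option label, so the duplicated `<option value="<%$servers->{$s}%>"<%$selected%>>` line is a maintenance trap; compute the label once (`my $label = exists $beauties->{$s} ? $beauties->{$s} : $servers->{$s};`) and emit a single `<option>`. It would also help to state, here or beside the `$bwhois` config, that the map is optional: when it is unset `$beauties` is undef, `exists($beauties->{$s})` autovivifies it to an empty hash, and the menu quietly falls back to the raw server strings, which is the intended degradation but is not obvious from the template.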



    *** 142,149 ****
    last;
    }

    use Net::Whois::RIPE;
    ! my $query = Net::Whois::RIPE->new($server);
    my ($iterator, $error);
    if ($query) {
    $iterator = $query->query_iterator($q);
    — 146,159 ----
    last;
    }

  • $beauty = ( exists($beauties->{ ({ reverse %$servers }->{$server}) })

  •   ? $beauties->{ ({ reverse %$servers }->{$server}) } ." (". 
    

$server .")"

  •   : $server );
    
    use Net::Whois::RIPE;
    ! my ($whois, $port) = split(/\s*:\s*/, $server, 2);
    ! $port = 43 unless($port =~ /^\d+$/);
    ! my $query = Net::Whois::RIPE->new($whois, Port => $port);
    my ($iterator, $error);
    if ($query) {
    $iterator = $query->query_iterator($q);
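Review bot: `! $port = 43 unless($port =~ /^\d+$/);` matches against an undefined `$port` for every entry without a `:port` suffix (the `2 => "localhost"` entry in the posted config), which emits an "uninitialized value" warning under `use warnings`; write `unless (defined $port && $port =~ /^\d+$/)` and consider bounding the value to 1..65535. The `split(/\s*:\s*/, $server, 2)` above it also mis-parses a bare IPv6 literal, whose first colon becomes the separator; either document that servers must be hostnames or accept a `[addr]:port` form. Finally, `{ reverse %$servers }` is built twice to map the value back to its id and silently picks one winner if two ids share a host:port; build the reverse map once and note the uniqueness assumption.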
    *** 160,166 ****
    $session{‘tickets’} = RT::Tickets->new( $session{‘CurrentUser’} );
    }

! my $title = “Lookup $q using server $server”;
my $ticketcount;
$session{‘i’}++;
if ($session{‘tickets’}) {
— 170,176 ----
$session{‘tickets’} = RT::Tickets->new( $session{‘CurrentUser’} );
}

! my $title = “Lookup $q using server $beauty”;
my $ticketcount;
$session{‘i’}++;
if ($session{‘tickets’}) {
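Review bot: only the title label changes here, which is fine, but `$beauty` says nothing about what it holds; `$server_label` would read better in both this hunk and the one above. The title still embeds the request-supplied `$q` exactly as it did before the patch, so whatever escaping the title rendering applies is unaffected by this change.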
*** 194,199 ****
— 204,211 ----
<%args>
$servers => $RT::whois
$server => undef

  • $beauties => $RT::bwhois
  • $beauty => undef
    $handparse => 1
    $q => undef
    $type => undef
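Review bot: `$beauty => undef` turns a purely internal value into a component argument, so a `beauty=` request parameter would initialize it; it is overwritten unconditionally in the earlier hunk, so nothing is exploitable, but it belongs in a `my` declaration in `<%init>` rather than in `<%args>`. `$bwhois` as the RT_SiteConfig name is opaque next to `$whois`; something like `$whois_labels` would make the pairing obvious if this goes into RTIR proper.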

As usual, these changes are subject to Version 2 of the GNU General
Public License. Proper reference if this makes it into the RTIR source
would be appreciated ;-)

Best regards,

Ruediger Riediger

Dr. Ruediger Riediger Sun Microsystems GmbH
NSG - SunCERT Komturstr. 18a
mailto:Ruediger.Riediger@Sun.com D-12099 Berlin
NOTICE: This email message is for the sole use of the intended
recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution is prohibited.
If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.
PGP 2048RSA/0x2C5020E9 964C E189 0FF0 8882 2BAB 65E2 6912 1FF2
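The patch above resolves the selected server by splitting the configured value on its first colon. As an added example that is not code from the patch or from RTIR, here is the same resolution done in Python (the language used for the earlier example on this page) including the cases the two-way split does not cover: a bare IPv6 literal, a bracketed `[addr]:port` form, and a non-numeric or out-of-range port. The SERVERS and LABELS tables mirror the shape of the posted `$whois` and `$bwhois` hashes but are constructed sample data, and the function names are my own.

```python
"""Added example, not code from the patch or from RTIR: parsing the
"host", "host:port" and "[ipv6]:port" server values from RT_SiteConfig.pm
and mapping a submitted value back to its display name. SERVERS and
LABELS are constructed sample data; the function names are hypothetical."""
import ipaddress

DEFAULT_PORT = 43  # whois, per RFC 3912

# Same shape as $whois and $bwhois in the post: id => spec, id => label.
SERVERS = {2: "localhost", 1: "localhost:4321", 3: "[2001:db8::43]:4343"}
LABELS = {2: "GT-Whois", 1: "Internal Lookup"}


def parse_server(spec):
    """Return (host, port) for a config value.

    A bare IPv6 literal is kept whole instead of being cut at its first
    colon, which is what a naive split(/:/, $spec, 2) would do.
    """
    spec = spec.strip()
    if spec.startswith("["):                       # [addr]:port form
        host, closed, rest = spec[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed host: {spec!r}")
        ipaddress.IPv6Address(host)                # raises if not IPv6
        port_str = rest[1:]
    else:
        try:
            ipaddress.IPv6Address(spec)
            return spec, DEFAULT_PORT              # bare IPv6 literal
        except ValueError:
            pass
        host, _, port_str = spec.partition(":")
    if not host:
        raise ValueError(f"empty host in {spec!r}")
    if port_str == "":
        return host, DEFAULT_PORT
    if not port_str.isdecimal() or not 1 <= int(port_str) <= 65535:
        raise ValueError(f"bad port in {spec!r}")
    return host, int(port_str)


def is_valid_server(spec):
    """True when parse_server() accepts spec (useful as a config check)."""
    try:
        parse_server(spec)
        return True
    except ValueError:
        return False


def resolve(selected, servers=SERVERS, labels=LABELS):
    """Map the submitted form value back to (host, port, label).

    Only values present in the configured list are accepted, so a crafted
    form value cannot redirect the lookup to an arbitrary host.
    """
    ids = [sid for sid, spec in servers.items() if spec == selected]
    if not ids:
        raise KeyError(f"server not configured: {selected!r}")
    sid = ids[0]                                   # assumes specs are unique
    host, port = parse_server(selected)
    label = f"{labels[sid]} ({selected})" if sid in labels else selected
    return host, port, label
```

Rejecting a value that is not in the configured list is the check worth keeping whatever language the lookup page is written in: the server string arrives as a form field, and the port-bearing form now lets it name any host and port.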

Hello,

Gorazd Bozic wrote:

Natasa Glavor wrote:

  • how do we adjust RTIR to make queries to different custom databases
    instead of the default whois querying?
    […]
    We solved this by setting up our own simple whois server (or you
    might call it a whois wrapper). The whois protocol is really simple:
    connect to the server, send a single line query (usually an IP
    address) and read back the response. If it is run from inetd.conf,
    you read from stdin and write results to stdout, so it doesn’t need
    any networking stuff.

we have actually gone one step farther, as we have more than one
internal query system. We are running the Geek-Tools proxy locally, as
well as some additional whois-like services. Now, with RTIR’s
"Lookup.html" tools, you can only have one whois service per system as
there is no possibility to query the service on another port (than
43/tcp).

We have modified Lookup.html to allow the “whois” variable to not only
hold server names, but “name:port”. Further, since no one can remember
what runs on port 43 and what on port 4321, we have added a second
variable holding the “beautified” names of the services.

Do you have any objection to us rolling this patch or a variant into
the core of RTIR?

Best,
Jesse

I really like this idea as well, thanks for the input everyone.
Andy B

From: rtir-bounces@lists.bestpractical.com
[mailto:rtir-bounces@lists.bestpractical.com] On Behalf Of Jesse Vincent
Sent: 16 September 2004 17:23
To: Ruediger Riediger
Cc: rtir@lists.bestpractical.com
Subject: Re: [Rtir] A couple of questions

Jesse Vincent wrote:

Do you have any objection to us rolling this patch or a variant into the
core of RTIR?

not at all, go ahead.

Best regards,

Ruediger Riediger
