Morning,
Thank you for your comments and explanations.
I thought the arguments were something like:
IP= 1.2.3.1, 1.2.3.2, 1.2.3.3, 1.2.3.4
IP= 2.2.3.1, 2.2.3.2, 2.2.3.3, 2.2.3.4
IP= 3.2.3.1, 3.2.3.2, 3.2.3.3, 3.2.3.4
and etc…
and the same for ADDR.
I’ve tried all the options before the mail, to use the arguments like
variables or separators…
(However, I think the way used to explain the tool’s usage isn’t very clear;
I thought IP indicated a different feature, something silly :))
Thanks,
Marc

From: John Green [mailto:j.green@ukerna.ac.uk]
Sent: Thursday, 11 March 2004 11:54
To: Marc Boix
CC: rtir@lists.bestpractical.com
Subject: Re: [Rtir] Questions about the Scripted Actions in Tools
Marc Boix wrote:
> Hello guys,
> I’m learning about RTIR features to understand the whole of it (I’m
> learning English too… :P)
> I have problems understanding the ADDR and IP parameters in
> Tools->Scripted Action.
> Does somebody know what it was made for, and how to use it?
It was made to cope with the “list of 100 machines compromised with
XYZ”. Paste in the list of IPs and it will look up the correct email
address, create an incident and investigation for each IP and send off a
preformatted email.
> Besides, I can’t use the By IP address Scrip; it always returns
> ADDRESS_UNKNOWN.
It works for me. It is only of real benefit when you run an internal
whois server containing your customers’ contact data (with the same key).
Contact field should be the key (without ‘:’). Pressing “Test” should
show you what email address each IP maps to.
> I have the WHOIS server configured correctly, because I can use traceroute
> and whois without problems.
> Normally I try with Contact Field = Email (because this field is the field
> we want to know from the Whois server, isn’t it?)
That should work. Internally we use “cert-mail” as a key and it works
fine. A more complex algorithm may be needed if you are using RIPE
directly or you will need some sort of local preparser (geektools or
cyberabuse for example).
Cheers
John
JANET-CERT
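
The lookup discussed in this thread (paste a list of IPs, read the Contact Field key out of each whois reply, group the IPs per contact address) can be sketched as below. This is an added example, not RTIR's code and not part of the original mails; the whois replies are constructed, and the function names, the case-insensitive key match and the tolerance for a trailing ':' are assumptions of the example.

```python
import ipaddress
import re

ADDRESS_UNKNOWN = "ADDRESS_UNKNOWN"  # result string quoted in the thread

# Constructed whois replies for documentation-range addresses (not real data).
SAMPLE_WHOIS = {
    "192.0.2.10": "inetnum: 192.0.2.0 - 192.0.2.255\ncert-mail: abuse@site-a.example\n",
    "192.0.2.11": "inetnum: 192.0.2.0 - 192.0.2.255\ncert-mail: abuse@site-a.example\n",
    "198.51.100.7": "% constructed record without a cert-mail attribute\n"
                    "inetnum: 198.51.100.0 - 198.51.100.255\ne-mail: noc@site-b.example\n",
}

def parse_ip_list(pasted):
    """Split pasted text on commas/whitespace; keep valid, unique IPs in order."""
    seen, ips = set(), []
    for token in re.split(r"[,\s]+", pasted.strip()):
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            continue  # skip empty tokens and anything that is not an address
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips

def contact_for(whois_text, contact_field):
    """Return the value of the first '<contact_field>:' attribute, if any."""
    key = contact_field.strip().rstrip(":").lower()  # assumption: ignore case and ':'
    for line in whois_text.splitlines():
        if line.startswith(("%", "#")):
            continue  # whois comment lines
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == key and value.strip():
            return value.strip()
    return ADDRESS_UNKNOWN

def group_by_contact(pasted, contact_field, lookup=lambda ip: SAMPLE_WHOIS.get(ip, "")):
    """Map each contact address to the IPs it is responsible for."""
    groups = {}
    for ip in parse_ip_list(pasted):
        groups.setdefault(contact_for(lookup(ip), contact_field), []).append(ip)
    return groups

if __name__ == "__main__":
    pasted = "192.0.2.10, 192.0.2.11\n198.51.100.7 203.0.113.5 not-an-ip"
    for field in ("cert-mail", "Email"):
        print(field, group_by_contact(pasted, field))
```

With the constructed records, the key "cert-mail" resolves the first two addresses, while a field name that does not appear as an attribute in the replies yields ADDRESS_UNKNOWN for every IP.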