Having multiple queues in RTIR?

Hello,

I am new to this list. Currently I am implementing RTIR for a large
company in Europe with 11 different abuse desks. In RT I can define 11
abuse queues, but in RTIR I only have the queues Blocks, Incidents,
Incident reports and Investigation. Is it possible to have, e.g., multiple
Incident queues?

Furthermore, I was wondering if it’s possible to have sub-queues, or
queries within a queue, so that I can create some sort of tree structure
within RTIR:

|- abusedesk NL
| |-scan
| |-spam
| |-other
|- abusedesk AT
| |-scan
| |-spam
| |-other
.

Anybody who could give me some advice on this one? Thanks in advance.

Regards,

Marcel Swinkels
chello abuse
UPC Nederland
mswinkels@upc.nl


Are you just looking for more categorization or do the different abuse
desks need different access controls?
If you just need categorization, RT’s custom fields may be an answer.
If you need the access control, plain-vanilla RTIR may not be what you
need.
We designed RTIR for JANET CERT in a way that we hoped would be useful
to a large number of incident response teams, but I know that it’s not
ideal for everyone. If you’re interested in more serious customization
to make RTIR fit your needs, it’s something that we at Best Practical
would be happy to talk with you about.

Best,
Jesse

Hello guys,

I’m learning about RTIR features to understand the whole of it (I’m learning
English too… :P)

I have problems understanding the ADDR and IP parameters in
Tools->Scripted Action.
Does somebody know what it was made for, and how to use it?
Or have I misunderstood the idea, and it is only an explanation that is not
very clear?

Besides, I can’t use the By IP address Scrip; it always returns
ADDRESS_UNKNOWN.
I have the WHOIS server configured correctly, because I can use traceroute
and whois without problems.
Normally I try with Contact Field = Email (because this field is the field
we want to know from the Whois server, isn’t it?)

The rest of RTIR runs perfectly. Is this a known RTIR problem? A
configuration problem? I can’t find anything about it on the RTIR user list
or by googling.

Thanks!!
Marc

P.S. Jesse, now I’m on the right list! :)

Marc Boix wrote:

Hello guys,

I’m learning about RTIR features to understand the whole of it (I’m learning
English too… :P)

I have problems understanding the ADDR and IP parameters in
Tools->Scripted Action.
Does somebody know what it was made for, and how to use it?

It was made to cope with the “list of 100 machines compromised with
XYZ”. Paste in the list of IPs and it will look up the correct email
address, create an incident and investigation for each IP and send off a
preformatted email.

Besides, I can’t use the By IP address Scrip; it always returns
ADDRESS_UNKNOWN.

It works for me. It is only of real benefit when you run an internal
whois server containing your customers’ contact data (with the same key).

Contact field should be the key (without ‘:’). Pressing “Test” should
show you what email address each IP maps to.

I have the WHOIS server configured correctly, because I can use traceroute
and whois without problems.
Normally I try with Contact Field = Email (because this field is the field
we want to know from the Whois server, isn’t it?)

That should work. Internally we use “cert-mail” as a key and it works
fine. A more complex algorithm may be needed if you are using RIPE
directly, or you will need some sort of local preparser (geektools or
cyberabuse for example).

Cheers
John
JANET-CERT
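The lookup John describes, as an added illustration that is not RTIR's own code: a pasted list of IPs is mapped to contact addresses by reading one key (given without the colon, e.g. "cert-mail") out of each whois response, and an IP whose response lacks the key comes back as ADDRESS_UNKNOWN. The whois responses and the `whois_lookup` callback are constructed stand-ins for an internal whois server; the "invalid" bucket for non-IP tokens is an addition of this example.

```python
import ipaddress
import re

ADDRESS_UNKNOWN = "ADDRESS_UNKNOWN"

# Constructed whois responses keyed by IP, standing in for an internal whois server
# that carries customer contact data under a "cert-mail" key (as JANET-CERT does).
SAMPLE_WHOIS = {
    "192.0.2.10": "inetnum:   192.0.2.0 - 192.0.2.255\nnetname:   CUST-A\ncert-mail: abuse-a@example.net\n",
    "192.0.2.77": "inetnum:   192.0.2.0 - 192.0.2.255\nnetname:   CUST-A\ncert-mail: abuse-a@example.net\n",
    "198.51.100.5": "inetnum:   198.51.100.0 - 198.51.100.255\nnetname:   CUST-B\n"
                    "cert-mail: abuse-b@example.org\nabuse-mailbox: abuse@example.org\n",
    "203.0.113.9": "inetnum:   203.0.113.0 - 203.0.113.255\nnetname:   NO-CONTACT\n",
}

MAILBOX = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def lookup_contact(whois_text, contact_field):
    """Value of the `contact_field` key in a whois response, or ADDRESS_UNKNOWN.
    The key is given without the trailing colon, as the RTIR form expects; matching
    is case-insensitive and only a value that looks like a mailbox is accepted."""
    key = contact_field.rstrip(":").strip().lower()
    for line in whois_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == key and MAILBOX.fullmatch(value.strip()):
            return value.strip()
    return ADDRESS_UNKNOWN


def map_ips(ip_list_text, contact_field, whois_lookup):
    """Group a pasted list of IPs (whitespace or comma separated) by contact address,
    the way the form's "Test" button previews the mapping before anything is created.
    Tokens that are not IP addresses go under "invalid" instead of being looked up."""
    groups = {}
    for token in re.split(r"[\s,]+", ip_list_text.strip()):
        if not token:
            continue
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            groups.setdefault("invalid", []).append(token)
            continue
        addr = lookup_contact(whois_lookup(ip), contact_field)
        groups.setdefault(addr, []).append(ip)
    return groups


if __name__ == "__main__":
    pasted = "192.0.2.10, 192.0.2.77\n198.51.100.5 203.0.113.9 not-an-ip"
    for addr, ips in map_ips(pasted, "cert-mail", lambda ip: SAMPLE_WHOIS.get(ip, "")).items():
        print(f"{addr}: {', '.join(ips)}")
```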

Morning,

Thank you for your comments and explanations.
I thought the arguments were something like:
IP= 1.2.3.1, 1.2.3.2, 1.2.3.3, 1.2.3.4
IP= 2.2.3.1, 2.2.3.2, 2.2.3.3, 2.2.3.4
IP= 3.2.3.1, 3.2.3.2, 3.2.3.3, 3.2.3.4
etc.

and the same for ADDR.

Before mailing I had tried all the options for using the arguments as
variables or separators…
(although I think the way the tool’s usage is explained isn’t very clear;
I thought IP indicated a different feature, something silly :))

Thanks,
Marc

From: John Green [mailto:j.green@ukerna.ac.uk]
Sent: Thursday, 11 March 2004 11:54
To: Marc Boix
CC: rtir@lists.bestpractical.com
Subject: Re: [Rtir] Questions about the Scripted Actions in Tools


Hi people,

After using Incident create without setting the Function parameter, the page
is refreshed (and the message ‘Incident creation failed: Function must be
set.’ appears).
If there are values in the text boxes TimeLeft, TimeWorked and Due, quotes
are added to the %ARGS values, so after two refreshes the values are like
$ARGS{TimeWorked}=““VALUE””

Is my little patch correct, or is there any reason it was done the way it was?

My diff is (first my new code, second the old code):

132,135c128
<

  <TD><input size=3 name="TimeWorked"<% $ARGS{TimeWorked} && "

VALUE="$ARGS{TimeWorked}"" || " VALUE=0" %>>
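Review bot: as pasted, `" VALUE="$ARGS{TimeWorked}""` has unescaped double quotes inside a Perl double-quoted string, which will not compile; if the backslashes were stripped by the mail client then fine, otherwise write `qq{ VALUE="$ARGS{TimeWorked}"}` or escape the inner quotes as `\"`. The submitted value is also interpolated into the attribute verbatim, so make sure this component's output is HTML-escaped (the Mason `|h` filter, or the handler's default escape flags), otherwise a submission containing `"` closes the VALUE attribute, which is the same class of quoting problem this patch is trying to stop.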

139,142c132
<

  <TD><input size=3 name="TimeLeft"<% $ARGS{TimeLeft} && "

VALUE="$ARGS{TimeLeft}"" %>>
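Review bot: a submitted TimeLeft of `0` is false in Perl, so this hunk emits no VALUE attribute at all and the user's 0 is silently dropped on refresh; unlike the TimeWorked hunk there is no `|| " VALUE=0"` fallback. If 0 should round-trip, test `defined $ARGS{TimeLeft} && length $ARGS{TimeLeft}` instead of plain truth.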

164,167c154
<

  <TD><input size=10 name="Due"<% $ARGS{Due} && "

VALUE="$ARGS{Due}"" %>>
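Review bot: all three hunks show only the `<` (new) side; the `>` lines from the old file are missing, so a reviewer cannot see what the original VALUE emission looked like or confirm where the doubled quotes came from, and the Due field (a free-form date string) is the one most likely to carry odd characters. Please send `diff -u old new` output with context lines so both sides are visible.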

Bye!

Marc
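The round trip the patch above is concerned with, as an added illustration in Python rather than RTIR's Mason/Perl (not the project's code): the three inputs are rendered from the submitted arguments with the same defaults the patch uses, posted back, and rendered again, and the HTML must come out identical. Attribute-escaping the value is what keeps a submission containing a double quote from closing the VALUE attribute; the field table and helper names are this example's own.

```python
import re
from html import escape, unescape

# The three inputs the patch touches and the default each gets when the submission is
# empty: TimeWorked falls back to 0, TimeLeft and Due simply omit the VALUE attribute.
FIELDS = {"TimeWorked": (3, "0"), "TimeLeft": (3, None), "Due": (10, None)}


def value_attr(args, name):
    """Build the VALUE attribute for one input from the submitted %ARGS-style dict.
    The value is attribute-escaped, so a double quote inside a submission cannot close
    the attribute, and the submitted text is emitted once, not re-quoted per refresh."""
    value = args.get(name)
    if value is None or value == "":
        default = FIELDS[name][1]
        return "" if default is None else f' VALUE="{default}"'
    return f' VALUE="{escape(str(value), quote=True)}"'


def render_time_inputs(args):
    """Render the inputs as the template does, from a dict of submitted arguments."""
    return "".join(f'<input size={size} name="{name}"{value_attr(args, name)}>'
                   for name, (size, _default) in FIELDS.items())


def submitted_args(html):
    """Simulate the browser posting the rendered form back: each input's VALUE
    attribute, unescaped as the browser would send it, becomes the next %ARGS."""
    return {m.group(1): unescape(m.group(2)) for m in
            re.finditer(r'<input[^>]*name="([^"]+)"[^>]*VALUE="([^"]*)"', html)}


def survives_refresh(args, rounds=2):
    """True when re-rendering after `rounds` submit/refresh cycles yields identical
    HTML, i.e. the reported bug (quotes accumulating in the values) cannot occur."""
    first = render_time_inputs(args)
    html = first
    for _ in range(rounds):
        html = render_time_inputs(submitted_args(html))
    return html == first
```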


Thanks. Applied.

For next time, can you send patches in unified diff format?

diff -u old new

Thanks,
Jesse

On Mar 15, 2004, at 10:09 AM, Marc Boix wrote:




Hi people,

Does anybody know about the Scrips features in Tools?
Please, give me some ideas!

Thanks!
Marc

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com
[mailto:rt-users-bounces@lists.bestpractical.com] On behalf of Marc Boix
Sent: Monday, 08 March 2004 11:47
To: rt-users@lists.bestpractical.com
Subject: [rt-users] Questions about the Scripted Actions in Tools
