IP address lookup

RTIR does a great job in handling incidents for static IP allocations,
but what about dynamic address allocation?

Imagine a new table that RTIR could query, that had stored in it IP
address, start, stop, owner … (created from a RADIUS server, or
whatever)

This table could be queried just like the whois server click links…

Better still, if RTIR is able to parse an IP address, why not a time
reference? The ability to search this data would be invaluable.

Then: Some additional logic when a new ticket is created

For each IP address in the incident report
    For each time reference in the incident report
        Scan the dynamic table
        if a match is found
            Add a new entry to result set

If the result set has only one entry, paste the result into the incident
report as a comment…

Just a thought…

Greg Kuhnert wrote:

> RTIR does a great job in handling incidents for static IP allocations,
> but what about dynamic address allocation?

> Imagine a new table that RTIR could query, that had stored in it IP
> address, start, stop, owner … (created from a RADIUS server, or
> whatever)

You could make a custom script that would do that, I guess. Your suggestion:

> Better still, if RTIR is able to parse an IP address, why not a time
> reference? The ability to search this data would be invaluable.
>
> Then: Some additional logic when a new ticket is created
>
> For each IP address in the incident report
>     For each time reference in the incident report
>         Scan the dynamic table
>         if a match is found
>             Add a new entry to result set

will cause some problems. Imagine you receive a scan report with 300
lines. That's 301 IP addresses (1 source and 300 destinations) and 300
timestamps, all together 301*300 combinations. Now if one single query
takes only 1 second (probably much more if you have a large
database/log of dynamic allocations), this amounts to 90,300 seconds,
which is more than one day (86,400 sec) of processing…

The script could be improved so that it would only take the nearest
timestamp and have a table of address space which you own and is part of
your dynamic allocation pool so it would ignore all other IPs.

Regards,
Gorazd

Gorazd Bozic gorazd.bozic@arnes.si
ARNES SI-CERT, Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 22, fax: +386 1 479 88 99
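The lookup the two messages sketch, with the reply's two improvements (query only addresses in your own dynamic pool, and pair each address with the nearest timestamp rather than every timestamp in the report), as an added example that is not code from either message nor from RTIR. The allocation table, the pool and the scan report are constructed sample data, and the table is indexed per address so each lookup is a bisect rather than a scan.

```python
import ipaddress
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime
# Constructed dynamic-allocation table (ip, start, stop, owner), e.g. a RADIUS accounting export.
ALLOCATIONS = [
    ("10.1.0.5", "2024-03-01T08:00:00", "2024-03-01T12:00:00", "user-a"),
    ("10.1.0.5", "2024-03-01T12:30:00", "2024-03-01T18:00:00", "user-b"),
    ("10.1.0.9", "2024-03-01T00:00:00", "2024-03-02T00:00:00", "user-c"),
]
DYNAMIC_POOLS = [ipaddress.ip_network("10.1.0.0/24")]  # our dynamic pool; other IPs are ignored
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}")
# Constructed scan report (sample input, not a real incident); the header line has no timestamp.
REPORT = """Scan detected from 10.1.0.5 against our hosts
2024-03-01 09:15:00 10.1.0.5 -> 203.0.113.10 port 22
2024-03-01 12:15:00 10.1.0.5 -> 203.0.113.12 port 445
2024-03-01 13:00:00 10.1.0.5 -> 10.1.0.9 port 445"""

def build_index(rows):
    """Group leases per address, sorted by start, so a lookup is a bisect, not a table scan."""
    index = defaultdict(list)
    for ip, start, stop, owner in rows:
        index[ip].append((datetime.fromisoformat(start), datetime.fromisoformat(stop), owner))
    for leases in index.values():
        leases.sort()
    return index

def lookup(index, ip, when):
    """Owner holding `ip` at `when`, or None if no lease covers that moment (e.g. between leases)."""
    leases = index.get(ip, [])
    i = bisect_right(leases, (when, datetime.max, ""))  # number of leases starting <= when
    if i and leases[i - 1][0] <= when <= leases[i - 1][1]:
        return leases[i - 1][2]
    return None

def resolve_report(index, pools, report):
    """One lookup per pool address, paired with its nearest timestamp, not every IP x every timestamp."""
    found, when = set(), None
    for line in report.splitlines():
        m = TS_RE.search(line)
        when = datetime.fromisoformat(m.group()) if m else when  # timestamp on this line, else last seen
        if when is None:
            continue  # no time reference yet (the report header line)
        for ip in IP_RE.findall(line):
            if not any(ipaddress.ip_address(ip) in pool for pool in pools):
                continue  # static or foreign address: skip, as the reply suggests
            if owner := lookup(index, ip, when):
                found.add((ip, owner))
    return sorted(found)  # paste into the ticket as a comment only when exactly one entry
```

The 12:15 line falls in the gap between the two leases of 10.1.0.5 and therefore yields no owner, so the result set for this report has three entries and would not be auto-commented under the original post's one-entry rule.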