Question About RT-IR

I am new to rt-ir and looking to implement it as my CERT ticketing system (just about to install). I am, however, curious as to how it interfaces (SNMP support, etc.) with other products such as ArcSight to bring in information.

Regards,

Martin

Hi,

I’m not sure what type of integration you’re looking for.

However, as far as I know people mostly fill RTIR with incident
reports (IRs) from external tools using emails, but it’s possible to
use the RT/RTIR Perl API (scripts) or REST API (remote) to create IRs with
details filled into custom fields.

RTIR has an optional Blocks queue to initiate and disable network blocks.
There are too many ways to implement automation of blocks, so RTIR is
not shipped with any specific solution, but if you have a command line
tool or anything else that can be called then it’s pretty easy to
automate blocks.

Of course, Best Practical Solutions is ready to provide companies with
support in integrating RTIR with their workflow.
Rtir mailing list
Rtir@lists.bestpractical.com
The rtir Archives

Best regards, Ruslan.

Thanks for the information. ArcSight handles my incident handling by consolidating logs from multiple places. I can generate .xml extracts of the incidents. I guess I would need to figure out a way to import the .xml data into rt-ir so that the analysts can fill in the rest of the information. I was hoping someone out there has worked on hook-ins from ArcSight.
I wrote some code that parses the ArcSight XML a few years ago. I’m in
the process of changing it though. Right now it uses the
RT::Client::REST to search for existing tickets based on tickets open
with the right IP address.

I’m changing it up to clean up the ArcSight XML and translate it to
IDMEF, wrap it up in PGP and send it to the RTIR system for processing
as an “Incident Report”.

The ArcSight XML (the way it comes out) is really wanky, so I use a
bunch of XML::Simple type stuff to re-hash it out and then the REST
client to search for open tickets, and do the … rest. Been working
“ok” for the last two years, still a bit clunkier than I’d like it to
be (which is why I’m moving to the email model to offload some of the
code). I’d use the straight up ArcSight emails, but it’s much easier
to parse out their XML than their emails.

I had to add a few custom fields like _RTIR_Address (in addition to
_RTIR_IP), allowing me to open a ticket for a single address and
search on it when that “attacker” re-surfaced in the same time-span as
the ticket was open.

Drop me a note offlist, I’ll send you the raw ArcSight XML parsing
code if you want it. It’s awful, but it should get you moving in the
right direction.
Wes
http://claimid.com/wesyoung
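An added example, not code from Wes's post or from RTIR itself: a Python sketch of the re-hash-and-search step he describes, using a constructed ArcSight-like extract (the element names are assumptions; the real ArcSight export schema differs) and an in-memory stand-in for the RT::Client::REST search of open tickets by the _RTIR_IP custom field. It validates each address before it reaches a custom field and only matches an event to an existing ticket when the event falls inside the window that ticket was open.

```python
# Illustration only: XML layout and ticket store are constructed stand-ins.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample extract; element names are assumptions, not ArcSight's.
ARCSIGHT_XML = """<events>
  <event><name>SSH brute force</name><sourceAddress>203.0.113.7</sourceAddress>
         <startTime>2009-03-05T20:10:00</startTime></event>
  <event><name>Port scan</name><sourceAddress>203.0.113.7</sourceAddress>
         <startTime>2009-03-06T03:40:00</startTime></event>
  <event><name>Web shell upload</name><sourceAddress>198.51.100.4</sourceAddress>
         <startTime>2009-03-06T01:00:00</startTime></event>
</events>"""

# Constructed stand-in for tickets already open in the Incident Reports queue,
# keyed on the _RTIR_IP custom field with the time span the ticket was open.
OPEN_TICKETS = [
    {"id": 101, "_RTIR_IP": "203.0.113.7",
     "opened": datetime(2009, 3, 5, 20, 0), "window": timedelta(hours=6)},
]

def parse_events(xml_text):
    """Re-hash the extract into flat records with a validated IP and a parsed time."""
    out = []
    for ev in ET.fromstring(xml_text).iter("event"):
        # ip_address() raises on junk, so malformed data never lands in a custom field
        ip = ip_address(ev.findtext("sourceAddress").strip())
        out.append({"Subject": ev.findtext("name").strip(),
                    "_RTIR_IP": str(ip),
                    "when": datetime.fromisoformat(ev.findtext("startTime"))})
    return out

def match_open_ticket(event, tickets):
    """Return the id of the open ticket this event belongs to, or None."""
    for t in tickets:
        same_ip = t["_RTIR_IP"] == event["_RTIR_IP"]
        in_window = t["opened"] <= event["when"] <= t["opened"] + t["window"]
        if same_ip and in_window:
            return t["id"]
    return None

def triage(xml_text, tickets):
    """Map each event to ('comment', ticket_id) or ('create', record)."""
    actions = []
    for ev in parse_events(xml_text):
        tid = match_open_ticket(ev, tickets)
        actions.append(("comment", tid) if tid else ("create", ev))
    return actions
```

The second event has the same source address as ticket 101 but falls outside its open window, so it becomes a new incident report rather than a comment on the old one.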


Hello,

we are implementing some constituencies in rtir to separate incidents in
accordance with the existing working groups. I read the documentation
and added some groups with add_constituency, but cannot set it up so that
users of a particular group can modify (and if possible, only see) only
the tickets within their jurisdiction. What can I do to resolve this
situation?

Regards,
Fernando.

Have you read perldoc lib/RT/IR/Constituencies.pod?

Best regards, Ruslan.