Scripted Action: Variable substitution in RTIR Templates?

Hi all,

I was looking at Scripted Actions and was wondering what the meaning of
“Argument” field was. Can that be used for variable substitution in the
Template being used?

Gorazd Bozic gorazd.bozic@arnes.si
ARNES SI-CERT, Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 22, fax: +386 1 479 88 99

Gorazd Bozic wrote:

Hi all,

I was looking at Scripted Actions and was wondering what the meaning of
“Argument” field was. Can that be used for variable substitution in the
Template being used?

Yes. ADDR or IP in this field are substituted to the current email or
IP and can be referenced from the Template (by $Argument I think, it is
one of those features we haven’t gotten around to using yet).

In theory to make it easy to write a template like

“The machine 1.2.3.4 is infected with Nimda”
“The machine 2.3.4.5 is infected with Nimda”

etc

John
JANET-CERT

John Green wrote:

Yes. ADDR or IP in this field are substituted to the current email or
IP and can be referenced from the Template (by $Argument I think, it is
one of those features we haven’t gotten around to using yet).

Examining the Scripted Actions code, I was thinking of modifying it to a
more general purpose templating engine. One common issue is that you
want to notify a large number of administrators that have (dos)bots on
their systems. While doing this, you would want to attach relevant flows
or log messages, but only those related to their systems.

One possibility would be to have a general-purpose “Scripted Action by
CSV file”. You would supply a CSV file with a first line being a header
line naming all the parameters, like:

IP,DATETIME,FILE
1.2.3.4,22 Mar 2004 12:23:34,+/tmp/flow-1.2.3.4.txt

Instead of using only IP and ADDR for template substitutions, this
SA would take variable names from the header, and substitute all the
named variables in the template with values from the file. The CSV file
would of course have to include either IP or ADDR in order to work properly.

The values beginning with a plus sign would represent attachments to the
messages sent out via this scripted action. One problem is that the
attachments have to be present on the system running RTIR.

Another solution (easier to implement) would be to add a Scripted Action
with attachment. The attachment name supplied in RTIR would include
either ADDR or IP. This would get replaced before the file is
attached…

Cheers,
Gorazd

Gorazd Bozic gorazd.bozic@arnes.si
ARNES SI-CERT, Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 22, fax: +386 1 479 88 99
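The CSV-driven variant sketched in the message above, as an added example that is not part of the thread and not RTIR code: the header row names the placeholders (used verbatim in the template, the way ADDR and IP already are), a value beginning with a plus sign marks a file to attach, and a row without IP or ADDR is rejected. The `expand_csv` and `Notification` names, the injectable `exists` hook and the sample CSV are this example's own choices.

```python
"""CSV-driven expansion of a scripted action.

Added example, not RTIR code and not the diff attached to the thread.
Assumed conventions (the post only sketches them): header names are used
verbatim as placeholders in the template, just as ADDR/IP are in the
existing action; a value starting with '+' names a file on the RTIR host
to attach; the row must carry IP or ADDR to identify the target.
"""
import csv
import io
import os
from dataclasses import dataclass, field

# Constructed sample in the shape the post proposes (not real data).
SAMPLE_CSV = (
    "IP,DATETIME,FILE\n"
    "1.2.3.4,22 Mar 2004 12:23:34,+/tmp/flow-1.2.3.4.txt\n"
    "2.3.4.5,22 Mar 2004 12:24:01,+/tmp/flow-2.3.4.5.txt\n"
)

TEMPLATE = "The machine IP is infected with Nimda (flows from DATETIME attached)."


@dataclass
class Notification:
    target: str                                      # IP or ADDR from the row
    body: str
    attachments: list = field(default_factory=list)  # files present on this host
    missing: list = field(default_factory=list)      # named in the CSV, not present


def substitute(text, values):
    """Replace every occurrence of every placeholder, longest names first so
    that IP cannot eat the IP inside a longer name such as IPRANGE."""
    for name in sorted(values, key=len, reverse=True):
        text = text.replace(name, values[name])
    return text


def expand_csv(csv_text, template, exists=os.path.isfile):
    """One Notification per data row. `exists` is injectable so the
    expansion can be checked without the files being on disk."""
    reader = csv.DictReader(io.StringIO(csv_text))
    notes = []
    for lineno, row in enumerate(reader, start=2):
        # Drop unnamed extra columns and normalise short rows to "".
        row = {k: (v or "") for k, v in row.items() if k}
        target = row.get("IP") or row.get("ADDR")
        if not target:
            raise ValueError(f"line {lineno}: row has neither IP nor ADDR")
        note = Notification(target=target, body="")
        values = {}
        for name, value in row.items():
            if value.startswith("+"):
                value = value[1:]
                (note.attachments if exists(value) else note.missing).append(value)
            values[name] = value          # the template sees the path without '+'
        note.body = substitute(template, values)
        notes.append(note)
    return notes


if __name__ == "__main__":
    for n in expand_csv(SAMPLE_CSV, TEMPLATE):
        print(n.target, "|", n.body, "|", n.attachments, n.missing)
```

Because the placeholders are bare words, as in the existing ADDR/IP convention, they are replaced wherever they occur, including inside other words; pick header names that cannot collide with template text, or switch to delimited tokens if that ever bites.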

Well, here I go again… :-)

Gorazd Bozic wrote:

Another solution (easier to implement) would be to add a Scripted Action
with attachment. The attachment name supplied in RTIR would include
either ADDR or IP. This would get replaced before the file is
attached…

I have modified ScriptedAction.html now to accommodate SI-CERT needs. The
diffs are attached. I have done some testing and I believe that it works
as planned. Here is a list of modifications that I did:

  1. The HTML form part used to supply a list of email addresses/IPs
    always included the person’s signature (default behaviour of RT’s
    MessageBox); adding IncludeSignature => 0 when calling MessageBox
    corrected this.

  2. One major bug that I found was that the content of the template was
    not properly processed for substitutions of ADDR and/or IP
    placeholders. Also, if the Subject contained ADDR or IP, they
    were replaced only the first time, since the replacement was done
    directly to $ARGS{‘Subject’}. Because of that I have added a copy
    of %ARGS named %TARGS, which is declared inside the loop of
    emails/IPs processed, so you don’t have to worry about modifying
    “global” %ARGS.

  3. If a template was supplied but no manually typed message at the
    bottom of the form existed, the mail that was sent out contained an
    empty text/plain part and only then the text of the template.
    Modified ScriptedAction.html now checks for the existence of this message
    and inserts it as the first text/plain part, otherwise the template
    text becomes the first part of the MIME message.

  4. The form now has another field, labeled “Attach files:”. In this
    field you enter the location of file(s) on the host running your
    copy of RTIR. The filename can include IP and ADDR strings
    (which is the whole point of it). Before the file is attached to
    the transaction, those strings are replaced and only then the
    relevant file is attached. This enables you to attach files with
    logs/netflow data that pertains to a particular host/net only. If
    you wish to report (=open investigations) to contacts of
    10.1.2.0 and 10.2.3.0, you can copy files log-10.1.2.0.txt and
    log-10.2.3.0.txt to the RTIR (let’s say to /tmp) and supply the
    filename pattern /tmp/log-IP.txt in this field.

  5. This version includes the earlier modification allowing you to
    explicitly name the incident number you want all these investigations
    linked to (as opposed to each investigation also having a unique
    parent incident).

I hope someone else will find this useful. I have tested it, but you (of
course) use it at your own risk.

Gorazd

Gorazd Bozic gorazd.bozic@arnes.si
ARNES SI-CERT, Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 22, fax: +386 1 479 88 99

ScriptedAction.diff.txt (9.51 KB)
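The per-target loop described in points 2 to 4 above, as an added example in Python; it is not the modified ScriptedAction.html or the attached diff (which are Mason/Perl). `subjects_in_place` reproduces the once-only substitution bug of point 2, `build_message` works on a per-target copy of the form arguments (the post's %TARGS), orders the MIME parts as in point 3 and fills IP into the attachment pattern as in point 4. The dict named `args`, the `Content`/`Template` keys and the `attach_pattern` parameter are assumed stand-ins for the Mason form fields, and the check that the resolved attachment stays under `attach_root` is this example's own addition.

```python
"""Per-target expansion of a scripted action after the fixes in the post.

Added example, not the modified ScriptedAction.html or the attached diff.
Assumed names: `args` is a plain dict standing in for Mason's %ARGS with
the form fields Subject, Content (the manually typed message) and
Template; attach_pattern stands in for the "Attach files:" field. The
check that an attachment path stays under attach_root is an addition.
"""
import tempfile
from email.message import EmailMessage
from pathlib import Path


def substitute(text, values):
    # Bare ADDR/IP tokens, as in the original action: every occurrence goes.
    for name in sorted(values, key=len, reverse=True):
        text = text.replace(name, values[name])
    return text


def subjects_in_place(args, targets):
    """The bug from point 2, reproduced: substituting straight into the
    shared dict consumes the placeholder, so every target after the first
    inherits the first target's subject."""
    out = []
    for ip in targets:
        args["Subject"] = substitute(args["Subject"], {"IP": ip})
        out.append(args["Subject"])
    return out


def resolve_attachment(pattern, values, attach_root):
    """Point 4: fill IP/ADDR into the filename pattern. A relative pattern
    is taken under attach_root; anything resolving outside attach_root is
    refused (added check: a pattern such as ../IP.txt must not escape)."""
    root = Path(attach_root).resolve()
    path = (root / substitute(pattern, values)).resolve()
    try:
        path.relative_to(root)
    except ValueError:
        return None
    return path


def build_message(args, values, attach_pattern, attach_root):
    """Points 2 to 4 together for one target."""
    targs = dict(args)                       # per-target copy: args stays intact
    for key in ("Subject", "Content", "Template"):
        targs[key] = substitute(targs.get(key, ""), values)

    msg = EmailMessage()
    msg["Subject"] = targs["Subject"]
    # Point 3: a typed message becomes the first text/plain part and the
    # template follows it; with no typed message the template comes first.
    if targs["Content"].strip():
        msg.set_content(targs["Content"])
        msg.add_attachment(targs["Template"], subtype="plain", disposition="inline")
    else:
        msg.set_content(targs["Template"])

    missing = []
    if attach_pattern:
        path = resolve_attachment(attach_pattern, values, attach_root)
        if path is not None and path.is_file():
            msg.add_attachment(path.read_bytes(), maintype="text",
                               subtype="plain", filename=path.name)
        else:
            missing.append(substitute(attach_pattern, values))
    return msg, missing


def demo():
    """Constructed run: two networks with a log file each, one without."""
    with tempfile.TemporaryDirectory() as root:
        for net in ("10.1.2.0", "10.2.3.0"):
            Path(root, f"log-{net}.txt").write_text(f"flows for {net}\n")
        args = {"Subject": "Scanning hosts in IP",
                "Content": "",
                "Template": "Hosts in IP are scanning; the log is attached."}
        results = [build_message(args, {"IP": ip}, "log-IP.txt", root)
                   for ip in ("10.1.2.0", "10.2.3.0", "10.9.9.0")]
    return args, results


if __name__ == "__main__":
    untouched, results = demo()
    for msg, missing in results:
        print(msg["Subject"], [p.get_content_type() for p in msg.iter_parts()], missing)
    print("args still holds its placeholder:", untouched["Subject"])
```

The containment check matters because the pattern is expanded with whatever was typed into the address/IP list; keeping the log files in one directory and refusing anything that resolves outside it means a stray `../` in that list cannot pull an arbitrary file off the RTIR host into an outgoing mail.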