Security Incidents mailing list archives

Re: Incident tracking database

From: Chris Adams <chris () improbable org>
Date: Thu, 5 Dec 2002 22:24:25 -0800

On Wednesday, December 4, 2002, at 06:15  PM, Russell Fulton wrote:

The features are:
1/ the ability to log tickets directly from programs (preferably across
the network) in a straight forward manner.
2/ the ability to produce standard emails from standard templates and
stuff stored as part of the ticket. Eg. incident notification to sites.

3/ the ability to add things like whois lookups that extractinformation

and add it to the ticket which can then be used in 2.

You might want to look at RT (http://www.bestpractical.com/) - it has apublic Perl API which we've used for all sorts of management functions(e.g. I've written simple scripts to do things like email admins withtheir open / stalled tickets or modify certain tickets to fit a coupleodd wrinkles in our environment). The system uses per-queue templatesand allows you to fire off certain actions on various events so you canfrequently do everything with the web-interface. The system is designedto be extended and it's pretty hackable - it didn't take very long toadd the code to authenticate local users against our NIS server (remoteusers still get the default password in RT's database).

While you can put tickets in using perl we almost always use the webinterface or email for that. The wrinkle we have is a perl script whichI wrote which takes inbound mail, determines whether it's from a userwith an account on our system and if so routes it into the queue fortheir lab instead of the general helpdesk queue. It'd be pretty easy tomodify this to do things like your whois mentions - I'd have it tossthe message in and automatically add a comment (which only admins see)containing the extra data - in addition to preserving the originalmessage intact, this would allow lengthy stuff to be doneasynchronously if you have some complex processing to do.


Chris


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, managementand tracking system please see: http://aris.securityfocus.com

Current thread:

Incident tracking database Danny (Dec 03)
- Re: Incident tracking database Chip Mefford (Dec 04)
  - what else you can do with worm networks...fun, profit, etc Anton A. Chuvakin (Dec 09)
- Re: Incident tracking database Paul Gillingwater (Dec 04)
- Re: Incident tracking database Steven Hong (Dec 04)
- Re: Incident tracking database james (Dec 04)
- <Possible follow-ups>
- Re: Incident tracking database Holger Kipp (Dec 04)
  - Re: Incident tracking database Russell Fulton (Dec 05)
    - Re: Incident tracking database Chris Adams (Dec 08)