Security Incidents mailing list archives
Re: Incident tracking database
From: Chris Adams <chris () improbable org>
Date: Thu, 5 Dec 2002 22:24:25 -0800
On Wednesday, December 4, 2002, at 06:15 PM, Russell Fulton wrote:
The features are:
1/ the ability to log tickets directly from programs (preferably across the network) in a straightforward manner.
2/ the ability to produce standard emails from standard templates and stuff stored as part of the ticket. E.g. incident notification to sites.
3/ the ability to add things like whois lookups that extract information and add it to the ticket which can then be used in 2.
You might want to look at RT (http://www.bestpractical.com/) - it has a public Perl API which we've used for all sorts of management functions (e.g. I've written simple scripts to do things like email admins with their open / stalled tickets or modify certain tickets to fit a couple of odd wrinkles in our environment). The system uses per-queue templates and allows you to fire off certain actions on various events so you can frequently do everything with the web interface. The system is designed to be extended and it's pretty hackable - it didn't take very long to add the code to authenticate local users against our NIS server (remote users still get the default password in RT's database).
While you can put tickets in using Perl we almost always use the web interface or email for that. The wrinkle we have is a Perl script which I wrote which takes inbound mail, determines whether it's from a user with an account on our system and if so routes it into the queue for their lab instead of the general helpdesk queue. It'd be pretty easy to modify this to do things like your whois mentions - I'd have it toss the message in and automatically add a comment (which only admins see) containing the extra data - in addition to preserving the original message intact, this would allow lengthy stuff to be done asynchronously if you have some complex processing to do.
Chris
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
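The intake flow Chris describes (route inbound mail by sender, keep the original message intact, attach lookup results as an admin-only comment that can be produced asynchronously, then fill a standard notification template from ticket data), as an added example that is not part of this thread and does not use RT's Perl API. The ticket is a plain Python dict standing in for an RT ticket, and the user directory, the whois table and the sample report are constructed stand-ins.

```python
import email
import email.utils
import re
from email.policy import default
from string import Template

# Constructed directory of local users: sender address -> that lab's queue.
# In a real deployment this would be the account database (NIS, LDAP or the
# ticket system's own user table); a dict keeps the example runnable offline.
USER_QUEUES = {
    "alice@example.edu": "bio-lab",
    "bob@example.edu": "physics-lab",
}
DEFAULT_QUEUE = "helpdesk"  # mail from unknown senders lands here

# Constructed stand-in for a whois lookup (documentation-range address only).
WHOIS_TABLE = {
    "198.51.100.7": {"netname": "EXAMPLE-NET", "abuse": "abuse@example.net"},
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def route_queue(sender):
    """Pick the queue for a sender: their lab queue if local, else the helpdesk."""
    return USER_QUEUES.get(sender.lower(), DEFAULT_QUEUE)


def lookup_whois(ip):
    """Hypothetical whois lookup backed by the constructed table above."""
    return WHOIS_TABLE.get(ip, {"netname": "unknown", "abuse": None})


def create_ticket(raw_mail):
    """Step 1 (synchronous): parse the inbound mail and open a ticket.

    The original message text is stored unmodified; enrichment is added as
    separate comments later, so the report itself is never altered.
    """
    msg = email.message_from_string(raw_mail, policy=default)
    sender = email.utils.parseaddr(msg["From"])[1]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "queue": route_queue(sender),
        "requestor": sender,
        "subject": msg["Subject"],
        "body": body,
        "comments": [],  # admin-only notes attached to the ticket
    }


def enrich_ticket(ticket):
    """Step 2 (may run asynchronously): add whois data as admin-only comments."""
    for ip in sorted(set(IPV4_RE.findall(ticket["body"]))):
        info = lookup_whois(ip)
        ticket["comments"].append({
            "visibility": "admin",
            "ip": ip,
            "text": f"whois {ip}: netname={info['netname']} abuse={info['abuse']}",
        })
    return ticket


# Standard notification template; placeholders are filled from ticket data.
NOTIFY_TEMPLATE = Template(
    "To: $abuse\n"
    "Subject: [$queue] Incident report concerning $ip\n"
    "\n"
    "We received the following report involving $ip (netname $netname):\n"
    "\n"
    "$body\n"
)


def render_notification(ticket, ip):
    """Step 3: produce the site notification from the template.

    Returns None when no abuse contact is known, so nothing is sent blindly.
    """
    info = lookup_whois(ip)
    if not info["abuse"]:
        return None
    return NOTIFY_TEMPLATE.substitute(
        abuse=info["abuse"],
        queue=ticket["queue"],
        ip=ip,
        netname=info["netname"],
        body=ticket["body"].strip(),
    )


# Constructed inbound report used to exercise the pipeline.
SAMPLE_MAIL = (
    "From: Alice Example <alice@example.edu>\n"
    "To: security@example.edu\n"
    "Subject: SSH probes from 198.51.100.7\n"
    "\n"
    "Our lab firewall logged repeated SSH probes from 198.51.100.7 overnight.\n"
)

if __name__ == "__main__":
    t = enrich_ticket(create_ticket(SAMPLE_MAIL))
    print(t["queue"], t["comments"])
    print(render_notification(t, "198.51.100.7"))
```

Separating `create_ticket` from `enrich_ticket` is what makes the lengthy part (the lookup) safe to run later or in another process: the ticket already exists with the untouched report, and the enrichment only ever appends comments.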