Security Incidents mailing list archives

Re: Incident Response Database


From: Lionel Ferette <lionel.ferette () belnet be>
Date: Thu, 18 Mar 2004 22:19:51 +0100

In the wise words of Russell Fulton, on Thursday 18 March 2004 21:32:
[SNIP]
> At the 2003 FIRST meeting someone described extensions to RT for
> dealing with security incidents, including being smart about IP
> addresses etc (automatically make IPs and dn links that take you to
> whois info), the ability to link large numbers of calls to a
> particular incident so they can all be closed together and other
> stuff.
>
> I seem to remember they called the extended version IRT. Damn! I
> can't find the article in the proceedings. From memory work was
> done by Best Practical and commissioned by DFN CERT, the intention
> was to release code under the same terms as RT.
It's RTIR (RT for Incident Response), and can be found at
http://www.bestpractical.com/rtir/. If you're familiar with RT, and
are already using it, it's the solution that will give you the best
bang for the buck.

I love the ability to have Incident Reports, Incidents and
Investigations all linked to each other, each having its own
life-cycle. Even though you closed the incident - because the
compromised box has been rebuilt, for example - you can still keep
track of your investigation, while having the reference to all the
history of the incident itself. Same for blocked ports.

The latest official version was released early February.

Cheers,

Lionel

-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- Benjamin Franklin

Lionel Ferette
BELNET CERT Coordinator

Rue de la Science 4                    Tel: +32 2 7903333
1000 Brussels                          Fax: +32 2 7903335
Belgium                                PGP Key Id: 0x5662FD4B
