[rt-devel] IP tracking in RTIR

Damian Gerow freebsd at coal.sentex.ca
Wed Dec 3 15:55:34 EST 2003


Thus spake Tremaine Lea (tremaine.lea at sjrb.ca) [03/12/03 13:57]:
> Perhaps an addendum to the above?  Our system uses DHCP as well, however the
> assignments change rarely.  Short of an IP block move or the customer
> changing NICs the IP remains the same.  In our case, I suppose the scrip/t
> or module would look for unresolved tickets containing the IP.  We then
> manage to avoid investigating previously investigated IPs that have moved
> for one reason or another.
> 
> Thoughts?  Additionally, we also have the ability to drop the MAC address
> associated with the IP at the time of offense which can also be checked
> against.  

For DHCP, it would work relatively smoothly.  You'd still have the odd
report that would be grafted into the wrong Incident, but the occurrence
would be relatively low.

However, we don't use DHCP -- we use PPPoE.  So our IP assignment can change
as frequently as every ten seconds, depending on how often our users
connect, disconnect, and reconnect.

> The other challenge perhaps is having the IP/MAC address placed in the
> ticket via POST or some other method.  Obviously I'm looking for a high
> level of automation here.  My team deals with a very high volume of inbound
> mail and it's simply not realistic to handle it by hand.  We handle abuse@
> complaints for a cable network of close to a million internet subscribers,
> so we have some significant challenges in ticketing.

Well, RTIR was written to do automation, so it /should/ be possible.  And my
condolences to you -- I man the abuse desk for, oh, a couple thousand
customers, and I find it overwhelming enough.

> Do you happen to have a 'working' version of the project you started on
> above?  I do have a perl coder I can go to internally to perhaps tweak it
> for our own needs or finish it off.  I'd be happy to then submit that back
> to the community.

Unfortunately, no.  I stopped working on it relatively early.

However, it shouldn't be hard to put in place the thought of linking to a
RADIUS lookup page (or whatever you use to look through your assignment
logs).  Just find a regex for an IP address
(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/ perhaps?), and wrap it in an A HREF,
and you /should/ be okay.

Double-check that regex, though.  It might not work, and there's probably
*much* better regular expressions for finding IP addresses out there.

  - Damian
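
The linking idea from the message above, as an added example that is not part of the original post or of RTIR: a stricter IPv4 pattern (octets 0-255, no match inside longer dotted runs) applied after HTML-escaping, since abuse reports are untrusted inbound mail. The lookup URL and the function names are hypothetical placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical lookup page; substitute your own RADIUS/assignment-log search URL.
my $LOOKUP_URL = 'https://radius.example.net/lookup?ip=';

# One octet in the range 0-255.
my $octet = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;

# Exactly four octets, not embedded in a longer numeric or dotted run
# (so "1.2.3.4.5" and "192.0.2.300" are left alone).
my $ipv4 = qr/(?<![\d.])($octet(?:\.$octet){3})(?!\d|\.\d)/;

# Escape the report text before adding any markup of our own, so that
# HTML arriving in a complaint is displayed rather than interpreted.
sub escape_html {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Wrap each valid IPv4 address in a link to the lookup page.
# A match contains only digits and dots, so it is safe inside the href.
sub linkify_ips {
    my ($text) = @_;
    my $html = escape_html($text);
    $html =~ s{$ipv4}{<a href="$LOOKUP_URL$1">$1</a>}g;
    return $html;
}

# Constructed sample: a report body with markup and near-miss addresses.
my $sample = <<'END';
Scan from 203.0.113.45 at 2003-12-03 15:40 EST, again from 198.51.100.7.
Body contained <img src=x> and version 1.2.3.4.5, host 192.0.2.300.
END

print linkify_ips($sample);
```

With PPPoE-style churn the address alone does not identify a subscriber, so a real lookup link would also need to carry the report's timestamp.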


