[Rtir] RTIR

John Green j.green at ukerna.ac.uk
Tue Jul 8 13:01:39 EDT 2003


Jason Alexander wrote:
> Hello,
> 
> I was wondering if anyone can tell me what RTIR adds to RT over the base 
> install.  We have a customized version of RT3 that we are using as an IR 
> database and were about to go production with it.  I was wondering if I 
> should rethink that.  What extra features would we be getting by installing RTIR?

The development of RTIR was done to add some features to RT which 
JANET-CERT needed before we felt we could use it for Incident Response 
work (JANET is the Education and Research network in the UK).

Some of the features may need tuning to match your needs.

* We have 4 queues: Incident, Incident Reports, Investigations and Blocks.

All new work enters the Incident Report queue.
Investigations are a queue for conversations initiated by the team.
Blocks are used to track the block we place on the borders of the network.
Investigations don't hold any correspondence; they just act as a 
container object to hold the other three ticket types.

Lots of interface work has been done to make these dependencies easier 
to manage.

* MakeClicky

A really nice feature where all mail becomes clickable (it matches 
various regexps, such as IPs).  Clicking on an IP gives you a whois 
result (possibly from your own local datasource/contact info), 
traceroute, and a list of the other tickets containing this IP.

* Reporting

We have to do reporting to our funding body on a number of things, so 
each Incident has a number of classifications, which can be reported on. 
This includes SLA stuff, like answering reports within 1 hour.

* Scripted action

Web interface to do the same thing for N IPs, e.g. a list of 100 CodeRed-
infected machines: it looks up the contact, sends them an email as an 
Investigation, and links it to a newly created Incident.

* Due dates

Ownership is carried out on Incidents; each member of the team owns the 
Incident and deals with all the work held within it.  Each child has a 
due date, which is shown on the main screen by the parent incident 
(sorted by due date).  New mail entering a child ticket sets the due date to 
now, so it can be dealt with.

I'm probably not describing it very well.  It's easy enough to install, 
and should coexist with any current RT installation (as long as the 
queue names are unique).

There are some screenshots, from our (me and Jesse) presentation at 
FIRST available from my website.

http://kaizo.org/girona/ (*.png)

I hope this makes sense.

Any questions please ask.

John
JANET-CERT
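The MakeClicky IP matching and the "scripted action for N IPs" John describes above, modelled as an added example; this is not RTIR's own code, and the ticket bodies, ticket ids, netblocks and abuse contacts are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample tickets (hypothetical, not real RTIR data): id -> (queue, body).
TICKETS = {
    101: ("Incident Reports", "Scans from 192.0.2.10 against our web farm."),
    102: ("Incident Reports", "Port 80 probes from 192.0.2.10 and 198.51.100.7"),
    103: ("Investigations", "Following up on 198.51.100.7 with the site contact"),
    104: ("Blocks", "Border block in place for 203.0.113.25 (v1.2.3.4.5 scanner)"),
}

# Constructed contact table (hypothetical): netblock -> abuse contact.
CONTACTS = {"192.0.2.0/24": "abuse@example.net", "198.51.100.0/24": "security@example.org"}

# MakeClicky-style matcher: a dotted quad not glued to other word characters and
# not followed by ".<digit>" (so 1.2.3.4.5 is skipped, a sentence-ending dot is fine).
IPV4_RE = re.compile(r"(?<![\w.])((?:\d{1,3}\.){3}\d{1,3})(?!\w|\.\d)")

def extract_ips(text):
    """Return the syntactically valid IPv4 addresses in text, in first-occurrence order."""
    found = []
    for m in IPV4_RE.finditer(text):
        ip = m.group(1)
        if all(int(octet) <= 255 for octet in ip.split(".")) and ip not in found:
            found.append(ip)
    return found

def build_ip_index(tickets):
    """Map each IP to the sorted ids of the tickets whose body mentions it
    (this is the 'other tickets containing this IP' list behind a click)."""
    index = defaultdict(set)
    for tid, (_queue, body) in tickets.items():
        for ip in extract_ips(body):
            index[ip].add(tid)
    return {ip: sorted(ids) for ip, ids in index.items()}

def scripted_action(ips, contacts, incident_id):
    """For N IPs: look up the responsible contact and prepare one Investigation per IP,
    each linked to the parent Incident; IPs with no known contact are returned separately."""
    investigations, unresolved = [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        contact = next((c for net, c in contacts.items()
                        if addr in ipaddress.ip_network(net)), None)
        if contact is None:
            unresolved.append(ip)
        else:
            investigations.append({"to": contact, "ip": ip, "parent": incident_id})
    return investigations, unresolved
```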