[Rtir] creating large numbers of investigations

Rudolph Pereira rudolph at usyd.edu.au
Sun Aug 15 21:27:32 EDT 2004


Hello,

I'm currently looking into/using RTIR for our incident
tracking/response. One of the issues that has come up is that of bulk
creation of investigations; we're a pretty decentralised institution and
so most incidents go something like

- detect issue (e.g. port scans, etc.)
- verify
- send out mail notification to "system owner"

We have tools to do all the above, but I'd like to use RTIR to tie it
all together. At the same time, we usually deal with clusters of
incidents, some of which have to be dealt with very quickly.
Hence, using the web interface to go through the workflow (modified from
above)

1. get incident report/detection
2. look up system owner
3. look up/insert related information (e.g. port scan details, flow logs,
switchport information)
4. send off notification to system owner

is quite time-consuming and hard to aggregate (e.g. sending one
notification per system owner regardless of the number of systems),
not to mention that it doesn't include the actual shutdown of the
switchport, etc. (which, again, isn't likely to be done optimally
through a web interface).

So my question is: for those in similar situations (or others), how are
you dealing with similar situations? The best idea I've come up with is
configuring RTIR to allow investigation creation via email (with some
kind of authentication) so that one could insert whatever output in the
mail, prepend a few field tags (e.g. "Incident: n" to attach to an
incident), and RTIR could be used as (at least) the starting point for
these kinds of things.

Any suggestions/ideas?

thanks
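The workflow proposed in the post, sketched as an added example (this is not code from the original message and not RTIR's own mail-gateway syntax): detections are grouped so each system owner gets one notification per incident, the notification starts with field tags, and the whole thing carries an HMAC so the intake side can refuse mail that was not produced by the detection tooling. "Incident: n" is the tag the post suggests; the Owner, Host and Auth tags, the tag-block-then-blank-line layout, the shared-secret scheme, the Detection record and the sample detections are all assumptions made for the illustration.

```python
"""Illustrative e-mail intake for bulk RTIR investigation creation.

Sender side: group detections per (incident, owner), render one message each
with field tags on top, sign it.  Intake side: verify the signature, split
the tags from the free-form evidence, reject anything unauthenticated or
without an Incident tag.  Tag names other than "Incident" are assumptions.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass

# Shared secret between the detection tooling and the hypothetical intake
# (assumption; in practice it would come from a protected config file).
SHARED_SECRET = b"example-only-secret"


@dataclass(frozen=True)
class Detection:
    incident: int   # existing RTIR incident the investigation attaches to
    owner: str      # system owner's address, from a hypothetical lookup
    host: str       # affected system
    evidence: str   # tool output, e.g. a port-scan or flow-log excerpt


# Constructed sample cluster: two hosts for one owner, one host for another.
SAMPLE = [
    Detection(101, "ops-a@example.edu", "10.0.1.5",
              "port scan: 10.0.1.5 -> 10.0.9.0/24 tcp/445, 240 flows"),
    Detection(101, "ops-a@example.edu", "10.0.1.9",
              "port scan: 10.0.1.9 -> 10.0.9.0/24 tcp/445, 118 flows"),
    Detection(101, "ops-b@example.edu", "10.0.2.7",
              "port scan: 10.0.2.7 -> 10.0.8.0/24 tcp/139, 57 flows"),
]

# A tag line is "Name: value"; the name is letters/hyphens only, so tool
# output such as "port scan: ..." (contains a space) never parses as a tag.
_TAG_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*)$")


def group_by_owner(detections):
    """{(incident, owner): [detections]}: one mail per owner per incident,
    regardless of how many of that owner's systems are involved."""
    groups = defaultdict(list)
    for d in detections:
        groups[(d.incident, d.owner)].append(d)
    return dict(groups)


def _sign(payload: str) -> str:
    return hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def render_message(incident, owner, detections):
    """Tags first (one Host line per system), a blank line, then the evidence
    verbatim; the Auth line on top signs everything below it."""
    header = [f"Incident: {incident}", f"Owner: {owner}"]
    header += [f"Host: {d.host}" for d in detections]
    evidence = "\n".join(d.evidence for d in detections)
    payload = "\n".join(header) + "\n\n" + evidence + "\n"
    return f"Auth: {_sign(payload)}\n" + payload


def build_notifications(detections):
    """Return {(incident, owner): message_text} ready to hand to the mailer."""
    return {key: render_message(key[0], key[1], ds)
            for key, ds in group_by_owner(detections).items()}


def parse_message(message):
    """Intake side. Returns (tags, evidence_body); raises ValueError for a
    missing/invalid Auth line, a malformed tag, or a missing Incident tag."""
    first, _, payload = message.partition("\n")
    m = _TAG_RE.match(first)
    if (m is None or m.group(1) != "Auth"
            or not hmac.compare_digest(m.group(2).encode(), _sign(payload).encode())):
        raise ValueError("missing or invalid Auth tag; refusing to create investigation")
    tags = defaultdict(list)
    lines = payload.split("\n")
    i = 0
    while i < len(lines) and lines[i]:          # tag block ends at the blank line
        m = _TAG_RE.match(lines[i])
        if m is None:
            raise ValueError(f"malformed tag line: {lines[i]!r}")
        tags[m.group(1)].append(m.group(2))     # repeated tags (Host) accumulate
        i += 1
    if "Incident" not in tags:
        raise ValueError("no Incident tag; cannot link the investigation")
    return dict(tags), "\n".join(lines[i + 1:])


if __name__ == "__main__":
    for (inc, who), text in build_notifications(SAMPLE).items():
        print(f"--- incident {inc}, to {who} ---\n{text}")
        print(parse_message(text)[0])
```

The HMAC is only as good as the secrecy of the shared key and it does nothing against replay: a real intake would also want a timestamp or nonce inside the signed payload and a check that the Incident number names an open incident before linking anything to it.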

