[Rtir] Questions about the Scripted Actions in Tools

Marc Boix mboix at cesca.es
Fri Mar 12 04:04:16 EST 2004


Morning,

Thank you for your comments and explanations.
I thought the arguments were something like:
  _IP_= 1.2.3.1, 1.2.3.2, 1.2.3.3, 1.2.3.4
  _IP_= 2.2.3.1, 2.2.3.2, 2.2.3.3, 2.2.3.4
  _IP_= 3.2.3.1, 3.2.3.2, 3.2.3.3, 3.2.3.4
and so on...

and the same for _ADDR_.

I've tried all the options before the mail to use the arguments like
variables or separators...
(however, I think the way used to explain the tool's usage isn't very clear;
I thought _IP_ indicated a different feature, something silly :))

Thanks,
Marc


-----Original Message-----
From: John Green [mailto:j.green at ukerna.ac.uk]
Sent: Thursday, 11 March 2004 11:54
To: Marc Boix
CC: rtir at lists.bestpractical.com
Subject: Re: [Rtir] Questions about the Scripted Actions in Tools


Marc Boix wrote:
> Hello guys,
>
> I'm learning about RTIR features to understand the whole of it (I'm
> learning English too...:P)
>
> I have problems understanding the _ADDR_ and _IP_ parameters in
> Tools->Scripted Action.
> Does somebody know what it was made for, and how to use it?

It was made to cope with the "list of 100 machines compromised with
XYZ".  Paste in the list of IPs and it will look up the correct email
address, create an incident and investigation for each IP and send off a
preformatted email.

> Besides I can't use the By IP address Scrip, it returns always
> ADDRESS_UNKNOWN.

It works for me.  It is only of real benefit when you run an internal
whois server containing your customers' contact data (with the same key).

Contact field should be the key (without ':').   Pressing "Test" should
show you what email address each IP maps to.

> I have the WHOIS server configured correctly, because I can use traceroute
> and whois without problems.
> Normally I try with Contact Field = Email (because this field is the field
> we want to know from the Whois server, isn't it?)

That should work.  Internally we use "cert-mail" as a key and it works
fine.   A more complex algorithm may be needed if you are using RIPE
directly or you will need some sort of local preparser (geektools or
cyberabuse for example).

Cheers
John
JANET-CERT
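To make the lookup John describes concrete (a pasted _IP_ list, a Contact field key given without ':', an internal whois record per IP, and ADDRESS_UNKNOWN when the key is absent), here is an added illustration in Python. It is not RTIR's code; the whois records, the "example.net" addresses and the `WHOIS_FIXTURES` lookup are constructed stand-ins for an internal whois server.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

ADDRESS_UNKNOWN = "ADDRESS_UNKNOWN"

# Constructed whois records keyed by IP, standing in for an internal whois server.
# "cert-mail" mirrors the key JANET-CERT mentions; the addresses are made up.
WHOIS_FIXTURES: Dict[str, str] = {
    "1.2.3.1": "inetnum: 1.2.3.0 - 1.2.3.255\nnetname: EXAMPLE-NET\ncert-mail: abuse@example.net\n",
    "1.2.3.2": "inetnum: 1.2.3.0 - 1.2.3.255\ncert-mail: abuse@example.net\n",
    "2.2.3.1": "inetnum: 2.2.3.0 - 2.2.3.255\nnetname: OTHER-NET\n",  # no contact key at all
}


def parse_ip_list(text: str) -> List[str]:
    """Split a pasted _IP_ list (commas, spaces or newlines) and keep only valid IPv4/IPv6."""
    ips = []
    for tok in re.split(r"[\s,]+", text):
        try:
            ips.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            continue  # junk token in the paste: skip rather than create an empty incident
    return ips


def lookup_contact(whois_text: str, contact_field: str) -> str:
    """Return the value of `contact_field` (key given without ':') from one whois record."""
    key = contact_field.rstrip(":").strip().lower()
    for line in whois_text.splitlines():
        k, sep, v = line.partition(":")
        if sep and k.strip().lower() == key and v.strip():
            return v.strip()
    return ADDRESS_UNKNOWN  # what the "Test" button shows when the key is missing


def map_ips_to_contacts(ip_text: str, contact_field: str,
                        whois_lookup: Callable[[str], Optional[str]] = WHOIS_FIXTURES.get) -> Dict[str, str]:
    """What "Test" displays: every pasted IP mapped to the contact address it resolves to."""
    return {ip: lookup_contact(whois_lookup(ip) or "", contact_field) for ip in parse_ip_list(ip_text)}


def group_by_contact(mapping: Dict[str, str]) -> Dict[str, List[str]]:
    """Group IPs under each contact so one preformatted mail per address lists all its IPs."""
    groups: Dict[str, List[str]] = {}
    for ip, contact in mapping.items():
        groups.setdefault(contact, []).append(ip)
    return groups
```

Running `map_ips_to_contacts("1.2.3.1, 1.2.3.2, 2.2.3.1", "cert-mail")` with the fixtures above resolves the first two IPs and leaves the third as ADDRESS_UNKNOWN, which is the symptom to expect when the chosen Contact field does not exist in the whois records.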
