[Rtir] Scripted Action: Variable substitution in RTIR Templates?

Gorazd Bozic gorazd.bozic at arnes.si
Wed Mar 24 09:14:05 EST 2004


John Green wrote:
> Yes. _ADDR_ or _IP_ in this field are substituted with the current email or
> IP and can be referenced from the Template (by $Argument I think, it is
> one of those features we haven't gotten around to using yet).

Examining the Scripted Actions code, I was thinking of modifying it to a
more general purpose templating engine. One common issue is that you
want to notify a large number of administrators that have (dos)bots on
their systems. While doing this, you would want to attach relevant flows
or log messages, but only those related to their systems.

One possibility would be to have a general-purpose "Scripted Action by
CSV file". You would supply a CSV file with a first line being a header
line naming all the parameters, like:

_IP_,_DATETIME_,_FILE_
1.2.3.4,22 Mar 2004 12:23:34,+/tmp/flow-1.2.3.4.txt

Instead of using only _IP_ and _ADDR_ for template substitutions, this
SA would take variable names from the header, and substitute all the
named variables in the template with values from the file. The CSV file
would of course *have* to include either _IP_ or _ADDR_ in order to work
properly.

The values beginning with a plus sign would represent attachments to the
messages sent out via this scripted action. One problem is that the
attachments have to be present on the system running RTIR.

Another solution (easier to implement) would be to add a Scripted Action
with attachment. The attachment name supplied in RTIR would include
either _ADDR_ or _IP_. This would get replaced before the file is
attached...

Cheers,
Gorazd

-- 
Gorazd Bozic <gorazd.bozic at arnes.si>
ARNES SI-CERT, Jamova 39 p.p. 7, SI-1001 Ljubljana, Slovenia
tel: +386 1 479 88 22, fax: +386 1 479 88 99
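A sketch of the CSV-driven substitution described in the post, written here as an added example (it is not RTIR code and not Gorazd's): the header names the placeholders, each row renders the template, plus-prefixed values become attachment paths, and a header without _IP_ or _ADDR_ is rejected. The CSV text, the template and the function names are constructed for the example.

```python
import csv
import io
import os
import re

# Constructed sample CSV in the layout proposed in the post.
SAMPLE_CSV = """_IP_,_DATETIME_,_FILE_
1.2.3.4,22 Mar 2004 12:23:34,+/tmp/flow-1.2.3.4.txt
10.0.0.7,22 Mar 2004 13:01:10,+/tmp/flow-10.0.0.7.txt
"""

# Constructed notification template; placeholders are the header names.
SAMPLE_TEMPLATE = (
    "Host _IP_ was seen as a bot on _DATETIME_.\n"
    "Relevant flows are attached as _FILE_.\n"
)

# Placeholder syntax from the post: an upper-case name wrapped in underscores.
VAR_RE = re.compile(r"_[A-Z][A-Z0-9]*_")


def parse_csv(text):
    """Return (header, rows); rows are dicts keyed by header name.
    The header must name _IP_ or _ADDR_, as the post requires."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if "_IP_" not in header and "_ADDR_" not in header:
        raise ValueError("CSV header must include _IP_ or _ADDR_")
    rows = [dict(zip(header, r)) for r in reader if r]
    return header, rows


def render(template, row):
    """Substitute every placeholder in template from one CSV row.
    Returns (body, attachment_paths). A plus-prefixed value is recorded as
    an attachment path and only its basename is written into the body.
    A placeholder missing from the header raises instead of leaking the
    literal token to the recipient."""
    attachments = []

    def substitute(match):
        name = match.group(0)
        if name not in row:
            raise KeyError(f"template uses {name}, not in CSV header")
        value = row[name]
        if value.startswith("+"):
            attachments.append(value[1:])
            return os.path.basename(value[1:])
        return value

    return VAR_RE.sub(substitute, template), attachments
```

Whether each attachment path actually exists on the RTIR host is left to the caller, since that is exactly the deployment problem the post points out.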


