j.green at ukerna.ac.uk
Tue Jul 8 13:01:39 EDT 2003
Jason Alexander wrote:
> I was wondering if anyone can tell me what RTIR adds to RT over the base
> install. We have a customized version of RT3 that we are using as an IR
> database and were about to go production with it. I was wondering if I
> should rethink that. What extra features would we be getting by installing RTIR.
The development of RTIR was done to add some features to RT which
JANET-CERT needed before we felt we could use it for Incident Response
work (JANET is the Education and Research network in the UK).
Some of the features may need tuning to match your needs.
* We have 4 queues, Incident, Incident Reports, Investigations and Blocks.
All new work enters the Incident Report queue.
Investigations are a queue for conversations initiated by the team.
Blocks are used to track the block we place on the borders of the network.
Investigations don't hold any correspondence, they just act as a
container object to hold the other three ticket types.
Lots of interface work has been done to make these dependencies easier
A really nice feature where all mail becomes clickable (it matches
various regexps, such as IPs). Clicking on an IP gives you a whois
result (possibly from your own local datasource/contact info),
traceroute, and a list of the other tickets containing this IP.
We have to do reporting to our funding body on a number of things, so
each Incident has a number of classifications, which can be reported on.
This includes SLA stuff, like answering reports within 1 hour.
* Scripted action
Web interface to do the same thing for N IPs, e.g. a list of 100 CodeRed
infected machines - it looks up the contact, sends them an email as an
Investigation, and links it to a newly created Incident.
* Due dates
Ownership is carried out on Incidents, each member of the team owns the
Incident, and deals with all the work held within it. Each child has a
due date, which is shown on the main screen by the parent incident
(sorted by due date). New mail entering a child ticket sets due date to
now, so it can be dealt with.
I'm probably not describing it very well. It's easy enough to install,
and should coexist with any current RT installation (as long as the
queue names are unique).
There are some screenshots, from our (me and Jesse) presentation at
FIRST available from my website.
I hope this makes sense.
Any questions please ask.
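An added illustration, not RTIR's own code (which is Perl), of the regexp-driven IP cross-referencing described above: in Python, with constructed sample tickets, extract IPv4 addresses from ticket text, reject look-alikes such as version strings, and look up the other tickets that mention the same address. The ticket bodies, ids and rendered marker format are assumptions for the example.

```python
import re
from collections import defaultdict
from ipaddress import AddressValueError, IPv4Address

# Constructed sample tickets standing in for RTIR queue content (not real data).
TICKETS = {
    101: "Incident Report: scans from 192.0.2.10 and 198.51.100.7 hitting port 445",
    102: "Investigation: contacted abuse desk about 192.0.2.10; reply pending",
    103: "Block: border ACL for 203.0.113.250 expires Friday",
    104: "Incident Report: agent build 10.0.300.1 in banner, no hosts involved",
}

# Dotted-quad candidates that are not part of a longer digit/dot run.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _valid_ip(candidate):
    """Return the normalised address, or None if an octet is out of range."""
    try:
        return str(IPv4Address(candidate))
    except AddressValueError:
        return None


def extract_ips(text):
    """Unique, valid IPv4 addresses in text, in order of first appearance."""
    found = []
    for cand in IPV4_CANDIDATE.findall(text):
        ip = _valid_ip(cand)
        if ip is not None and ip not in found:
            found.append(ip)
    return found


def build_ip_index(tickets):
    """Map each address to the ticket ids whose text mentions it."""
    index = defaultdict(list)
    for tid, body in tickets.items():
        for ip in extract_ips(body):
            index[ip].append(tid)
    return dict(index)


def related_tickets(index, ip, current_ticket):
    """The 'other tickets containing this IP' list for the ticket being viewed."""
    return [t for t in index.get(ip, []) if t != current_ticket]


def linkify(text, index, current_ticket):
    """Replace each valid address with a marker carrying the whois/traceroute
    actions and the cross-reference count, mimicking the clickable rendering."""
    def repl(match):
        ip = _valid_ip(match.group(1))
        if ip is None:
            return match.group(1)  # leave version-like strings untouched
        n = len(related_tickets(index, ip, current_ticket))
        return f"[{ip} | whois | traceroute | {n} other ticket(s)]"
    return IPV4_CANDIDATE.sub(repl, text)
```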