[Rtir] Questions about the Scripted Actions in Tools
John Green
j.green at ukerna.ac.uk
Thu Mar 11 05:53:34 EST 2004
Marc Boix wrote:
> Hello guys,
>
> I'm learning about RTIR features to understand the whole of it (I'm learning
> English too...:P)
>
> I have problems understanding the _ADDR_ and _IP_ parameters in
> Tools->Scripted Action.
> Does somebody know what it was made for, and how to use it?
It was made to cope with the "list of 100 machines compromised with
XYZ". Paste in the list of IPs and it will look up the correct email
address, create an incident and investigation for each IP and send off a
preformatted email.
> Besides, I can't use the By IP address Scrip; it always returns
> ADDRESS_UNKNOWN.
It works for me. It is only of real benefit when you run an internal
whois server containing your customers' contact data (with the same key).
The Contact field should be the key (without ':'). Pressing "Test" should
show you what email address each IP maps to.
> I have the WHOIS server configured correctly, because I can use traceroute and
> whois without problems.
> Normally I try with Contact Field = Email (because this field is the field
> we want to know from the Whois server, isn't it?)
That should work. Internally we use "cert-mail" as a key and it works
fine. A more complex algorithm may be needed if you are using RIPE
directly, or you will need some sort of local preparser (geektools or
cyberabuse, for example).
Cheers
John
JANET-CERT
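The lookup John describes (paste a list of IPs, query whois, pull the address out of the configured Contact field, fall back to ADDRESS_UNKNOWN, then prepare one notification per IP) as an added, stand-alone example. This is not RTIR's own code, which is Perl; it is a Python sketch written for this page. The whois replies are constructed inline so it runs offline; the network query function, the "INVALID_IP" marker, the key-chain fallback for RIPE-style replies and all function names are assumptions made for the example.

```python
import ipaddress
import re
import socket

ADDRESS_UNKNOWN = "ADDRESS_UNKNOWN"

# Constructed sample whois replies, one per IP, standing in for an internal
# whois server (assumption: replies are RPSL-style "key: value" lines).
SAMPLE_WHOIS = {
    "192.0.2.17": (
        "% Constructed reply from an internal customer database\n"
        "inetnum:      192.0.2.0 - 192.0.2.255\n"
        "netname:      EXAMPLE-CAMPUS\n"
        "cert-mail:    cert@campus.example\n"
    ),
    "198.51.100.5": (
        "inetnum:      198.51.100.0 - 198.51.100.255\n"
        "netname:      NO-CONTACT-NET\n"
    ),
    "203.0.113.9": (
        "% RIPE-style reply: several objects, contact is not under cert-mail\n"
        "inetnum:      203.0.113.0 - 203.0.113.255\n"
        "netname:      UPSTREAM-NET\n"
        "abuse-mailbox: abuse@upstream.example\n"
        "\n"
        "person:       Jane Operator\n"
        "e-mail:       jane@upstream.example\n"
    ),
}


def offline_whois(ip: str) -> str:
    """Stand-in for a whois query: returns the constructed reply or ''."""
    return SAMPLE_WHOIS.get(ip, "")


def network_whois(ip: str, server: str, port: int = 43, timeout: float = 10.0) -> str:
    """Plain RFC 3912 query against `server` (not exercised offline)."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((ip + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text: str) -> dict:
    """Map lowercased field name -> list of values, skipping comment lines.

    All objects in the reply are flattened into one dict, so the first
    occurrence of a key in the reply is the one a lookup returns.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def contact_for(text: str, keys) -> str:
    """First value of the first matching Contact field, else ADDRESS_UNKNOWN.

    `keys` may be one field name or a fallback list (the "more complex
    algorithm" needed for RIPE-style replies). A trailing ':' is tolerated
    since the field is meant to be configured without it.
    """
    if isinstance(keys, str):
        keys = [keys]
    fields = parse_whois(text)
    for key in keys:
        values = fields.get(key.lower().rstrip(":"), [])
        if values:
            return values[0]
    return ADDRESS_UNKNOWN


def map_pasted_ips(pasted: str, keys, query=offline_whois) -> dict:
    """What the "Test" button shows: pasted IP -> contact address."""
    result = {}
    for raw in pasted.splitlines():
        token = raw.strip()
        if not token:
            continue
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            result[token] = "INVALID_IP"  # assumed marker, not RTIR's
            continue
        result[ip] = contact_for(query(ip), keys)
    return result


def build_notifications(mapping: dict, template: str):
    """One preformatted mail per resolved IP; unresolved IPs go to review."""
    mails, review = [], []
    for ip, to in mapping.items():
        if to in (ADDRESS_UNKNOWN, "INVALID_IP"):
            review.append(ip)
        else:
            mails.append({"to": to, "body": template.format(ip=ip)})
    return mails, review
```

With Contact Field set to "cert-mail", the first IP resolves, the second has no such field, and the RIPE-style reply only resolves once a fallback list such as ["cert-mail", "abuse-mailbox", "e-mail"] is supplied; anything unresolved is held back for manual review rather than mailed.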