[Rtir] Questions about the Scripted Actions in Tools

John Green j.green at ukerna.ac.uk
Thu Mar 11 05:53:34 EST 2004


Marc Boix wrote:
> Hello guys,
> 
> I'm learning about RTIR features to understand the whole of it (I'm learning
> English too...:P)
> 
> I have problems understanding the _ADDR_ and _IP_ parameters in
> Tools->Scripted Action.
> Does somebody know what it was made for, and how to use it?

It was made to cope with the "list of 100 machines compromised with 
XYZ".  Paste in the list of IPs and it will look up the correct email 
address, create an incident and investigation for each IP and send off a 
preformatted email.

> Besides, I can't use the By IP address Scrip; it always returns
> ADDRESS_UNKNOWN.

It works for me.  It is only of real benefit when you run an internal 
whois server containing your customers contact data. (with the same key).

Contact field should be the key (without ':').   Pressing "Test" should 
show you what email address each IP maps to.

> I have the WHOIS server configured correctly, because I can use traceroute and
> whois without problems.
> Normally I try with Contact Field = Email (because this field is the field
> we want to know from the Whois server, isn't it?)

That should work.  Internally we use "cert-mail" as a key and it works 
fine.   A more complex algorithm may be needed if you are using RIPE 
directly or you will need some sort of local preparser (geektools or 
cyberabuse for example).

Cheers
John
JANET-CERT
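The lookup John describes (paste a list of IPs, resolve each one to a contact address through a whois record's key field, fall back to ADDRESS_UNKNOWN when the key is absent) is illustrated below as an added, stand-alone example; it is not RTIR's own code. The whois responses are constructed inline in place of a real internal whois server, and the "cert-mail" key follows the convention named in the reply.

```python
import re
from typing import Dict, List

ADDRESS_UNKNOWN = "ADDRESS_UNKNOWN"

# Constructed whois records standing in for an internal whois server that
# holds customer contact data. These are sample values, not real responses.
SAMPLE_WHOIS: Dict[str, str] = {
    "192.0.2.10": (
        "inetnum:   192.0.2.0 - 192.0.2.255\n"
        "netname:   EXAMPLE-NET\n"
        "cert-mail: abuse@example.net\n"
    ),
    "192.0.2.77": (
        "inetnum:   192.0.2.0 - 192.0.2.255\n"
        "netname:   EXAMPLE-NET\n"
        "cert-mail: abuse@example.net\n"
    ),
    # Record with no contact key at all: must resolve to ADDRESS_UNKNOWN.
    "198.51.100.5": (
        "inetnum:   198.51.100.0 - 198.51.100.255\n"
        "netname:   NOCONTACT-NET\n"
    ),
    # Key present with different capitalisation and extra spacing.
    "203.0.113.9": (
        "inetnum:   203.0.113.0 - 203.0.113.255\n"
        "email:     hostmaster@example.org\n"
        "Cert-Mail:  cert@example.org\n"
    ),
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ip_list(pasted: str) -> List[str]:
    """Pull IPv4 addresses out of pasted text (commas, spaces, newlines),
    keeping first-seen order and dropping duplicates."""
    seen: List[str] = []
    for ip in IPV4_RE.findall(pasted):
        if ip not in seen:
            seen.append(ip)
    return seen


def whois_lookup(ip: str) -> str:
    """Stand-in for querying the whois server; returns the raw record text."""
    return SAMPLE_WHOIS.get(ip, "")


def extract_contact(record: str, contact_field: str) -> str:
    """Return the value of `contact_field` in a whois record, or ADDRESS_UNKNOWN.

    The key is matched at the start of a line, case-insensitively, and a
    stray trailing ':' in the configured field name is tolerated, since the
    field is meant to be given without it."""
    key = contact_field.strip().rstrip(":")
    pattern = re.compile(
        r"^\s*" + re.escape(key) + r"\s*:\s*(\S+)",
        re.IGNORECASE | re.MULTILINE,
    )
    match = pattern.search(record)
    if not match:
        return ADDRESS_UNKNOWN
    value = match.group(1)
    # A contact field that is not an email address is as useless as no field.
    if "@" not in value:
        return ADDRESS_UNKNOWN
    return value


def map_ips_to_contacts(ips: List[str], contact_field: str) -> Dict[str, str]:
    """What the "Test" button would show: one contact address per IP."""
    return {ip: extract_contact(whois_lookup(ip), contact_field) for ip in ips}


def group_by_contact(mapping: Dict[str, str]) -> Dict[str, List[str]]:
    """Invert the IP->contact map so one notification can list every IP
    belonging to the same contact; unknowns are grouped for manual handling."""
    grouped: Dict[str, List[str]] = {}
    for ip, contact in mapping.items():
        grouped.setdefault(contact, []).append(ip)
    return grouped


if __name__ == "__main__":
    pasted = "192.0.2.10, 192.0.2.77\n198.51.100.5 203.0.113.9\n192.0.2.10\n"
    ips = parse_ip_list(pasted)
    for contact, members in group_by_contact(map_ips_to_contacts(ips, "cert-mail")).items():
        print(f"{contact}: {', '.join(members)}")
```

Running it with the constructed records shows the two EXAMPLE-NET addresses collapsing onto a single contact, the mixed-case "Cert-Mail" record still resolving, and the record lacking the key landing under ADDRESS_UNKNOWN, which is the outcome to look for when "Test" reports nothing but unknowns: either the server is not returning the expected key, or the configured Contact field does not match it.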


