[Rtir] Question About RT-IR
wcyoung at buffalo.edu
Fri Mar 6 06:38:24 EST 2009
I wrote some code that parses the ArcSight XML a few years ago. I'm in
the process of changing it though. Right now it uses the
RT::Client::REST to search for existing tickets based on tickets open
with the right IP address.
I'm changing it up to clean up the ArcSight XML and translate it to
IDMEF, wrap it up in PGP and send it to the RTIR system for processing
as an "Incident Report".
The ArcSight XML (the way it comes out) is really wanky, so I use a
bunch of XML::Simple type stuff to re-hash it out and then the REST
client to search for open tickets, and do the ... rest. Been working
"ok" for the last two years, still a bit clunkier than I'd like it to
be (which is why I'm moving to the email model to offload some of the
code). I'd use the straight up ArcSight emails, but it's much easier
to parse out their XML than their emails.
I had to add a few custom fields like _RTIR_Address (in addition to
_RTIR_IP), allowing me to open a ticket for a single address and
search on it when that "attacker" re-surfaced in the same time-span as
the ticket was open.
Drop me a note offlist, I'll send you the raw ArcSight XML parsing
code if you want it. It's awful, but it should get you moving in the
On Mar 5, 2009, at 9:22 PM, Martin Fontanez wrote:
> Thanks for the information. ArcSight handles my incident handling
> by consolidating logs from multiple places. I can generate .xml
> extracts of the incidents. I guess I would need to figure out a way
> to import the .xml data into RT-IR so that the analysts can fill in
> the rest of the information. I was hoping someone out there had
> worked on hooks into ArcSight.
> --- On Thu, 3/5/09, Ruslan Zakirov <ruslan.zakirov at gmail.com> wrote:
> From: Ruslan Zakirov <ruslan.zakirov at gmail.com>
> Subject: Re: [Rtir] Question About RT-IR
> To: jdmfontz at yahoo.com
> Cc: rtir at lists.bestpractical.com
> Date: Thursday, March 5, 2009, 8:36 PM
> I'm not sure what type of integration you're looking for.
> However, as far as I know people mostly fill RTIR with incident
> reports (IRs) from external tools using emails, but it's possible to
> use the RT/RTIR perl API (scripts) or REST API (remote) to create IRs with
> details filled into custom fields.
> RTIR has an optional Blocks queue to initiate and disable network blocks.
> There are too many ways to implement automation of blocks, so RTIR is
> not shipped with any specific solution, but if you have a command line
> tool or anything else that can be called then it's pretty easy to
> automate blocks.
> Of course Best Practical Solutions is ready to provide companies with
> support in integrating RTIR with their workflow.
> On Fri, Mar 6, 2009 at 12:19 AM, Martin Fontanez <jdmfontz at yahoo.com> wrote:
> > I am new to RT-IR and looking to implement it as my CERT ticketing
> > (just about to install). I am, however, curious as to how it
> > (snmp support, etc) with other products such as ArcSight to bring in
> > information.
> > Regards,
> > Martin
> > _______________________________________________
> > Rtir mailing list
> > Rtir at lists.bestpractical.com
> > http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rtir
> Best regards, Ruslan.
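The search-then-create step described in the first message of this thread (look for an open Incident Report carrying the attacker address in the _RTIR_IP custom field, append to it if found, otherwise open a new one), as an added example in Perl with RT::Client::REST. This is not the poster's code or an RTIR-shipped script; the server URL, credentials, queue name, the custom-field key syntax CF.{_RTIR_IP} and the sample event are assumptions.

```perl
#!/usr/bin/perl
# Added example: correlate one parsed ArcSight event with open RTIR
# Incident Reports by attacker IP, using RT::Client::REST. The server,
# credentials, queue name and custom-field key syntax are assumptions.
use strict;
use warnings;
use RT::Client::REST;

# Constructed sample: what an ArcSight XML parser would hand over.
my %event = (
    src_ip  => '192.0.2.10',
    dst_ip  => '198.51.100.5',
    name    => 'Repeated SSH login failures',
    summary => 'Constructed sample event for illustration',
);

# Connect and authenticate (assumed server URL and credentials).
my $rt = RT::Client::REST->new(server => 'https://rt.example.org', timeout => 30);
$rt->login(username => $ENV{RT_USER}, password => $ENV{RT_PASS});

# Find an IR that is still active for this attacker address, or undef.
# _RTIR_IP is the custom field named in the thread; the quoted CF name is
# TicketSQL syntax for a custom-field condition.
sub find_open_ir {
    my ($rt, $ip) = @_;
    # Only address-like strings may be interpolated into TicketSQL.
    die "refusing to query on non-address value '$ip'\n"
        unless $ip =~ /^[0-9A-Fa-f:.]+$/;
    my $query = "Queue = 'Incident Reports' AND (Status = 'new' OR Status = 'open')"
              . " AND 'CF.{_RTIR_IP}' = '$ip'";
    my @ids = $rt->search(type => 'ticket', query => $query);
    return $ids[0];
}

my $id = find_open_ir($rt, $event{src_ip});
if (defined $id) {
    # Same attacker resurfaced while the IR is open: append, do not duplicate.
    $rt->correspond(
        ticket_id => $id,
        message   => "New ArcSight event: $event{name} ($event{src_ip} -> $event{dst_ip})",
    );
    print "Updated IR #$id\n";
} else {
    $id = $rt->create(
        type => 'ticket',
        set  => {
            Queue           => 'Incident Reports',
            Subject         => "$event{name} from $event{src_ip}",
            'CF.{_RTIR_IP}' => $event{src_ip},
        },
        text => $event{summary},
    );
    print "Opened IR #$id\n";
}
```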