[Rtir] Question About RT-IR

Wes Young wcyoung at buffalo.edu
Fri Mar 6 06:38:24 EST 2009


I wrote some code that parses the ArcSight XML a few years ago. I'm in  
the process of changing it though. Right now it uses the  
RT::Client::REST to search for existing tickets based on tickets open  
with the right IP address.

I'm changing it up to clean up the ArcSight XML and translate it to  
IDMEF, wrap it up in PGP and send it to the RTIR system for processing  
as an "Incident Report".

The arcsight XML (the way it comes out) is really wanky, so I use a  
bunch of XML::Simple type stuff to re-hash it out and then the REST  
client to search for open tickets, and do the ... rest. Been working  
"ok" for the last two years, still a bit clunkier than I'd like it to
be (which is why i'm moving to the email model to offload some of the  
code). I'd use the straight up ArcSight emails, but it's much easier  
to parse out their XML than their emails.

I had to add a few custom fields like _RTIR_Address (in addition to  
_RTIR_IP), allowing me to open a ticket for a single address and  
search on it when that "attacker" re-surfaced in the same time-span as  
the ticket was open.

Drop me a note off-list and I'll send you the raw ArcSight XML parsing
code if you want it. It's awful, but it should get you moving in the
right direction.

On Mar 5, 2009, at 9:22 PM, Martin Fontanez wrote:

> Thanks for the information. ArcSight handles my incident handling
> by consolidating logs from multiple places. I can generate .xml
> extracts of the incidents. I guess I would need to figure out a way
> to import the .xml data into rt-ir so that the analysts can fill in
> the rest of the information. I was hoping someone out there had
> worked on hook-ins from ArcSight.
>
> --- On Thu, 3/5/09, Ruslan Zakirov <ruslan.zakirov at gmail.com> wrote:
> From: Ruslan Zakirov <ruslan.zakirov at gmail.com>
> Subject: Re: [Rtir] Question About RT-IR
> To: jdmfontz at yahoo.com
> Cc: rtir at lists.bestpractical.com
> Date: Thursday, March 5, 2009, 8:36 PM
>
> Hi,
>
> I'm not sure what type of integration you're looking for.
>
> However, as far as I know people mostly fill RTIR with incident
> reports (IRs) from external tool using emails, but it's possible to
> use RT/RTIR perl API (scripts) or REST API (remote) to create IRs with
> details filled into custom fields.
>
> RTIR has optional Blocks queue to initiate and disable network blocks.
> There are too many ways to implement automation of blocks, so RTIR is
> not shipped with any specific solution, but if you have a command line
> tool or anything else that can be called then it's pretty easy to
> automate blocks.
>
> Of course Best Practical Solutions is ready to provide companies
> support in integrating RTIR with their workflow.
>
> On Fri, Mar 6, 2009 at 12:19 AM, Martin Fontanez <jdmfontz at yahoo.com>
> wrote:
> > I am new to rt-ir and looking to implement it as my CERT ticketing
> > system (just about to install). I am, however, curious as to how it
> > interfaces (snmp support, etc) with other products such as ArcSight to
> > bring in information.
> >
> > Regards,
> >
> > Martin
> >
> >
> > _______________________________________________
> > Rtir mailing list
> > Rtir at lists.bestpractical.com
> > http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rtir
> >
> >
>
>
>
> -- 
> Best regards, Ruslan.
>

--
Wes
http://claimid.com/wesyoung
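The "search for an open ticket carrying this IP, otherwise file a new Incident Report" flow described above, as an added example in Python against RT's REST 1.0 interface. This is not Wes's RT::Client::REST code and not anything shipped with RTIR; the server URL, the queue name "Incident Reports", the `CF.{Name}` field-key syntax, the `_RTIR_Address` custom field (the one the post says was added alongside RTIR's stock `_RTIR_IP`) and the search response used in the dry run are all assumptions or constructed. The one practitioner point it makes explicit: the attacker IP is the only SIEM-controlled value that ends up inside TicketSQL, so it is validated as an address before being interpolated.

```python
"""Dedup-then-file flow for SIEM-driven Incident Reports via RT's REST 1.0 API.

Added example (not RTIR's or the poster's code). Search the IR queue for a
new/open ticket already carrying the attacker's IP inside the time window;
if one exists, correspond on it, otherwise create a new IR with both IP
custom fields filled in. RT_BASE, IR_QUEUE and ADDRESS_CF are assumptions.
"""
import ipaddress
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

RT_BASE = "https://rtir.example.org/rt"   # assumed RTIR base URL
IR_QUEUE = "Incident Reports"             # RTIR's stock IR queue (assumed unchanged)
IP_CF = "_RTIR_IP"                        # RTIR's stock IP custom field
ADDRESS_CF = "_RTIR_Address"              # single-address CF as described in the post (assumed name)


def open_ir_query(ip, since, queue=IR_QUEUE):
    """TicketSQL for new/open IRs in `queue` carrying `ip`, created after `since` (UTC).

    The IP is validated first: it is the attacker-controlled value in the query and
    a stray quote would otherwise break, or bend, the TicketSQL sent to the server.
    """
    ip = str(ipaddress.ip_address(ip))          # ValueError on anything that is not an IP
    since_s = since.strftime("%Y-%m-%d %H:%M:%S")
    return (f"Queue = '{queue}' AND (Status = 'new' OR Status = 'open') "
            f"AND CF.{{{IP_CF}}} = '{ip}' AND Created > '{since_s}'")


def parse_ids(search_response):
    """Ticket ids from a REST 1.0 search answered with format=i (one 'ticket/N' per line)."""
    ids = []
    for line in search_response.splitlines():
        line = line.strip()
        if line.startswith("ticket/"):
            ids.append(int(line.split("/", 1)[1]))
    return ids


def _indent(text):
    """REST 1.0 multi-line field values continue on lines that begin with a space."""
    return text.replace("\n", "\n ")


def new_ir_form(ip, subject, body, queue=IR_QUEUE):
    """REST 1.0 'ticket/new' form creating an IR with both IP custom fields set."""
    ip = str(ipaddress.ip_address(ip))
    fields = [
        ("id", "ticket/new"),
        ("Queue", queue),
        ("Subject", subject),
        (f"CF.{{{IP_CF}}}", ip),
        (f"CF.{{{ADDRESS_CF}}}", ip),
        ("Text", _indent(body)),
    ]
    return "".join(f"{k}: {v}\n" for k, v in fields)


def plan(ip, existing_ids, subject, body):
    """(path, form) for the single REST 1.0 call to make.

    With an open IR already on file, correspond on the newest one (highest id);
    otherwise create a fresh Incident Report.
    """
    if existing_ids:
        tid = max(existing_ids)
        form = f"id: {tid}\nAction: correspond\nText: {_indent(body)}\n"
        return f"/REST/1.0/ticket/{tid}/comment", form
    return "/REST/1.0/ticket/new", new_ir_form(ip, subject, body)


def rest_search(query, user, password, base=RT_BASE, timeout=30):
    """GET /REST/1.0/search/ticket; REST 1.0 accepts user/pass as request parameters."""
    params = urllib.parse.urlencode({"query": query, "format": "i",
                                     "user": user, "pass": password})
    with urllib.request.urlopen(f"{base}/REST/1.0/search/ticket?{params}", timeout=timeout) as resp:
        return resp.read().decode()


def rest_post(path, form, user, password, base=RT_BASE, timeout=30):
    """POST a REST 1.0 form (ticket/new or ticket/N/comment) as the 'content' field."""
    data = urllib.parse.urlencode({"content": form, "user": user, "pass": password}).encode()
    with urllib.request.urlopen(base + path, data=data, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline dry run on a constructed search response; no server is contacted.
    ip = "192.0.2.10"
    since = datetime.now(timezone.utc) - timedelta(days=7)
    print(open_ir_query(ip, since))
    fake_response = "RT/3.8.2 200 Ok\n\nticket/41\nticket/57\n\n"   # constructed
    path, form = plan(ip, parse_ids(fake_response),
                      f"Repeated scans from {ip}", "Seen again by the SIEM.\nSecond line.")
    print(path)
    print(form)
```

To go live, replace the dry run with `rest_search(open_ir_query(ip, since), user, password)` followed by `rest_post(*plan(ip, parse_ids(reply), subject, body), user, password)`. An IP-range style value in `_RTIR_IP` or a different status lifecycle in your RTIR would need the query adjusted accordingly.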
