[unisog] RTIR (RT for Incident Response)

Edgecombe, Jason jwedgeco at email.uncc.edu
Fri Dec 16 13:29:30 GMT 2005


Hi there,

You might want to look at tattle. It's a perl script that reports ssh
brute force attacks. It does whois lookups to find the contact info.

Here is a link to the code:
http://www.opennet.ru/base/netsoft/1118335083_106.txt.html

Unfortunately, it looks like the author's domain has changed hands.

I hope this helps.

Jason Edgecombe
TST Web Developer
Dean's Office, College of Arts & Sciences
UNC-Charlotte
Phone: (704) 687-4686


> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Reed Loden
> Sent: Thursday, December 15, 2005 7:21 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] RTIR (RT for Incident Response)
> 
> On Thu, 15 Dec 2005 16:18:56 -0500
> Erik Fichtner <emf at obfuscation.org> wrote:
> 
> > > Guy Dickinson wrote:
> > > * RTIR is designed for the (very rigid!) workflow of its creators. It
> > > may or may not translate well into your organization. For example,
> > > each conversation with an external party generates an "Incident
> > > Report". This must be linked to an "Incident", which is like a parent
> > > ticket under which several Incident Reports can be housed. (confused
> > > yet?). Day-to-day, this is a pretty big headache if you have abuse@
> > > going into RTIR, since you spend a lot of time making parent tickets
> > > for every single email. It turned out to be too clunky for daily use
> > > here.
> > 
> > 
> > You know, this brings up a topic that's been bothering me for a little
> > while now; often in the guise of incident tracking for SANS ISC-- Tools
> > like RT and RTIR are designed for response desks with internal and
> > external parties complaining to them to do something about resources
> > they directly control. There does not seem to be a tool available
> > for a response desk that wants to track communications between yourself
> > ('The complainant') and various third parties who have resources that
> > you'd like them to do something about. Tracking all those empty
> > responses to messages sent to abuse@ for various sites gets extremely
> > tedious at times. (particularly the ones where replying with the proper
> > ticket number just generates a new ticket anyway. You know who you
> > are.)
> 
> heh... This is -exactly- what I am looking for. I send out lots of mail to
> abuse@ (and the like) addresses to report drones, and I really need
> something that I can use to track these outgoing reports so I can tell
> what bots have been taken care of and which ones have not.
> 
> It would also be nice if this tool could allow me just to enter the
> host/ip and the log, and it would find the appropriate abuse address and
> submit it itself.
> 
> If you find anything that does something like this or anything related to
> it, please let me know.
> 
> ~reed
> Freelance Drone Cleaner/Killer/Hunter
> 
> -- 
> Reed Loden - <reed at reedloden.com>
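Added example (not tattle's code and not from anyone in this thread): a Python sketch of the workflow the thread is asking for. It detects ssh brute forcing from sshd log lines, resolves the source address to an abuse contact, and keeps a per-source record of outgoing reports so you can see which ones are still open. The log lines are constructed (TEST-NET documentation addresses) and follow the OpenSSH "Failed password for ... from ... port ..." format. The ABUSE_CONTACTS table is a hypothetical stand-in for the whois lookups tattle performs, so the script runs offline; a real deployment would replace abuse_contact() with a whois query and add rate limiting and manual review before anything is sent.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Dec 15 19:21:01 bastion sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec 15 19:21:03 bastion sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Dec 15 19:21:05 bastion sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 40138 ssh2
Dec 15 19:21:07 bastion sshd[1207]: Failed password for root from 203.0.113.7 port 40146 ssh2
Dec 15 19:21:09 bastion sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 40154 ssh2
Dec 15 19:21:11 bastion sshd[1211]: Failed password for root from 203.0.113.7 port 40162 ssh2
Dec 15 19:30:40 bastion sshd[1300]: Failed password for invalid user guest from 192.0.2.9 port 51000 ssh2
Dec 15 19:30:42 bastion sshd[1302]: Failed password for invalid user guest from 192.0.2.9 port 51008 ssh2
Dec 15 19:30:44 bastion sshd[1304]: Failed password for root from 192.0.2.9 port 51016 ssh2
Dec 15 19:30:46 bastion sshd[1306]: Failed password for root from 192.0.2.9 port 51024 ssh2
Dec 15 19:30:48 bastion sshd[1308]: Failed password for root from 192.0.2.9 port 51032 ssh2
Dec 15 19:45:02 bastion sshd[1400]: Failed password for jdoe from 198.51.100.23 port 50100 ssh2
Dec 15 19:45:09 bastion sshd[1402]: Failed password for jdoe from 198.51.100.23 port 50104 ssh2
Dec 15 19:45:15 bastion sshd[1404]: Accepted publickey for jdoe from 198.51.100.23 port 50112 ssh2
"""

# Matches OpenSSH failed-password lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Hypothetical abuse-contact table standing in for a live whois lookup.
ABUSE_CONTACTS = {
    "203.0.113.0/24": "abuse@isp-a.example",
    "192.0.2.0/24": "abuse@isp-b.example",
    "198.51.100.0/24": "abuse@isp-c.example",
}


def failed_logins(log_text):
    """Yield (source_ip, username) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def brute_forcers(log_text, threshold=5):
    """Return {source_ip: failure_count} for sources at or above threshold."""
    counts = Counter(ip for ip, _ in failed_logins(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def abuse_contact(ip, table=ABUSE_CONTACTS):
    """Map an address to an abuse contact via the (hypothetical) prefix table."""
    addr = ipaddress.ip_address(ip)
    for cidr, contact in table.items():
        if addr in ipaddress.ip_network(cidr):
            return contact
    return None  # no contact known; a human has to look it up


class ReportTracker:
    """One record per reported source, so open reports stay visible."""

    def __init__(self):
        self.reports = {}

    def file(self, ip, contact, evidence_count):
        rec = self.reports.get(ip)
        if rec is None:
            self.reports[ip] = {"contact": contact, "evidence_count": evidence_count,
                                "status": "open", "followups": 0}
        else:
            # Same source seen again: count it as a follow-up, not a new ticket.
            rec["evidence_count"] += evidence_count
            rec["followups"] += 1

    def resolve(self, ip):
        self.reports[ip]["status"] = "resolved"

    def still_open(self):
        return sorted(ip for ip, r in self.reports.items() if r["status"] == "open")


def run(log_text, threshold=5, tracker=None):
    """Detect brute forcers in log_text and file (or update) a report for each."""
    tracker = tracker or ReportTracker()
    for ip, n in brute_forcers(log_text, threshold).items():
        tracker.file(ip, abuse_contact(ip), n)
    return tracker


if __name__ == "__main__":
    t = run(SAMPLE_LOG)
    for ip in t.still_open():
        r = t.reports[ip]
        print(f"{ip}: {r['evidence_count']} failures -> {r['contact']} [{r['status']}]")
```

Running the same log through run() with the same tracker a second time files no new ticket; it bumps the follow-up counter instead, which is the behaviour Reed's complaint about "replying with the proper ticket number just generates a new ticket" argues for. The two-failure source stays under the threshold and is never reported.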
