[unisog] RTIR (RT for Incident Response)

Andrew Cormack A.Cormack at ukerna.ac.uk
Thu Dec 22 12:46:17 GMT 2005


I've not used it, but it may be worth looking at AIRT, see
http://chiht.dfn-cert.de/functions/csirt_procedures.html

Cheers
Andrew

--------------------
Andrew Cormack
Chief Security Advisor 
UKERNA, Atlas Centre, Chilton, Didcot, OX11 0QS, UK

Phone: +44 (0)1235 822302
Fax: +44 (0)1235 822399

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Reed Loden
> Sent: Friday 16 December 2005 00:21
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] RTIR (RT for Incident Response)
> 
> 
> On Thu, 15 Dec 2005 16:18:56 -0500
> Erik Fichtner <emf at obfuscation.org> wrote:
> 
> > Guy Dickinson wrote:
> > > * RTIR is designed for the (very rigid!) workflow of its creators. It
> > > may or may not translate well into your organization. For example,
> > > each conversation with an external party generates an "Incident
> > > Report". This must be linked to an "Incident", which is like a parent
> > > ticket under which several Incident Reports can be housed. (confused
> > > yet?). Day-to-day, this is a pretty big headache if you have abuse@
> > > going into RTIR, since you spend a lot of time making parent tickets
> > > for every single email. It turned out to be too clunky for daily use
> > > here.
> > 
> > 
> > You know, this brings up a topic that's been bothering me for a little
> > while now; often in the guise of incident tracking for SANS ISC-- Tools
> > like RT and RTIR are designed for response desks with internal and
> > external parties complaining to them to do something about resources
> > they directly control.  There does not seem to be a tool available
> > for a response desk that wants to track communications between yourself
> > ('The complainant') and various third parties who have resources that
> > you'd like them to do something about.  Tracking all those empty
> > responses to messages sent to abuse@ for various sites gets extremely
> > tedious at times.  (particularly the ones where replying with the proper
> > ticket number just generates a new ticket anyway.  You know who you
> > are.)
> 
> heh... This is -exactly- what I am looking for. I send out lots of mail to
> abuse@ (and the like) addresses to report drones, and I really need
> something that I can use to track these outgoing reports so I can tell
> what bots have been taken care of and which ones have not.
> 
> It would also be nice if this tool could allow me just to enter the
> host/ip and the log, and it would find the appropriate abuse address and
> submit it itself.
> 
> If you find anything that does something like this or anything related to
> it, please let me know.
> 
> ~reed
> Freelance Drone Cleaner/Killer/Hunter
> 
> -- 
> Reed Loden - <reed at reedloden.com>
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
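The outbound-report tracker Erik and Reed describe above (look up the abuse contact for a host, send a report, and tell from the replies which hosts are still outstanding, even when the remote helpdesk strips your ticket number and issues its own) sketched as an added example. This is not RTIR, AIRT or anything posted on the list; the "DR-nnnn" ticket prefix, the bracketed remote-ticket formats, the RDAP document and the log line are all constructed for the example. A real tool would fetch the RDAP record for the address (for instance from https://rdap.org/ip/<ip>) and hand the message to an MTA; here the record is embedded so the code runs offline.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an RDAP response for the block containing the
# reported host (shape per RFC 9083). A real tool would fetch
# https://rdap.org/ip/<ip>; it is embedded here so the example runs offline.
# 192.0.2.0/24 and example.net are reserved documentation values.
SAMPLE_RDAP = {
    "handle": "192.0.2.0 - 192.0.2.255",
    "entities": [
        {"handle": "EXAMPLE-NOC", "roles": ["technical"],
         "vcardArray": ["vcard", [["email", {}, "text", "noc@example.net"]]]},
        {"handle": "EXAMPLE-ABUSE", "roles": ["abuse"],
         "vcardArray": ["vcard", [["email", {}, "text", "abuse@example.net"]]]},
    ],
}

# Our own ticket marker, e.g. "[DR-0001]" (DR = drone report; hypothetical prefix).
OUR_TOKEN = re.compile(r"\[(DR-\d{4})\]")
# Assumed shapes of markers a remote helpdesk adds, e.g. "[Ticket#20051216001]".
REMOTE_TOKEN = re.compile(r"\[(?:Ticket|RT|Case)[ #:]*([0-9A-Za-z-]+)\]", re.I)


def abuse_contact(rdap: dict) -> Optional[str]:
    """Return the first e-mail of an entity carrying the 'abuse' role, or None."""
    for ent in rdap.get("entities", []):
        if "abuse" not in ent.get("roles", []):
            continue
        for prop in ent.get("vcardArray", ["vcard", []])[1]:
            if prop[0] == "email":
                return prop[3]
    return None


@dataclass
class Report:
    ticket: str
    host: str
    recipient: str
    log_excerpt: str
    status: str = "sent"                 # sent -> acknowledged -> closed
    remote_id: Optional[str] = None      # the other side's ticket number, once known
    remote_marker: Optional[str] = None  # exactly as they wrote it, reused in subjects


class ReportTracker:
    """Tracks outgoing abuse reports and correlates replies back to them."""

    def __init__(self) -> None:
        self.reports: dict[str, Report] = {}
        self._seq = 0

    def open_report(self, host: str, log_excerpt: str, rdap: dict) -> dict:
        """Create a report for `host` addressed to the published abuse contact."""
        to = abuse_contact(rdap)
        if to is None:
            raise ValueError(f"no abuse contact published for {host}")
        self._seq += 1
        ticket = f"DR-{self._seq:04d}"
        self.reports[ticket] = Report(ticket, host, to, log_excerpt)
        return {
            "to": to,
            "subject": f"[{ticket}] Compromised host {host} attacking our network",
            "body": (f"Please investigate {host}. Log excerpt (UTC):\n\n{log_excerpt}\n\n"
                     f"Keep [{ticket}] in the subject when replying so we can match it."),
        }

    def process_reply(self, subject: str) -> Optional[str]:
        """Match an incoming reply to a report; returns our ticket id or None."""
        ours = OUR_TOKEN.search(subject)
        theirs = REMOTE_TOKEN.search(subject)
        report = self.reports.get(ours.group(1)) if ours else None
        if report is None and theirs:
            # They dropped our token (common with auto-ticketing abuse desks):
            # fall back on a remote ticket number we recorded from an earlier reply.
            report = next((r for r in self.reports.values()
                           if r.remote_id == theirs.group(1)), None)
        if report is None:
            return None
        if theirs:
            report.remote_id, report.remote_marker = theirs.group(1), theirs.group(0)
        if report.status == "sent":
            report.status = "acknowledged"
        return report.ticket

    def follow_up_subject(self, ticket: str) -> str:
        """Subject for a chaser carrying both sides' markers, so the remote desk
        threads it into its existing ticket instead of opening a new one."""
        r = self.reports[ticket]
        remote = f" {r.remote_marker}" if r.remote_marker else ""
        return f"[{ticket}]{remote} Re: Compromised host {r.host} still active"

    def close(self, ticket: str) -> None:
        """Mark a report resolved, e.g. once the host stops appearing in your logs."""
        self.reports[ticket].status = "closed"

    def outstanding(self) -> list[str]:
        """Tickets that still need chasing."""
        return sorted(t for t, r in self.reports.items() if r.status != "closed")
```

The two things worth copying from this are the matching order in process_reply (your own token first, their ticket number as a fallback, unmatched mail surfaced rather than silently dropped) and follow_up_subject, which repeats the remote desk's marker verbatim so a chaser does not spawn a fresh ticket on their side. Closing a report is deliberately manual: the only reliable signal that a drone is gone is that it stops appearing in your own logs, not that someone replied.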