Re: Incident tracking database

From: Chris Adams (chrisat_private)
Date: Thu Dec 05 2002 - 22:24:25 PST


On Wednesday, December 4, 2002, at 06:15 PM, Russell Fulton wrote:
> The features are:
> 1/ the ability to log tickets directly from programs (preferably across
> the network) in a straightforward manner.
> 2/ the ability to produce standard emails from standard templates and
> stuff stored as part of the ticket. E.g. incident notification to sites.
> 3/ the ability to add things like whois lookups that extract information
> and add it to the ticket which can then be used in 2.

You might want to look at RT (http://www.bestpractical.com/) - it has a
public Perl API which we've used for all sorts of management functions
(e.g. I've written simple scripts to do things like email admins with
their open / stalled tickets or modify certain tickets to fit a couple of
odd wrinkles in our environment). The system uses per-queue templates
and allows you to fire off certain actions on various events, so you can
frequently do everything with the web interface. The system is designed
to be extended and it's pretty hackable - it didn't take very long to
add the code to authenticate local users against our NIS server (remote
users still get the default password in RT's database).

While you can put tickets in using Perl, we almost always use the web
interface or email for that. The wrinkle we have is a Perl script I
wrote which takes inbound mail, determines whether it's from a user
with an account on our system and, if so, routes it into the queue for
their lab instead of the general helpdesk queue. It'd be pretty easy to
modify this to do things like the whois lookups you mention - I'd have it
toss the message in and automatically add a comment (which only admins
see) containing the extra data. In addition to preserving the original
message intact, this would allow lengthy stuff to be done
asynchronously if you have some complex processing to do.

Chris


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

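The mail-routing and enrichment flow Chris describes (route inbound mail to a per-user queue, keep the original message intact, attach an admin-only comment with whois data, and render a per-queue notification template) is illustrated below as an added example. It is not RT's Perl API and not Chris's script: the ticket store, the account directory, the template table and the whois source are all constructed stand-ins so the code runs offline, and every name in it (`LOCAL_ACCOUNTS`, `fake_whois`, `build_ticket`, the example addresses) is an assumption made for the illustration.

```python
"""Inbound-mail routing and enrichment for a ticket system (added example).

Nothing here is RT's own API; the account directory, templates and whois
data are constructed stand-ins so the logic can be exercised offline.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from string import Template

# Constructed account directory: mail address -> that user's lab queue.
LOCAL_ACCOUNTS = {
    "alice@example.edu": "lab-physics",
    "bob@example.edu": "lab-chemistry",
}
DEFAULT_QUEUE = "helpdesk"

# Per-queue notification templates filled from ticket fields (feature 2).
TEMPLATES = {
    "lab-physics": Template("Ticket $id opened in $queue for $requestor.\n$abstract"),
    "helpdesk": Template("Thank you for contacting the helpdesk. Your ticket is $id.\n$abstract"),
}

# Constructed whois table (RFC 5737 documentation address) replacing a real lookup.
FAKE_WHOIS = {"192.0.2.10": {"netname": "EXAMPLE-NET", "abuse": "abuse@example.net"}}


def fake_whois(ip):
    """Stand-in for a network whois query; returns {} for unknown addresses."""
    return FAKE_WHOIS.get(ip, {})


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_inbound(raw):
    """Parse raw RFC 822 bytes into an EmailMessage using the modern policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def choose_queue(msg):
    """Mail from a known local account goes to its lab queue, else the general queue."""
    _, addr = parseaddr(msg.get("From", ""))
    return LOCAL_ACCOUNTS.get(addr.lower(), DEFAULT_QUEUE)


def body_text(msg):
    """Return the text/plain body, or an empty string if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def enrichment_comment(text, lookup=fake_whois):
    """Build the admin-only comment: one line of whois data per IP seen in the body (feature 3)."""
    lines = []
    for ip in sorted(set(IPV4_RE.findall(text))):
        info = lookup(ip)
        if info:
            lines.append(f"{ip}: netname={info.get('netname', '?')} abuse={info.get('abuse', '?')}")
        else:
            lines.append(f"{ip}: no whois data")
    return "\n".join(lines)


def build_ticket(raw, ticket_id, lookup=fake_whois):
    """Turn one inbound message into a ticket record: queue, intact body, admin comment, notification."""
    msg = parse_inbound(raw)
    queue = choose_queue(msg)
    text = body_text(msg)
    _, requestor = parseaddr(msg.get("From", ""))
    ticket = {
        "id": ticket_id,
        "queue": queue,
        "requestor": requestor,
        "subject": str(msg.get("Subject", "(no subject)")),
        "body": text,  # original message text preserved unmodified
        "admin_comment": enrichment_comment(text, lookup),
    }
    first_line = text.strip().splitlines()[0] if text.strip() else ""
    template = TEMPLATES.get(queue, TEMPLATES[DEFAULT_QUEUE])
    ticket["notification"] = template.safe_substitute(ticket, abstract=first_line)
    return ticket


# Constructed sample message from a local user reporting probes from a documentation address.
SAMPLE_MAIL = b"""From: Alice <alice@example.edu>
To: security@example.edu
Subject: Scans from 192.0.2.10
Content-Type: text/plain; charset=us-ascii

Seeing repeated SSH probes from 192.0.2.10 against the lab gateway.
"""

if __name__ == "__main__":
    t = build_ticket(SAMPLE_MAIL, 1001)
    print("queue:", t["queue"])
    print("admin comment:", t["admin_comment"])
    print("notification:\n" + t["notification"])
```

The enrichment is kept in a separate function returning a string precisely so that, as the post suggests, it could be run after the ticket is already stored and appended later as a comment; the body field is never rewritten.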



    This archive was generated by hypermail 2b30 : Sun Dec 08 2002 - 19:18:46 PST