Querying the DShield API from RTIR, (Thu, Sep 3rd)

2015-09-03 18:30

A few days ago, Tom wrote a diary(1) about RTIR(2) and its REST API. He explained how the tool can be fed with external data. Being a DShield contributor for years (I submit my firewall logs), I like to look up IP address information in the DShield database. By default, RTIR extracts IP addresses from tickets and has an interface to query services like WHOIS servers, to perform a traceroute or to query any third-party website. RTIR being extremely configurable, why not extend it to query the DShield database using the ISC API(3)!

IP addresses can be queried via the URL https://isc.sans.edu/ipinfo.html?ip=x.x.x.x, but don't do this. First of all for performance reasons, but also because that page cannot be displayed in an iframe (which is how RTIR shows research tools): it sets the X-Frame-Options header to SAMEORIGIN. Use the API endpoint instead: https://isc.sans.edu/api/ip/x.x.x.x

Results are returned in XML. To integrate DShield lookups into RTIR, follow this procedure.

1. Create a new page called isc_ipinfo.php on the Apache server running RTIR (or any available HTTP server). This page will receive the IP address, query the DShield API and reformat (basically) the results:

<?php
// Escape every value echoed into the page: the API data is third-party input
// and this page is rendered inside the RTIR iframe.
function h($v) { return htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'); }

// Validate the search term RTIR passes in before it is used in the upstream URL.
$ip = isset($_GET['ip']) ? $_GET['ip'] : '';
if (!filter_var($ip, FILTER_VALIDATE_IP)) {
    echo "Invalid IP address!";
    exit;
}
$d = simplexml_load_file("https://isc.sans.edu/api/ip/" . $ip);
if ($d === false) {
    echo "DShield lookup failed!";
    exit;
}
// Element names below are those of the <ip> element returned by the ISC API.
?>
<table>
<tr><td align="right"><b>IP Address:</b></td><td><?php echo h($d->number); ?> (<a href="https://isc.sans.edu/ipdetails.html?ip=<?php echo h($ip); ?>" target="_blank">Details</a>)</td></tr>
<tr><td align="right"><b>Network:</b></td><td><?php echo h($d->network); ?></td></tr>
<tr><td align="right"><b>AS:</b></td><td><?php echo h($d->as); ?></td></tr>
<tr><td align="right"><b>AS Name:</b></td><td><?php echo h($d->asname); ?></td></tr>
<tr><td align="right"><b>AS Size:</b></td><td><?php echo h($d->assize); ?></td></tr>
<tr><td align="right"><b>Country:</b></td><td><?php echo h($d->ascountry); ?></td></tr>
<tr><td align="right"><b>Count:</b></td><td><?php echo h($d->count); ?></td></tr>
<tr><td align="right"><b>Attacks:</b></td><td><?php echo h($d->attacks); ?></td></tr>
<tr><td align="right"><b>Min Date:</b></td><td><?php echo h($d->mindate); ?></td></tr>
<tr><td align="right"><b>Max Date:</b></td><td><?php echo h($d->maxdate); ?></td></tr>
<tr><td align="right"><b>Last Updated:</b></td><td><?php echo h($d->updated); ?></td></tr>
<tr><td align="right"><b>Abuse Contact:</b></td><td><?php echo h($d->asabusecontact); ?></td></tr>
<tr><td align="right"><b>Comment:</b></td><td><?php echo h($d->comment); ?></td></tr>
</table>

2. Edit your $RTIRHOME/etc/RTIR_SiteConfig.pm and add the new service to $RTIRIframeResearchToolConfig:

Set($RTIRIframeResearchToolConfig, {
    1 => { FriendlyName => 'SANS ISC IP Info', URL => 'http://xxxxxxxx/isc_ipinfo.php?ip=__SearchTerm__' },
    3 => { FriendlyName => 'Google', URL => 'https://encrypted.google.com/search?q=__SearchTerm__' },
    4 => { FriendlyName => 'CVE', URL => 'http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=__SearchTerm__' },
    5 => { FriendlyName => 'TrustedSource.org', URL => 'http://www.trustedsource.org/query/__SearchTerm__' },
    6 => { FriendlyName => 'McAfee SiteAdvisor', URL => 'http://www.siteadvisor.com/sites/__SearchTerm__' },
    7 => { FriendlyName => 'BFK DNS Logger', URL => 'http://www.bfk.de/bfk_dnslogger.html?query=__SearchTerm__#result' },
});
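As an added example (not the diary's code), the Python below models what isc_ipinfo.php does so the two security-relevant points can be exercised offline: the search term RTIR substitutes for __SearchTerm__ is validated as a bare IP address before it is placed in the upstream URL, and every value coming back from the API is HTML-escaped before it is rendered in the iframe. The XML reply is constructed; only its element names follow the ISC /api/ip/ response, and the fetch function is a stub that returns that sample instead of contacting isc.sans.edu.

```python
"""Offline model of the isc_ipinfo.php lookup page (added example, not the
diary's own code). Validates the search term, parses a DShield-style XML reply
and renders the same HTML table with every value escaped."""
import html
import ipaddress
import xml.etree.ElementTree as ET

# Label shown in the table -> element name in the ISC <ip> reply.
FIELDS = [
    ("IP Address", "number"),
    ("Network", "network"),
    ("AS", "as"),
    ("AS Name", "asname"),
    ("AS Size", "assize"),
    ("Country", "ascountry"),
    ("Count", "count"),
    ("Attacks", "attacks"),
    ("Min Date", "mindate"),
    ("Max Date", "maxdate"),
    ("Last Updated", "updated"),
    ("Abuse Contact", "asabusecontact"),
    ("Comment", "comment"),
]

# Constructed reply, not real DShield data. The <comment> value is deliberately
# hostile to show why the API output needs escaping before it reaches the page.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ip>
  <number>192.0.2.10</number>
  <count>1234</count>
  <attacks>57</attacks>
  <maxdate>2015-09-02</maxdate>
  <mindate>2015-08-01</mindate>
  <updated>2015-09-03 06:00:00</updated>
  <comment>&lt;script&gt;alert(1)&lt;/script&gt;</comment>
  <asabusecontact>abuse@example.net</asabusecontact>
  <as>64496</as>
  <asname>EXAMPLE-AS</asname>
  <ascountry>ZZ</ascountry>
  <assize>65536</assize>
  <network>192.0.2.0/24</network>
</ip>
"""


def validate_ip(term):
    """Equivalent of PHP's FILTER_VALIDATE_IP: canonical address string or None.
    RTIR pastes __SearchTerm__ in verbatim, so hostnames, CIDR ranges and any
    other junk are rejected here before the upstream URL is built."""
    try:
        return str(ipaddress.ip_address(term.strip()))
    except ValueError:
        return None


def api_url(ip):
    """Build the DShield API URL for an already validated address."""
    return "https://isc.sans.edu/api/ip/" + ip


def parse_ip_info(xml_bytes):
    """Pull the fields of interest out of an <ip> reply into a dict."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "ip":
        raise ValueError("unexpected root element %r" % root.tag)
    return {name: (root.findtext(name) or "") for _, name in FIELDS}


def render_table(ip, info):
    """Render the table the PHP page produces, escaping every cell value.
    The API data is third-party input landing inside the RTIR iframe, so it
    gets the same treatment as anything user-supplied."""
    rows = []
    for label, name in FIELDS:
        value = html.escape(info.get(name, ""))
        if name == "number":
            value += (' (<a href="https://isc.sans.edu/ipdetails.html?ip=%s" '
                      'target="_blank">Details</a>)' % html.escape(ip, quote=True))
        rows.append('<tr><td align="right"><b>%s:</b></td><td>%s</td></tr>' % (label, value))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def lookup(term, fetch=lambda url: SAMPLE_XML):
    """Whole flow: validate, fetch (offline stub by default), parse, render."""
    ip = validate_ip(term)
    if ip is None:
        return "Invalid IP address!"
    return render_table(ip, parse_ip_info(fetch(api_url(ip))))


if __name__ == "__main__":
    print(lookup("192.0.2.10"))
    print(lookup("evil.example; id"))
```

To run it against the live API, pass a fetch function that performs the HTTP GET and returns the response body; the validation and escaping paths stay the same.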

It's also easy to create new portlets to be used in dashboards. As a bonus, let's display the ISC Infocon status in an RTIR dashboard.

1. Create the new portlet in $RTIRHOME/local/html/Elements. Let's call it InfoconStatus:

<&| /Widgets/TitleBox, title => loc('SANS ISC Status') &>
<table>
<tr>
<td>
<img src="https://isc.sans.edu/images/status.gif" alt="SANS ISC Infocon Status">
</td>
</tr>
</table>
</&>

2. Add InfoconStatus to the list of homepage components in $RTIRHOME/etc/RTIR_SiteConfig.pm:

Set(@RTIR_HomepageComponents, qw(
    QuickCreate
    Quicksearch
    MyAdminQueues
    MySupportQueues
    MyReminders
    RefreshHomepage
    Dashboards
    SavedSearches
    InfoconStatus
    /RTIR/Elements/NewReports
    /RTIR/Elements/UserDueIncidents
    /RTIR/Elements/NobodyDueIncidents
));

(1) https://isc.sans.edu/forums/diary/Automating+Metrics+using+RTIR+REST+API/20087/
(2) https://www.bestpractical.com/rtir/
(3) https://isc.sans.edu/api/

Xavier Mertens
ISC Handler - Freelance Security Consultant
rootshell.be
truesec.be

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Source: isc.sans.edu/diary.html?storyid=20113&rss
