Skip to content

rommelfs/ticket-tools

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

92 Commits
leakix
leakix
 
 
old
old
 
 
templates
templates
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
close-bulk-tickets.sh
close-bulk-tickets.sh
 
 
close-ticket.sh
close-ticket.sh
 
 
config.py-example
config.py-example
 
 
create-bulk-tickets.inc
create-bulk-tickets.inc
 
 
create-bulk-tickets.sh
create-bulk-tickets.sh
 
 
create_bulk_ticket_with_template-by-abusemail.py
create_bulk_ticket_with_template-by-abusemail.py
 
 
create_bulk_ticket_with_template-by-domain.py
create_bulk_ticket_with_template-by-domain.py
 
 
create_bulk_ticket_with_template.py
create_bulk_ticket_with_template.py
 
 
create_investigations.sh
create_investigations.sh
 
 
create_ticket_with_template.py
create_ticket_with_template.py
 
 
create_weekly_event.py
create_weekly_event.py
 
 
get-ms-urls.sh
get-ms-urls.sh
 
 
get-netcraft-reports.sh
get-netcraft-reports.sh
 
 
get-phishlab-reports.sh
get-phishlab-reports.sh
 
 
get-reports.inc
get-reports.inc
 
 
get-reports.replacements-email-example
get-reports.replacements-email-example
 
 
get-reports.replacements-example
get-reports.replacements-example
 
 
get-reports.sh
get-reports.sh
 
 
get-screenshot.sh
get-screenshot.sh
 
 
get-urlmon-urls.sh
get-urlmon-urls.sh
 
 
get-urlquery-urls.sh
get-urlquery-urls.sh
 
 
inc_external.conf-example
inc_external.conf-example
 
 
inc_gpg.conf-example
inc_gpg.conf-example
 
 
inc_rt.conf-example
inc_rt.conf-example
 
 
inc_xmpp.conf-example
inc_xmpp.conf-example
 
 
ipfs.py
ipfs.py
 
 
misp_add_attribute.py
misp_add_attribute.py
 
 
parse_certificates.sh
parse_certificates.sh
 
 
phish2asn.sh
phish2asn.sh
 
 
phishtank_server.sh
phishtank_server.sh
 
 
process-proxy-list.sh
process-proxy-list.sh
 
 
process_reports.py
process_reports.py
 
 
process_reports.sh
process_reports.sh
 
 
requirements.txt
requirements.txt
 
 
start-get-urls.sh
start-get-urls.sh
 
 
update_config.sh
update_config.sh
 
 
xarf.sh
xarf.sh
 
 

Repository files navigation

ticket-tools

Description

A collection of tools interfacing with RT/RTIR in order to interact with the world (e.g. send out take-down requests or other notifications)

Dependencies

Outlook

More tools are likely to be released

Description of the tools

get-reports.sh

get-reports.sh is a standalone tool to iterate through defined submission types. Submission types can be defined as an RT/RTIR search. It keeps a list of definitions in get-reports.inc. There are two modes of operation:

  • Automatic processing of the incoming tickets (e.g. any 30 minutes with a cronjob: 30 * * * * cd /home/rommelfs/ticket-tools && ./get-reports.sh shadowserver)
  • Semi-automatic processing (automatic display of a list of open tickets from one category. One-key decision and processing: The submission is checked by UrlAbuse and offers the possibility to
  • automatically create a take-down request based on templates (from ./templates), the source ticket will be moved to the incident queue. A classification will be added according to the take-down type.
  • Pre-defined are these types of submissions: phishing, malware, defacement, webshell
  • Possible actions are:
    • ignore the ticket (keep it open for next run), and continue
    • ignore and close the ticket (ticket will be closed without further action, leaving a comment in the ticket)
    • exit the program (start next time at the ticket where exited)
  • When set up, an external screenshot taking tool can produce a screenshot of the offending site. It will be attached as comment to the ticket.

The tool relies on a working version of create_ticket_with_template.py

create_ticket_with_template.py

create_ticket_with_template.py Usage: create_ticket_with_template.py Incident-ID Templatename URL [Onlinecheck:True|False] [Queue]

This tools creates a take-down request as an investigation to an incident (Incident-ID). It uses the given Templatename (from ./templates). The input is based on the given URL, which is checked with UrlAbuse. The verification of the content being online can be skipped (False). A specific queue can be mentioned (default is 5).

It can also send the contents to a MISP instance.

Requires UrlAbuse from https://github.com/CIRCL/url-abuse

get-urlabuse-reports.sh (deprecated)

get-urlabuse-reports.sh is a standalone tool to iterate through new UrlAbuse submissions (https://www.circl.lu/urlabuse/ and https://www.circl.lu/services/urlabuse/) from users to the ticket system. The submission is checked by UrlAbuse and offers the possibility to

  • automatically create a take-down request based on templates (from ./templates), the source ticket will be closed
  • ignore the ticket (ticket will be closed without further action)
  • exit the program (start next time at the ticket where exited)

The tool relies on a working version of create_ticket_with_template.py

get-phishlab-reports.sh (deprecated)

get-phishlab-reports.sh is a standalone tool to iterate through new Phishlab reports to the ticket system. The submission is checked by UrlAbuse and offers the possibility to

  • automatically create a take-down request based on templates (from ./templates), the source ticket will be closed
  • ignore the ticket (ticket will be closed without further action)
  • exit the program (start next time at the ticket where exited)

The tool relies on a working version of create_ticket_with_template.py

create_bulk_ticket_with_template.py

create_bulk_ticket_with_template.py Usage: create_bulk_ticket_with_template.py Incident-ID Templatename csv-file

This tool creates a take-down request as an investigation to an incident (Incident-ID). It uses the given Templatename (from ./templates). The input is based on a CSV list as in the following format (example data):

Format: ASN,IP,Country code,Last seen (UTC),Malware,Source Port,Destination IP,Destination Port,Destination Hostname

"12345","1.2.3.4","2018-06-17 16:11:33","necurs","6789","2.3.4.5","80","","tcp"

Entries are grouped by ASN and only one notification per AS number is sent.

get-urlquery-urls.sh

get-urlquery-urls.sh fetches the content of new urlquery reports and sends the entries to an XMPP chatroom

get-urlmon-urls.sh

get-urlmon-urls.sh fetches the content of new urlquery reports and sends the entries to an XMPP chatroom

get-ms-urls.sh

get-ms-urls.sh fetches the content of new urlquery reports and sends the entries to an XMPP chatroom

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

7 stars

Watchers

3 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages