ir-scripts

ir-scripts copied to clipboard

#+TITLE: Incident Management and Response Tools

• Overview I have a large number of systems, security, operations, and otherwise with some role in the incident management process. They sit there, blinking lights at each other, but none of them communicate. The scripts in this directory aim to fix that, likely in the most superficial way possible. This repository is a set of scripts I have created and use for performing incident management activities. To me, this covers everything from vulnerability analysis to open source research to incident response activities, and as a result, this is a pretty varied toolset.

However, this is fairly tailored to my own workflows and tools, so you may not be able to run it directly out-of-the-box. I hope these are of some use.

** Preparing your envionment Most things can be run straight away or with slight modification to the code itself. However, some of the scripts ahve configuration settings and they default to looking in ~/.incmgmt for relevant configuration files

** TODO Methodology In the future, I will separate the basic execution and script description documentation from the documentation around methodology. But until I get this sorted, it will be mixed in with the rest of the documentation. At the moment, it i merely disorganized snippets to remind me what I want to write about.

*** Vulnerability Management

**** Using Overrides

**** Reporting After a task has run, I perform a quick review of the results and edit out

*** Creating work tickets Once the general report information is saved to my data storage, I go back to the report in the OpenVAS web interface and create some more, usually temporary, overrrides. This is to prevent creating a number of duplicate tickets. For example, if there is vulnerability in Apache, and the server is configured to listen on multiple ports such as 80 and 443, then OpenVAS will report two discrete vulnerabilities. However, both of these will liklely be fixed at the same time by updating Apache. And on a subnetwork devoted to web servers, there will likely be a large number of these duplicates. So, I will create a temporary override for that particular task that ignores one of the two ports for all hosts on that task and modifying the detection to 'log', rather than a vuln. The override duration should be just a bit longer than your scan cycle or expected remediation. Another way to handle this would be to modify the script to create only a single ticket when the host and short description are the same.

• The Scripts The scripts and toolsin this repository are organized into folders by use or purpose.

** Vulnerability Analysis and Management Located in ./VulnMgmt Scripts to help implement a vulnerability management program

*** Vuln-tickets.py This creates tickets on both Redmine[fn:1] and Service Now[fn:2] ticketing systems so that operational teams can work on the issues.

** Research Located in ./Research Random scripts for log mining, intel gathering, network querying, and other incident response-ish activities. Unless otherwise indicated, all files in this project are governed by the GPLv3 license.
*** ioc-intel.sh This script performs some quick lookups against a list of ip address or FQDN IOCs *** reverselook.sh performs reverse lookups on a list of IP addresses *** cif-lookup.sh performs lookups on multiple cif servers and reports on hit or no hit cif servers are based on local user's .cif* files

• License See the LICENSE file in this repository for the license of everything it contains

• Footnotes

[fn:1] [[https://www.redmine.org][Redmine]] is a Project management tool and the script uses the [[https://pypi.python.org/pypi/python-redmine/0.4.0][python-redmine library]]

[fn:2] http://wiki.servicenow.com/index.php?title=Table_API_Python_Examples