SIRIOS
Modules
- Incident tracking module
- Authoring tools for advisories
- Vulnerability database
- Artifact database
- Contacts database
- Ticket module
- WebWatcher
- Call module
- IDMEF Console
IT incident tracking
Almost every attack affecting network security begins as an incident. The incident tracking module supports a flexible yet standardized description of the system parameters of the affected systems, so that new information can be exchanged quickly between CERTs. Data exchange between CERTs is based on the XML format IODEF. The module contains:
- Overview of all incidents logged in the system and their statuses
- Step-by-step creation and classification of new incidents
- Documentation of the contact data of reporting, affected and responsible persons
- Detailed specification of the incident
- Documentation of attacks based on various event templates
- Search function for incidents
- Import/export of incident files on the basis of IODEF-compliant XML files
Authoring tools for advisories
The advisory module supports the creation and processing of notifications about identified incidents and vulnerabilities. The module allows for:
- Overview of all advisories available and their processing state
- Creation of new advisories based on the XML format EISPP/DAF and predefined forms
- Cross-system exchange of advisories
- Search for advisories
- Import/export of advisories
Vulnerability database
A vulnerability is a flaw or weakness in software, for example a combination of commands or application options, which attackers can exploit under certain circumstances to gain access to a computer with privileges that permit abuse. The module facilitates:
- Creation of vulnerability reports
- Further processing of vulnerability reports
- Search for vulnerability reports within the vulnerability database
Artifact database
Artifacts are data that have to be documented in connection with IT incidents (e.g. exploits). The module for documenting and processing artifacts allows for:
- Creation, i.e. description and classification of artifacts
- Linkage of artifacts to other artifacts, tickets or vulnerability reports
- Further processing of artifacts
- Search for artifacts within the artifact database
Contacts database
The module for contact administration facilitates the creation, administration and searching of contact data. Contact data can be searched in the local data pool of SIRIOS, in LDAP directories or in linked SQL databases.
Ticket module
The ticket module contains the main features for logging and processing inbound information:
- Logging and further classification of incidents based on pre-structured templates for phone and E-mail tickets
- Clear representation (queue view) of all transactions (tickets)
- Locking (assignment to individual employees) and unlocking of tickets
- Presentation of ticket content and all metadata connected to the transaction (e.g. escalation times, ticket age, contact data, etc.)
- Presentation of ticket history, i.e. all actions, statuses, actors and time stamps
- Change of ticket priority
- Planning and recording of activities via notes
- Ticket owner change during processing
- Merging of similar tickets or tickets whose contents belong together
- Planning of activities with the bring-forward function
- Closing of tickets with a freely configurable status (such as closed successfully, closed unsuccessfully etc.)
- Syntactical and criterion-based full text searches in the complete ticket pool, queues, persons responsible etc.
- Personalization of user interface and system properties
WebWatcher
CERTs do not usually rely on user notifications alone when monitoring vulnerabilities but continuously check a number of information sources for news. In most cases, such sources are websites that concentrate on security holes and vulnerabilities, but also news tickers from the IT field, etc.
WebWatcher is a powerful tool provided by SIRIOS that enables CERT operators to automate the checking of websites for relevant information and thus frees valuable resources for other tasks within the CERT.
As information about a vulnerability published on one of the monitored websites is essentially equivalent to an (E-mail) message from any person, the WebWatcher module ensures that the information found is logged as a new ticket and thus automatically included in the inbox.
Call module
The call module facilitates the event- and/or parameter-controlled forwarding of alarms by phone from SIRIOS to the persons responsible. Various call triggers can be created, configured and administered in the call module. Whenever a call is triggered, SIRIOS converts the text to speech and sends it to the defined recipients (groups of recipients). All calls are documented and linked to the triggering ticket.
IDMEF Console
Intrusion detection systems (IDS) have gained tremendous importance over the last few years. In order to standardize the output of the various IDSs and allow for comparisons, the Intrusion Detection Message Exchange Format (IDMEF) was developed. Usually, IDMEF messages are evaluated automatically; it is, however, also necessary to provide the possibility of processing IDMEF data manually. The IDMEF Console module provides the following features:
- Cross-database administration of intrusion detection messages
- Comparison of IDMEF data
- Linkage of IDMEF data belonging together
- IODEF format incident generation from IDMEF data
- Export and import
- Search for IDMEF messages
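The IODEF incident generation from IDMEF data listed above, and the IODEF-based exchange described for the incident tracking module, rest on a mapping between the two XML formats (RFC 4765 and RFC 5070). The following Python is an added example, not SIRIOS code: it converts one IDMEF alert into a minimal, schema-ordered IODEF 1.0 incident using only the standard library; the helper names, the CERT name "cert.example.com" and the sample alert are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
IDMEF, IODEF = "http://iana.org/idmef", "urn:ietf:params:xml:ns:iodef-1.0"
NS = {"i": IDMEF}
ET.register_namespace("", IODEF)  # emit IODEF as the default namespace
# Impact vocabularies differ: IDMEF "info" has no IODEF severity, IDMEF type "other" is "unknown".
SEVERITY = {"info": "low", "low": "low", "medium": "medium", "high": "high"}
IMPACT_TYPE = {"other": "unknown"}

def E(parent, tag, text=None, **attrs):
    """Append an IODEF-namespaced child element with optional text."""
    el = ET.SubElement(parent, f"{{{IODEF}}}{tag}", attrs)
    el.text = text
    return el

def idmef_to_iodef(idmef_xml: str, cert_name: str) -> str:
    """Return an IODEF-Document built from one IDMEF-Message. ElementTree does not
    expand external entities, but untrusted feeds still warrant a hardened parser."""
    alert = ET.fromstring(idmef_xml).find("i:Alert", NS)
    if alert is None:
        raise ValueError("IDMEF message contains no Alert")
    doc = ET.Element(f"{{{IODEF}}}IODEF-Document", version="1.00", lang="en")
    inc = E(doc, "Incident", purpose="reporting")
    # IODEF requires IncidentID, ReportTime, Assessment and Contact, in this order.
    E(inc, "IncidentID", alert.get("messageid", "unknown"), name=cert_name)
    E(inc, "ReportTime", alert.findtext("i:CreateTime", "", NS))
    imp = alert.find("i:Assessment/i:Impact", NS)
    imp = imp.attrib if imp is not None else {}
    attrs = {"type": IMPACT_TYPE.get(imp.get("type", "other"), imp.get("type", "other"))}
    for key, table in (("severity", SEVERITY), ("completion", {})):
        if key in imp:  # both optional in IODEF, so copy only what the alert carries
            attrs[key] = table.get(imp[key], imp[key])
    E(E(inc, "Assessment"), "Impact", **attrs)
    E(E(inc, "Contact", role="creator", type="organization"), "ContactName", cert_name)
    flow = E(E(inc, "EventData"), "Flow")
    # IDMEF nests the value in <Address><address>; IODEF puts it directly in <Address>.
    for role in ("Source", "Target"):
        for addr in alert.findall(f"i:{role}/i:Node/i:Address", NS):
            node = E(E(flow, "System", category=role.lower()), "Node")
            E(node, "Address", addr.findtext("i:address", "", NS), category=addr.get("category", "ipv4-addr"))
    return ET.tostring(doc, encoding="unicode")

# Constructed IDMEF alert (TEST-NET addresses, made-up ids) standing in for an IDS feed.
SAMPLE_ALERT = """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef"><Alert messageid="abc123456">
<Analyzer analyzerid="hq-ids01"/><CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464Z</CreateTime>
<Source><Node><Address category="ipv4-addr"><address>192.0.2.200</address></Address></Node></Source>
<Target><Node><Address category="ipv4-addr"><address>192.0.2.50</address></Address></Node></Target>
<Classification text="Teardrop"/><Assessment><Impact severity="info" completion="failed" type="other"/></Assessment>
</Alert></IDMEF-Message>"""
if __name__ == "__main__":
    print(idmef_to_iodef(SAMPLE_ALERT, "cert.example.com"))
```

The result is a valid skeleton for a ticket or incident record; a production converter would also carry over Classification references and DetectTime, which this example omits.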