Checking IP reputation via Information Floater

Jens Bothe10. Jan 2017 | AdministrationConsultingUse cases

One of the features of the OTRS 5s Security Toolbox is the information floater which allows to search for patterns in an article of a ticket. The feature was designed to enrich the content of a ticket without having to add static content to it. The main usage is to give security teams valuable information at a glance without the need to lookup the information in a separate browser tab.

Out of the box the possibility to search for CVE numbers is available via the Sysconfig settings in Ticket->Ticket::Frontend::ZoomCollectMetaFilters###CVE-Google and Ticket->Ticket::Frontend::ZoomCollectMetaFilters###CVE-Mitre. An additional use case I had to solve lately was to check whether IP addresses were listed on realtime blackhole lists (RBL).

Highlighting IP addresses in the TicketZoom

So first of all I had to add an additional ZoomCollectMetaFilter which would match on IP addresses. One possible way is to extend the XML which is rendered by the Sysconfig as already described in several posts (e.g. even more RSS feeds in SysConfig). This time I directly created a perl config file “Kernel/Config/Files/ZZZIPCheck.pm” which contains the needed configuration:

$Self->{'Ticket::Frontend::ZoomCollectMetaFilters'}->{'IP-Blacklist'} =  {
  'Meta' => {
    'Name' => 'IP-Blacklist',
    'Target' => '_blank',
    'URL' => 'dnsrb.pl?ip=<MATCH1>',
    'URLPreview' => 'dnsrbl.pl?ip=<MATCH1>',
  },
  'RegExp' => [
    '(\\d{1,3}\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3}))'
  ]
};

If an IP address is found in an article, the references will be displayed in the ticket zoom:

The Perl script

Next step is to create a perl cgi script in the bin/cgi-bin folder of the OTRS installation named dnsrbl.pl:

#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(:standard);
use Net::RBLClient;
my $bl = ['ix.dnsbl.manitu.net','zen.spamhaus.org','b.barracudacentral.org','all.s5h.net','dnsbl-1.uceprotect.net','virbl.dnsbl.bit.nl','proxies.blackhole
s.easynet.nl','cbl.abuseat.org','blackholes.easynet.nl','relays.bl.kundenserver.de','agobot.bl.kundenserver.de'];
my $rbl = Net::RBLClient->new(
    lists => $bl,
    max_time => 5,
    timeout => 1,
    query_txt => 1,
    max_hits => 10,
    server => '8.8.8.8',
);
my $ip = param('ip');
print header(-type  =>  'text/html',
        'X-FRAME-OPTIONS' => 'SAMEORIGIN');
print start_html(-title  =>'IP Blacklist Check',
        -style=>{'src'=>'//cdn.jsdelivr.net/bootstrap/3.3.7/css/bootstrap.min.css'});
print '<div class="container">';
print '<div class="well">';
print h1("Checked IP: $ip");
print '</div>';
my $result = $rbl->lookup($ip);
my @listed_by = $rbl->listed_by;
my @listed_hash = $rbl->listed_hash;
my @listed_txt = $rbl->txt_hash;
 foreach my $list (keys @listed_by){
        print '<div class="alert alert-danger" role="alert">';
        print '<h4>';
        print b($listed_by[$list],": ");
        print p($listed_hash[$list]," ");
        print i($listed_txt[$list]," ");
        print '</h4>';
        print '</div>';
     }
if (! @listed_by) {
        print '<div class="alert alert-success" role="alert">';
        print '<h3>';
        print 'IP not found on blacklist';
        print '</h3>';
        print '</div>';
}
print '</div>';
print end_html;

As the script uses the Net::RBLClient class, it has to be installed first. I used CPAN:

root@otrs:/opt# cpan
cpan[1]> install Net::RBLClient

Floater Output

The floater now will lookup the ip address in the configured RBL and render the page:

Or if no match is found:

I would really like to see your use cases and ideas to use the Information Floater of OTRS 5s, so please leave a comment.

#3
René Kleffel at 18.07.2017, 12:41

Thank you very much. Now it works. The problem was that I only tested with "CVE-2017-058" in the article. Maybe it would be better to match it even if there are no letters before or after. My test with '.*(CVE|CAN)\\-(\\d{3,4})\\-(\\d{2,}).*' on the "CVE-2017-058" doesn't work.

#2
Jens Bothe at 18.07.2017, 10:54

Please check ZZZAuto.pm (thats your Sysconfig settings). Easiest for testing is to switch on the CVE default (Ticket->Ticket::Frontend::ZoomCollectMetaFilters###CVE-...) Collectors and to add an article (note) to the ticket containing some Text like "Test CVE-2017-058 Test". Please also check if 3rd party add ons are installed which overwrite the TicketZoom Template

#1
René Kleffel at 18.07.2017, 10:50

Hello Jens, I can not reproduce the function of the information floater at all. Are there any other configuration options which should be set? After Config::Rebuild the ZZZAAuto.pm shows Self->{'Ticket::Frontend::ZoomCollectMeta'} = '0'; # But it is set in SysConfig to 1 And also not any filter. the log does not show an error in debug mode. Thanks for your help.

Your email address will not be published. Required fields are marked *

This site uses cookies. By continuing to use the site, you agree to the use of cookies. More information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close