Notifications - Using RINO IODEF for Automated Processing
For sites that choose to automatically ingest REN-ISAC notifications into their incident handling or ticketing system, we heartily recommend processing the IODEF attachment provided with the notification e-mail rather than parsing the e-mail body text. The format of the body text will change over time; the IODEF is intended to remain consistently parseable.
That said, please note that our provision of the IODEF attachment is a beta implementation (as of June 2011), and as with all betas, there might be need for some tweaking.
If you would like to have advance notice of improvements or changes that we make to the notifications automation, send an e-mail to soc@ren-isac.net. Request to be added to our "notification-interest" distribution list. The list will be used only for distributing information about our notification processes and automation. List names and addresses will not be shared for any other purpose.
To facilitate processing of the notification IODEF attachments, a Perl module, RINO::Client, is available. The module can be used directly or as a sample for your own code. A command-line script employing the module is included in the distribution.
Pane 1 (below) shows the RINO::Client documentation.
Sample outputs from the command line script, utilizing 'table', 'csv', and 'json' options are provided in Panes 2, 3 and 4 respectively.
Pane 5 shows Data::Dumper sample results of the 'to_simple' method of RINO::Client, and Pane 6 the results of the 'to_hash' method.
Pane 7 shows the IODEF source used as input for the sample runs.
Pane 8 shows the notification e-mail body that would accompany the IODEF in Pane 7.
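As an added example, not code from the RINO::Client distribution (which is Perl), the Python script below takes the attachment route recommended above: it pulls the IODEF attachment out of a notification e-mail and flattens each Incident into a record, roughly in the spirit of the 'to_simple' method. The IODEF document, the attachment filename and its MIME type are constructed assumptions; the real notification's values may differ.

```python
import email
from email import policy
from email.message import EmailMessage
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}  # IODEF v1 namespace (RFC 5070)

# Constructed minimal IODEF document; it is not a real RINO notification.
SAMPLE_IODEF = b"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
 <Incident purpose="reporting">
  <IncidentID name="example.test">EXAMPLE-0001</IncidentID>
  <ReportTime>2011-06-01T12:00:00+00:00</ReportTime>
  <Assessment><Impact severity="medium" completion="succeeded" type="info-leak"/></Assessment>
  <EventData><Flow><System category="source"><Node><Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow></EventData>
 </Incident>
</IODEF-Document>
"""

def build_sample_notification():
    """Constructed notification e-mail: human-readable body plus the IODEF attachment."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "sender@example.test", "Constructed sample notification"
    msg.set_content("Human-readable body; its layout may change, so it is never parsed.")
    # Attachment MIME type and filename are assumptions, not RINO's actual values.
    msg.add_attachment(SAMPLE_IODEF, maintype="application", subtype="xml",
                       filename="notification.iodef.xml")
    return bytes(msg)

def extract_iodef(raw):
    """Return the decoded bytes of the first XML attachment, or None if there is none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype in ("application/xml", "text/xml") or (part.get_filename() or "").endswith(".xml"):
            return part.get_payload(decode=True)
    return None

def to_simple(xml_bytes):
    """Flatten each Incident into a dict: id, report time, severity and all Address values."""
    root = ET.fromstring(xml_bytes)  # stdlib ET does not resolve external entities
    records = []
    for inc in root.findall("iodef:Incident", NS):
        impact = inc.find(".//iodef:Impact", NS)
        records.append({
            "id": inc.findtext("iodef:IncidentID", default="", namespaces=NS),
            "report_time": inc.findtext("iodef:ReportTime", default="", namespaces=NS),
            "severity": impact.get("severity", "") if impact is not None else "",
            "addresses": [a.text for a in inc.findall(".//iodef:Address", NS)],
        })
    return records
```

To run it against a saved notification, pass the raw message bytes to extract_iodef and the result to to_simple; for mail from unknown senders, defusedxml is the safer parser.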
____________________________________________________________
Pane 1: RINO::Client documentation
____________________________________________________________
Pane 2: 'rino' script 'table' output
____________________________________________________________
Pane 3: 'rino' script 'csv' output
____________________________________________________________
Pane 4: 'rino' script 'json' output
____________________________________________________________
Pane 5: Data::Dumper 'to_simple' method output
____________________________________________________________
Pane 6: Data::Dumper of 'to_hash' method output
____________________________________________________________
Pane 7: IODEF source
____________________________________________________________
Pane 8: E-Mail Notification