Intevation / intelmq-fody

Web interface to IntelMQ

Easily see what a ticket is about #64

Closed bernhardreiter closed 6 years ago

bernhardreiter commented 6 years ago

Notified people might ask back, giving just the ticket number as information. The intelmq-cb-mailgen operator wants to see roughly what this ticket is about, to decide if she needs to inquire further or can just send a short reply back pointing to an FAQ entry.

bernhardreiter commented 6 years ago

Analysis

If the number of events is below loadingLimit (in Tickets.vue, currently 50000), the events will be loaded into a table and can be inspected. Drawbacks: may take a few seconds in case of many events, or may not work at all if over loadingLimit.

Sometimes the information given for the recipient is already enough: fody calls /api/tickets/getRecipient?ticketnumber=? and displays recipient.notification_format and recipient.medium if available.

Solution ideas

Always display some events, even when over the loading limit. Needs extension of fody-backend.

Check if more details can be transported via /api/tickets/getRecipient?, which would be faster than loading a lot of events.

bernhardreiter commented 6 years ago

More recipient infos

recipient is a full directives object and carries the following information:

CREATE TABLE directives (
    id BIGSERIAL UNIQUE PRIMARY KEY,
    events_id BIGINT NOT NULL,
    sent_id BIGINT,

    medium VARCHAR(100) NOT NULL,
    recipient_address VARCHAR(100) NOT NULL,
    template_name VARCHAR(100) NOT NULL,
    notification_format VARCHAR(100) NOT NULL,
    event_data_format VARCHAR(100) NOT NULL,
    aggregate_identifier TEXT[][],
    notification_interval INTERVAL NOT NULL,
    endpoint ip_endpoint NOT NULL,

    inserted_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,

    FOREIGN KEY (events_id) REFERENCES events(id),
    FOREIGN KEY (sent_id) REFERENCES sent(id)
);

Candidates for solving could be template_name and event_data_format, depending on the uniqueness of those values to solve the use case.

bernhardreiter commented 6 years ago

The limiting solution has to change https://github.com/Intevation/intelmq-fody-backend/blob/master/checkticket_api/checkticket_api/serve.py#L119 to accept an optional limiting parameter and use https://www.postgresql.org/docs/9.5/static/queries-limit.html in the SQL query.
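An added example, not code from fody-backend, of how such an optional limit could be accepted safely: the value is validated and capped, then applied as a bound parameter of the LIMIT clause instead of being interpolated into the SQL string. The join and column names (events, directives, sent.intelmq_ticket) and the 10k cap are assumptions for illustration.

```python
# Added example (not fody-backend code): build the events-by-ticket query with
# an optional, bounded LIMIT passed as a bind parameter, so a client-supplied
# value can only change how many rows come back, never the query itself.
from typing import Optional, Tuple

MAX_LIMIT = 10_000  # assumed cap, in the spirit of "always display at least 10k events"


def parse_limit(raw: Optional[str]) -> Optional[int]:
    """Validate an optional ?limit= query-string value.

    Returns None when no limit was requested, the capped integer otherwise,
    and raises ValueError for anything that is not a plain non-negative integer
    (negatives, whitespace, or SQL fragments are all rejected here).
    """
    if raw is None or raw == "":
        return None
    if not raw.isdigit():
        raise ValueError("limit must be a non-negative integer")
    return min(int(raw), MAX_LIMIT)


def events_for_ticket_query(ticketnumber: str,
                            limit: Optional[int]) -> Tuple[str, tuple]:
    """Return (sql, params) using psycopg2-style %s placeholders.

    Table and column names are assumed for this example; the point is that
    both the ticket number and the limit travel as parameters.
    """
    sql = ("SELECT e.* FROM events e "
           "JOIN directives d ON d.events_id = e.id "
           "JOIN sent s ON s.id = d.sent_id "
           "WHERE s.intelmq_ticket = %s "
           "ORDER BY e.id")
    params = [ticketnumber]
    if limit is not None:
        sql += " LIMIT %s"
        params.append(limit)
    return sql, tuple(params)


if __name__ == "__main__":
    # Constructed request values, as a handler would receive them from the query string.
    print(events_for_ticket_query("20170809-10001", parse_limit("20")))
    print(events_for_ticket_query("20170809-10001", parse_limit(None)))
```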

bernhardreiter commented 6 years ago

Both ways will be implemented.

f05ec8c574efcf25bd3b3a3ea993fbdb0522455b implements the behaviour to always display at least 10k events. (Needs an updated fody-backend.)

bernhardreiter commented 6 years ago

Implemented a better display, now displaying a table with

===================
To: abuse@example.net
Medium: email (2017-08-09 14:57:16 UTC)        <- medium ( sent_at )
Format: unknown/csv_malware                    <- notification_format/event_data_format
Template:   shadowserver_csv_malware
===================

bernhardreiter commented 6 years ago

Implemented with b0437cffc8f52aaff6eaccd7b3ca19c86b5b8160