

RT for Incident Response is an open source, industrial-grade
incident-handling tool designed to provide a simple, effective
workflow for members of CERT and CSIRT teams. It allows team members
to track, respond to and deal with reported incidents and features a
number of tools to make common operations quick and easy.  RTIR is
built on top of "RT," which is also available for free from Best
Practical Solution at

To purchase commercial support, training or custom development for RT
or RTIR, please contact Best Practical at


This is a development version of RTIR.  Before using this version of
RTIR, back up your database and any local modifications.

If you intend to deploy RTIR, or any other software, in a production
environment, we recommend that you first install and test it in a
staging environment to ensure that it meets your needs.

Changes since RTIR 1.0.x

Full integration with RT 3.4.

New Search UI

	This includes a 3.4-style search UI, and menu changes to
	accommodate this.  Instead of search results and criteria being
	displayed on a single page, you can now choose the 'Refine'
	menu option to refine your search and re-run it after you've
	added all of your criteria.

Configurable Search Results

	Search result formats are configurable in, so you
	can easily choose which fields you would like to have displayed
	for RTIR searches.

Standardized Components

	RTIR 1.2 uses more of RT's core components, making it easier
	to customize and maintain.


	Scrip actions and conditions are now in Perl modules, so that
	they're easier to customize.


	Service Level Agreement (SLA) calculations are now handled by
	the Business::SLA module, which offers more flexibility.  You
	can specify SLAs with business minutes, real minutes, or both.


o   RT 3.4.0 or later, configured, installed and tested.

o   The Business::Hours module (version 0.05 or later)

o   The Business::SLA module

o   The Net::Whois::RIPE module

Upgrade instructions:

If you've installed a prior version of RTIR, you may need to follow
special steps to upgrade.  See the UPGRADING file for detailed

Installation instructions:

1) Once RT 3.4 and the other required packages have been installed and
   appear to be working properly, cd to the directory into which you
   unpacked RTIR.

2) Run "perl Makefile.PL" to generate a makefile for RTIR. 

3) Type "make install".

4) Add the following lines to your file:

   # The RTIR config file

   $RTIR_CONFIG_FILE = $RT::LocalEtcPath."/IR/";

   require $RTIR_CONFIG_FILE
     || die ("Couldn't load RTIR config file '$RTIR_CONFIG_FILE'\n$@");

5) If you are installing RTIR for the first time, initialize the RTIR
   database by typing "make initdb".

   WARNING: Do not attempt to re-initialize the database if you are

6) Stop and start your web server.  

Configuring RTIR

1) Using RT's configuration interface, add the email address
   of the Network Operations Team (the people who will handle
   activating and removing Blocks) as AdminCC on the Blocks queue.

2) You may want to modify the email messages that are automatically
   sent on the creation of Investigations and Blocks.  The templates
   are "LaunchMessage" in the Investigations queue and "NewMessage" in
   the Blocks queue.

3) By default, RT ships with a number of global Scrips.  You should use
   RT's configuration interface to look through them, and disable any
   that aren't appropriate in your environment.

4) Add staff members who handle incidents to the DutyTeam group.

5) You can override values in the in your file. Just add your customizations after the "require" 
   line mentioned above.


An alias for the Incident Reports queue will need to be made in either
your global mail aliases file (if you are using NIS) or locally on your
Add the following lines to /etc/aliases (or your local equivalent) :

rtir:         "|/opt/rt3/bin/rt-mailgate --queue 'Incident Reports' --action correspond --url http://localhost/"

You should substitute the URL for RT's web interface for "http://localhost/".


To report a bug, send email to