Summary

The Abusehandler.com project offers a simple, out-of-the-box abuse incident handling solution for small ISPs and network operators.

Motivation

Small ISPs and network operators often lack the resources, time, or interest to have a developer work full-time on abuse incident handling automation alone.

More details in Motivation.

What is inside?

(And what are the needed pre-requisites before you can start?)

How do I get it?

See Installation.

Package details

IntelMQ

The package includes IntelMQ, a de-facto standard amongst the national CERTs for automating feeds of vulnerabilities and threat intel data.

IntelMQ is highly flexible, and this setup was tailored especially for small ISPs, with a pre-defined runtime configuration for processing Shadowserver feeds. Before you can start IntelMQ, however, you will need to register at Shadowserver. Getting their feeds is free of charge, but you need to sign up.

Shadowserver data feeds

The Shadowserver Foundation is a nonprofit security organization working altruistically behind the scenes to make the Internet more secure for everyone.

Among global security teams they have a stellar reputation for

  1. providing very high quality (near 0 false positive rate!) intel feeds on vulnerable or hacked systems,
  2. providing very high quality scanning data,
  3. offering this data - for the good of the internet - to the respective network owners.

You can read more about what Shadowserver offers in their What we do description.

For the purposes of Abusehandler.com, we will need an API key from Shadowserver. This key needs to be configured and given to IntelMQ.

You can get an API key here.

Note: it is essential that you provide your ASNs and CIDR blocks in the form; these will be tied to your API key.

Once you have your API key, please continue at the section Configuring IntelMQ.

Note: for those who want to understand exactly how the pre-packaged solution was built from the standard IntelMQ installation, we have a section called Detailed installation and configuration from scratch.

A stub connector to your CRM

The final component you will need is the stub code for connecting to your customer database (CRM system), which you should take a look at. Unfortunately, there is