RedELK
New alarm: Abuse.ch SSLBL Botnet C2 IP Blacklist
Create new alarm to check for Abuse.ch SSLBL Botnet C2 IP Blacklist
The question is what do we check and compare to the blacklist. Right now, RedELK has no clear view on what IPs are part of the red team infra, e.g. iplist_entireredteaminfraops.conf (bad name but you get the point). This should be created first, and I see options to automate this.
Would make sense to import all the IPs from Abuse.ch etc. into ES and query from there, match with imported IPs from red team (infra) and alarm when matched. Some work to do. Lower prio for now.
After discussion with @fastlorenzo we are moving this out of the beta6 milestone, lower prio.
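As an added illustration, not RedELK's own code, here is the matching step the discussion above describes done stand-alone in Python on constructed data instead of through Elasticsearch: it parses an Abuse.ch SSLBL IP list (assumed layout: `#` comment lines, then `Firstseen,DstIP,DstPort` columns), reads a hypothetical `iplist_entireredteaminfraops.conf` of IPs/CIDRs, and returns one alarm per blacklisted IP that falls inside the red team infra.

```python
"""Match red team infra IPs against the Abuse.ch SSLBL Botnet C2 IP list."""
import csv
import ipaddress

# Constructed sample in the assumed layout of Abuse.ch's sslipblacklist.csv:
# '#' comment lines, then Firstseen,DstIP,DstPort rows.
SSLBL_CSV = """\
# abuse.ch SSLBL Botnet C2 IP Blacklist (constructed sample)
# Firstseen,DstIP,DstPort
2024-03-01 10:15:00,203.0.113.10,443
2024-03-02 08:00:00,198.51.100.77,8443
2024-03-03 12:30:00,192.0.2.200,443
"""

# Constructed sample of the hypothetical iplist_entireredteaminfraops.conf:
# one IP or CIDR per line, '#' comments allowed (this format is an assumption).
REDTEAM_INFRA_CONF = """\
# redirectors and C2 servers (constructed)
203.0.113.10
198.51.100.64/26
"""

def parse_sslbl(text):
    """Return {ip_address: (firstseen, dst_port)} from SSLBL CSV text."""
    rows = (ln for ln in text.splitlines() if ln and not ln.startswith("#"))
    entries = {}
    for firstseen, dst_ip, dst_port in csv.reader(rows):
        entries[ipaddress.ip_address(dst_ip.strip())] = (firstseen, int(dst_port))
    return entries

def parse_infra(text):
    """Return ip_network objects; a bare IP becomes a /32 (or /128) network."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def check_blacklist(sslbl_text, infra_text):
    """Return one alarm dict per blacklisted IP that lies inside red team infra."""
    blacklist = parse_sslbl(sslbl_text)
    alarms = []
    for net in parse_infra(infra_text):
        for ip, (firstseen, port) in blacklist.items():
            if ip in net:   # version mismatch (v4 vs v6) simply yields False
                alarms.append({"ip": str(ip), "port": port,
                               "firstseen": firstseen, "infra": str(net)})
    return sorted(alarms, key=lambda a: a["ip"])

if __name__ == "__main__":
    for a in check_blacklist(SSLBL_CSV, REDTEAM_INFRA_CONF):
        print(f"ALARM: {a['ip']}:{a['port']} in {a['infra']}, listed since {a['firstseen']}")
```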