
New alarm: Abuse.ch SSLBL SSL Certificate Blacklist

Open fastlorenzo opened this issue 4 years ago • 2 comments

Create new alarm for Abuse.ch SSLBL SSL Certificate Blacklist

fastlorenzo avatar Nov 20 '20 20:11 fastlorenzo

The question is what do we check and compare to the blacklist. Right now, RedELK has no config option or automated way of knowing the certificate used in the operation. This should be included as well before we can check against a blacklist.

Getting that info is prolly not straight-forward. Also, the chance of a red team ops cert being marked by abuse.ch is small (they mostly collect certs from bigger malware/worms/cryptolockers/etc). So this alarm should be regarded as low priority for now.

MarcOverIP avatar Nov 27 '20 15:11 MarcOverIP
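As an added illustration of the comparison the comment is asking about (this is not RedELK code and not part of the issue thread), the block below takes a certificate, derives the SHA-1 fingerprint that SSLBL lists, and looks it up in an SSLBL-style CSV. It assumes the CSV layout `Listingdate,SHA1,Listingreason` with `#` comment lines; the certificate bytes and the CSV contents are constructed samples, not real listings, and one listed entry is deliberately the fingerprint of the constructed certificate so the hit path can be exercised. The same lookup is what a SOC does for certificates observed on the wire, so the logic is the same on either side.

```python
import base64
import csv
import hashlib
import io
from typing import Dict, Optional, Tuple


def cert_sha1(cert: bytes) -> str:
    """Return the lowercase hex SHA-1 fingerprint of a certificate.

    Accepts raw DER bytes or a PEM block. SSLBL fingerprints are taken
    over the DER encoding, so PEM input is base64-decoded first.
    """
    if cert.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        body = b"".join(
            line.strip()
            for line in cert.splitlines()
            if line.strip() and not line.strip().startswith(b"-----")
        )
        cert = base64.b64decode(body)
    return hashlib.sha1(cert).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Normalise 'AB:CD:..' (openssl style) or upper-case hex to SSLBL's lowercase hex."""
    return fp.replace(":", "").strip().lower()


def parse_sslbl(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse an SSLBL-style CSV into {sha1: (listing_date, reason)}.

    Assumed layout: 'Listingdate,SHA1,Listingreason'; lines starting with '#'
    are comments and are skipped, as are short or empty rows.
    """
    listed: Dict[str, Tuple[str, str]] = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#") or len(row) < 3:
            continue
        listing_date, sha1, reason = row[0].strip(), normalize_fingerprint(row[1]), row[2].strip()
        listed[sha1] = (listing_date, reason)
    return listed


def check_certificate(cert: bytes, listed: Dict[str, Tuple[str, str]]) -> Optional[dict]:
    """Return listing details if the certificate's fingerprint is on the list, else None."""
    fp = cert_sha1(cert)
    hit = listed.get(fp)
    if hit is None:
        return None
    return {"sha1": fp, "listing_date": hit[0], "reason": hit[1]}


# Constructed sample inputs (not real certificates): the bytes stand in for DER.
OPERATION_CERT_DER = b"constructed-der-bytes-for-an-unlisted-redirector-cert"
LISTED_CERT_DER = b"constructed-der-bytes-for-a-cert-that-is-listed"
LISTED_CERT_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(LISTED_CERT_DER)
    + b"-----END CERTIFICATE-----\n"
)

# Constructed SSLBL-style feed; the first entry is the fingerprint of LISTED_CERT_DER.
SAMPLE_SSLBL_CSV = f"""\
################################################################
# abuse.ch SSLBL SSL Certificate Blacklist (constructed sample) #
################################################################
# Listingdate,SHA1,Listingreason
2020-11-20 10:00:00,{hashlib.sha1(LISTED_CERT_DER).hexdigest()},Constructed sample listing
2020-11-19 09:30:00,{"ab" * 20},Another constructed listing
"""

SSLBL_LISTED = parse_sslbl(SAMPLE_SSLBL_CSV)

if __name__ == "__main__":
    for label, cert in (("operation cert", OPERATION_CERT_DER), ("listed cert (PEM)", LISTED_CERT_PEM)):
        hit = check_certificate(cert, SSLBL_LISTED)
        print(f"{label}: {'LISTED ' + str(hit) if hit else 'not listed'}")
```

In a real deployment the CSV would be the downloaded SSLBL feed and the certificate would be the one actually served by the redirector or team server; comparing on the DER SHA-1 matters because that is the value SSLBL publishes, and fingerprints copied from tool output are often colon-separated upper-case, which `normalize_fingerprint` folds to the list's form.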

After discussion with @fastlorenzo we are moving this out of the beta6 milestone, lower prio.

MarcOverIP avatar Aug 19 '22 11:08 MarcOverIP