New alarm: Abuse.ch SSLBL Botnet C2 IP Blacklist #125
Labels
alarm
Related to RedELK alarms
elkserver
Related to RedELK server components
enhancement
New feature or request
Comments
fastlorenzo
changed the title
|
The question is what do we check and compare to the blacklist. Right now, RedELK has no clear view on what IPs are part of the red team infra, e.g. iplist_entireredteaminfraops.conf (bad name but you get the point). This should be created first, and I see options to automate this. |
fastlorenzo
added
elkserver
|
Would make sense to import all the IPs from Abuse etc into ES and query from there, match with imported IPs from red team (infra) and alarm when matched. Some work to do. Lower prio for now. |
|
After discussion with @fastlorenzo we are moving this out of the beta6 milestone, lower prio. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Create new alarm to check for Abuse.ch SSLBL Botnet C2 IP Blacklist
The text was updated successfully, but these errors were encountered: