outflanknl / RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
BSD 3-Clause "New" or "Revised" License

New alarm: Abuse.ch SSLBL Botnet C2 IP Blacklist #125

Open fastlorenzo opened 3 years ago

fastlorenzo commented 3 years ago

Create new alarm to check for Abuse.ch SSLBL Botnet C2 IP Blacklist

MarcOverIP commented 3 years ago

The question is what do we check and compare to the blacklist. Right now, RedELK has no clear view on what IPs are part of the red team infra, e.g. iplist_entireredteaminfraops.conf (bad name but you get the point). This should be created first, and I see options to automate this.

MarcOverIP commented 2 years ago

Would make sense to import all the IPs from Abuse etc into ES and query from there, match with imported IPs from red team (infra) and alarm when matched. Some work to do. Lower prio for now.

MarcOverIP commented 2 years ago

After discussion with @fastlorenzo we are moving this out of the beta6 milestone, lower prio.
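The matching step MarcOverIP sketches above (pull the Abuse.ch SSLBL IP list in, match it against the red team's own infrastructure IPs, alarm on overlap) is simple enough to prototype offline. The block below is an added example, not RedELK's code and not an alarm module from the project. It assumes the SSLBL CSV feed uses a `# Firstseen,DstIP,DstPort` column layout with `#` comment lines, and it assumes the proposed `iplist_entireredteaminfraops.conf` is one IP or CIDR per line with `#` comments; both samples are constructed. The alarm field names are likewise assumed, not RedELK's schema.

```python
"""Added example: check red team infra IPs against the Abuse.ch SSLBL
Botnet C2 IP blacklist and raise an alarm on any overlap. Not RedELK code."""
import ipaddress

# Constructed sample of the SSLBL CSV feed. The "# Firstseen,DstIP,DstPort"
# column layout is an assumption about the feed format.
SSLBL_SAMPLE = """\
################################################################
# abuse.ch SSLBL Botnet C2 IP Blacklist (CSV)                  #
################################################################
#
# Firstseen,DstIP,DstPort
2023-04-01 10:11:12,198.51.100.23,443
2023-04-02 08:00:00,203.0.113.77,8443
2023-04-02 09:30:00,192.0.2.5,443
"""

# Constructed stand-in for iplist_entireredteaminfraops.conf: one IP or
# CIDR per line, '#' comments. The file format is an assumption.
REDTEAM_INFRA_SAMPLE = """\
# redirectors
198.51.100.23
203.0.113.64/26
# C2 backend
192.0.2.200
"""


def parse_sslbl(text):
    """Return {ip: (firstseen, port)} parsed from the SSLBL CSV feed text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3:
            continue  # skip malformed rows instead of crashing the alarm run
        firstseen, ip, port = (p.strip() for p in parts)
        try:
            ip_obj = ipaddress.ip_address(ip)
            port_num = int(port)
        except ValueError:
            continue
        entries[str(ip_obj)] = (firstseen, port_num)
    return entries


def parse_infra(text):
    """Return ip_network objects for every IP/CIDR in the red team infra list."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def find_listed_infra(sslbl, infra_nets):
    """Return sorted (ip, firstseen, port, infra_range) tuples for each
    blacklisted IP that falls inside one of the red team's own ranges."""
    hits = []
    for ip, (firstseen, port) in sslbl.items():
        ip_obj = ipaddress.ip_address(ip)
        for net in infra_nets:
            if ip_obj in net:
                hits.append((ip, firstseen, port, str(net)))
                break
    return sorted(hits)


def build_alarm(hits):
    """Shape an alarm record; field names are assumed, not RedELK's schema."""
    return {
        "alarm": "sslbl_c2_ip_blacklist",
        "count": len(hits),
        "hits": [
            {"ip": ip, "firstseen": fs, "port": port, "infra_range": net}
            for ip, fs, port, net in hits
        ],
    }


if __name__ == "__main__":
    found = find_listed_infra(parse_sslbl(SSLBL_SAMPLE),
                              parse_infra(REDTEAM_INFRA_SAMPLE))
    for h in build_alarm(found)["hits"]:
        print(f"ALARM: infra IP {h['ip']} ({h['infra_range']}) listed on SSLBL "
              f"since {h['firstseen']}, port {h['port']}")
```

On the constructed input two infra addresses (the redirector 198.51.100.23 and 203.0.113.77 inside the 203.0.113.64/26 range) appear on the list and the backend IP does not. Matching against CIDR ranges rather than exact IPs is what makes the infra list worth maintaining: a redirector that rotates within a rented block is still caught.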