New alarms #41

Closed
MarcOverIP opened this issue Aug 14, 2020 · 3 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

MarcOverIP (Member) commented Aug 14, 2020

I would like to see the following alarms added as part of alarm.py:

  1. alarm for status change of domain classifications in bluecheck index. Alarm on any change!
  2. alarm when a domain has a 'bad' classification. Bad is defined in the list that is already added as comment to alarm_check4 in alarm.py. This list of bad words comes from a review of classes defined by the domain checkers as currently supported by chameleon.py
  3. alarm when an IP listed in /etc/redelk/iplist_blueteams.conf touches any part of our infra, so regardless of proxy destination. As one may have collected a list of egress IPs of blue teams during the years, this alarm may serve as an early warning for any type of investigation. I'm not sure this list should be pre-populated as part of the RedELK package. But having the option to have alarms from a specific IP can be very useful
  4. alarm when any connection is sent to proxy destination 'alarm'. This is a hardcoded name. But it allows the red team operators to still get an alarm from RedELK when specific logic on the redirector has determined this should get an alarm.

Desired modifications to alarm.py are:

  1. when reading config files, adhere to comments mid-line. So stop reading after a # character
  2. be able to read IP subnets in config files and translate as such in ES queries. This should not be that hard as ES is IP and subnet aware.
@MarcOverIP MarcOverIP added enhancement New feature or request help wanted Extra attention is needed labels Aug 14, 2020
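As an added illustration of items 1 and 2 of the requested alarm.py changes and of alarm 3 above (this is example code written for this page, not RedELK's own alarm.py): a parser for an iplist-style config that stops reading at a mid-line `#`, accepts both single IPs and CIDR subnets, turns the result into an Elasticsearch query (ES `ip` fields accept CIDR notation in a `term` query), and runs the same match offline over a few constructed events. The field name `src_ip`, the config contents and the events are assumptions, not RedELK's real schema or data.

```python
"""Added example (not RedELK's own alarm.py): parse an IP/subnet list
with mid-line '#' comments and turn it into both an Elasticsearch query
and an offline matcher."""
import ipaddress
import json

# Constructed sample of an iplist-style config file. The field name
# "src_ip" and this file layout are assumptions, not RedELK's real schema.
SAMPLE_CONF = """\
# egress IPs seen from blue teams over the years
203.0.113.7          # single host
198.51.100.0/24      # whole range
   # indented comment-only line
2001:db8:dead::/48   # IPv6 works too
not-an-ip            # should be rejected, not crash the alarm
"""


def parse_ip_list(text):
    """Return (networks, rejected). A '#' starts a comment anywhere in the
    line; blank and comment-only lines are skipped; bare IPs become /32 or /128.
    Garbage entries are collected instead of raising, so one typo in the
    config does not silence the whole alarm."""
    networks, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def build_es_query(networks, field="src_ip"):
    """Elasticsearch 'ip'-typed fields accept CIDR notation directly in a
    term query, so each network becomes one should-clause and
    minimum_should_match=1 gives OR semantics."""
    return {
        "query": {
            "bool": {
                "should": [{"term": {field: str(n)}} for n in networks],
                "minimum_should_match": 1,
            }
        }
    }


def match_events(events, networks, field="src_ip"):
    """Offline equivalent of the query: return events whose `field` lies in
    any listed network. Missing or unparseable addresses never match."""
    hits = []
    for ev in events:
        try:
            addr = ipaddress.ip_address(ev.get(field, ""))
        except ValueError:
            continue
        if any(addr in n for n in networks):
            hits.append(ev)
    return hits


# Constructed sample events, not real RedELK redirector logs.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "backend": "c2-https"},
    {"src_ip": "198.51.100.42", "backend": "decoy-www"},
    {"src_ip": "192.0.2.9", "backend": "c2-https"},
    {"src_ip": "2001:db8:dead:beef::1", "backend": "c2-dns"},
    {"backend": "no-src-ip-field"},
]

if __name__ == "__main__":
    nets, bad = parse_ip_list(SAMPLE_CONF)
    print("rejected entries:", bad)
    print(json.dumps(build_es_query(nets), indent=2))
    for hit in match_events(SAMPLE_EVENTS, nets):
        print("ALARM blue team traffic:", hit)
```

Because the match is on the source address alone and not on the backend, a hit on a decoy or static backend fires just like a hit on the C2 backend, which is the "regardless of proxy destination" behaviour item 3 asks for.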
fastlorenzo (Collaborator) commented:

PR #58 adds support for Microsoft Teams connector to send notifications

@MarcOverIP MarcOverIP added this to the v2.0.0-beta.4 milestone Nov 4, 2020
fastlorenzo (Collaborator) commented:

Let's make the following alarm names:

  1. alarm_domainchange

  2. alarm_baddomain

  3. alarm_bttraffic

  4. alarm_httpstatic

  5. should be an enhancement of existing alarms

  6. same as 5.

xychix pushed a commit that referenced this issue Nov 17, 2020
Issue #41 item 4 added an alarm, patched a few others
Alarm is alarm_backendalarm, which alarms if there are new lines related to a backend with *alarm* in its name,
MarcOverIP added a commit that referenced this issue Nov 27, 2020
Issue #41 item 4 added an alarm, patched a few others
@MarcOverIP MarcOverIP removed this from the v2.0.0-beta.4 milestone Nov 27, 2020
xychix (Collaborator) commented Nov 27, 2020

1,2,4 moved to separate issues.

@xychix xychix closed this as completed Nov 27, 2020