Closed
Labels
enhancement (New feature or request), help wanted (Extra attention is needed)
Description
I would like to see the following alarms added as part of alarm.py:
- alarm for status change of domain classifications in bluecheck index. Alarm on any change!
- alarm when a domain has a 'bad' classification. Bad is defined in the list that is already added as comment to alarm_check4 in alarm.py. This list of bad words comes from a review of classes defined by the domain checkers as currently supported by chameleon.py
- alarm when an IP listed in /etc/redelk/iplist_blueteams.conf touches any part of our infra, so regardless of proxy destination. As one may have collected a list of egress IPs of blue teams during the years, this alarm may serve as an early warning for any type of investigation. I'm not sure this list should be pre-populated as part of the RedELK package. But having the option to have alarms from a specific IP can be very useful
- alarm when any connection is sent to proxy destination 'alarm'. This is a hardcoded name. But it allows the red team operators to still get an alarm from RedELK when specific logic on the redirector has determined this should get an alarm.
Desired modifications to alarm.py are:
- when reading config files, adhere to comments mid-line. So stop reading after a # character
- be able to read IP subnets in config files and translate as such in ES queries. This should not be that hard as ES is IP and subnet aware.
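The two config-reading changes above, as an added example that is not RedELK's own alarm.py code: a parser that stops at a mid-line `#`, accepts bare addresses and CIDR subnets, and turns them into an Elasticsearch query. The config contents, the `src_ip` field name and the choice to skip invalid entries instead of aborting are assumptions for the example.

```python
import ipaddress

# Constructed stand-in for /etc/redelk/iplist_blueteams.conf; all values are made up.
SAMPLE_CONF = """\
# egress ranges of a hypothetical blue team (constructed example)
203.0.113.0/24      # whole range, comment after the value
198.51.100.17       # single host, becomes a /32
   # indented comment-only line
2001:db8::/32
not-an-ip           # invalid entry, skipped
"""


def parse_ip_config(text):
    """Return ip_network objects from config text.

    Everything after '#' is a comment, also mid-line. Blank lines are skipped.
    Bare addresses become /32 or /128 networks. Invalid entries are skipped so
    one typo does not disable the whole alarm run (assumed policy).
    """
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return networks


def build_es_query(networks, field="src_ip"):
    """Build an ES query matching any of the networks.

    ES 'ip' fields accept CIDR notation directly in a term query, so subnets
    need no expansion; single hosts are emitted as plain addresses.
    """
    should = []
    for net in networks:
        value = str(net) if net.num_addresses > 1 else str(net.network_address)
        should.append({"term": {field: value}})
    return {"query": {"bool": {"should": should, "minimum_should_match": 1}}}


def ip_matches(ip, networks):
    """Local check: does an observed IP fall inside any configured range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)
```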