diff --git a/README.md b/README.md index bc0dfea9..6457a67c 100644 --- a/README.md +++ b/README.md @@ -165,21 +165,11 @@ This blocklist includes domains only. This blocklist includes domains only. -### Install +Save the ruleset to "/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. -``` -# Create a new folder to store the blocklist -mkdir -p /usr/local/etc/dnsmasq/ +Configure dnsmasq to use the blocklist: -# Create a new cron job for daily update -printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-dnsmasq.conf" -o "/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf"\n' > /etc/cron.daily/phishing-filter - -# cron job requires execution permission -chmod 755 /etc/cron.daily/phishing-filter - -# Configure dnsmasq to use the blocklist -printf "\nconf-file=/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf -``` +`printf "\nconf-file=/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf\n" >> /etc/dnsmasq.conf` - https://malware-filter.gitlab.io/malware-filter/phishing-filter-dnsmasq.conf @@ -198,21 +188,11 @@ printf "\nconf-file=/usr/local/etc/dnsmasq/phishing-filter-dnsmasq.conf\n" >> /e This blocklist includes domains only. -### Install +Save the ruleset to "/usr/local/etc/bind/phishing-filter-bind.conf". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. -``` -# Create a new folder to store the blocklist -mkdir -p /usr/local/etc/bind/ +Configure BIND to use the blocklist: -# Create a new cron job for daily update -printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-bind.conf" -o "/usr/local/etc/bind/phishing-filter-bind.conf"\n' > /etc/cron.daily/phishing-filter - -# cron job requires execution permission -chmod 755 /etc/cron.daily/phishing-filter - -# Configure BIND to use the blocklist -printf '\ninclude "/usr/local/etc/bind/phishing-filter-bind.conf";\n' >> /etc/bind/named.conf -``` +`printf '\ninclude "/usr/local/etc/bind/phishing-filter-bind.conf";\n' >> /etc/bind/named.conf` Add this to "/etc/bind/null.zone.file" (skip this step if the file already exists): @@ -266,21 +246,11 @@ This blocklist includes domains only. This blocklist includes domains only. -### Install +Save the rulesets to "/usr/local/etc/unbound/phishing-filter-unbound.conf". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. -``` -# Create a new folder to store the blocklist -mkdir -p /usr/local/etc/unbound/ +Configure Unbound to use the blocklist: -# Create a new cron job for daily update -printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-unbound.conf" -o "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' > /etc/cron.daily/phishing-filter - -# cron job requires execution permission -chmod 755 /etc/cron.daily/phishing-filter - -# Configure Unbound to use the blocklist -printf '\n include: "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf -``` +`printf '\n include: "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' >> /etc/unbound/unbound.conf` - https://malware-filter.gitlab.io/malware-filter/phishing-filter-unbound.conf @@ -297,19 +267,7 @@ printf '\n include: "/usr/local/etc/unbound/phishing-filter-unbound.conf"\n' >> ## dnscrypt-proxy -### Install - -``` -# Create a new folder to store the blocklist -mkdir -p /etc/dnscrypt-proxy/ - -# Create a new cron job for daily update -printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-names.txt" -o "/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-names.txt"\n' > /etc/cron.daily/phishing-filter -printf '\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-dnscrypt-blocked-ips.txt" -o "/etc/dnscrypt-proxy/phishing-filter-dnscrypt-blocked-ips.txt"\n' >> /etc/cron.daily/phishing-filter - -# cron job requires execution permission -chmod 755 /etc/cron.daily/phishing-filter -``` +Save the rulesets to "/etc/dnscrypt-proxy/". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. Configure dnscrypt-proxy to use the blocklist: @@ -362,21 +320,11 @@ This blocklist includes domains only. This ruleset includes online URLs only. Not compatible with [Snort3](#snort3). -### Install +Save the ruleset to "/etc/snort/rules/phishing-filter-snort2.rules". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. -``` -# Download ruleset -curl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules" +Configure Snort to use the ruleset: -# Create a new cron job for daily update -printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort2.rules" -o "/etc/snort/rules/phishing-filter-snort2.rules"\n' > /etc/cron.daily/phishing-filter - -# cron job requires execution permission -chmod 755 /etc/cron.daily/phishing-filter - -# Configure Snort to use the ruleset -printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snort.conf -``` +`printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snort.conf` - https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort2.rules @@ -395,18 +343,7 @@ printf "\ninclude \$RULE_PATH/phishing-filter-snort2.rules\n" >> /etc/snort/snor This ruleset includes online URLs only. Not compatible with [Snort2](#snort2). -### Install - -``` -# Download ruleset -curl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules" - -# Create a new cron job for daily update -printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-snort3.rules" -o "/etc/snort/rules/phishing-filter-snort3.rules"\n' > /etc/cron.daily/phishing-filter - -# cron job requires execution permission -chmod 755 /etc/cron.daily/phishing-filter -``` +Save the ruleset to "/etc/snort/rules/phishing-filter-snort3.rules". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. Configure Snort to use the ruleset: @@ -436,18 +373,7 @@ ips = This ruleset includes online URLs only. -### Install - -``` -# Download ruleset -curl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules" - -# Create a new cron job for daily update -printf '#!/bin/sh\ncurl -L "https://malware-filter.gitlab.io/malware-filter/phishing-filter-suricata.rules" -o "/etc/suricata/rules/phishing-filter-suricata.rules"\n' > /etc/cron.daily/phishing-filter - -# cron job requires execution permission -chmod 755 /etc/cron.daily/phishing-filter -``` +Save the ruleset to "/etc/suricata/rules/phishing-filter-suricata.rules". Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) for auto-update. Configure Suricata to use the ruleset: @@ -475,6 +401,8 @@ rule-files: A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions). This ruleset includes online URLs only. +Either upload the file via GUI or save the file in `$SPLUNK_HOME/Splunk/etc/system/lookups` or app-specific `$SPLUNK_HOME/etc/YourApp/apps/search/lookups`. Refer to this [guide](https://gitlab.com/malware-filter/malware-filter/wikis/update-filter) or [Getwatchlist](https://splunkbase.splunk.com/app/635) app for auto-update. + - https://malware-filter.gitlab.io/malware-filter/phishing-filter-splunk.csv