From 97cec9d0e810c6cda2d8fd3b8701a223fd75ae74 Mon Sep 17 00:00:00 2001
From: MDLeom <2809763-curben@users.noreply.gitlab.com>
Date: Sat, 17 Dec 2022 00:06:59 +0000
Subject: [PATCH] feat: add csv file for Splunk lookup

- https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions
---
 README.md     | 21 ++++++++++++++++++++-
 src/script.sh | 33 +++++++++++++++++++++++----------
 2 files changed, 43 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index 3f97f765..e48548bc 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@
   - [Snort2](#snort2)
   - [Snort3](#snort3)
   - [Suricata](#suricata)
+  - [Splunk](#splunk)
 - [Compressed version](#compressed-version)
 - [Reporting issues](#issues)
 - [See also](#see-also)
@@ -41,8 +42,9 @@ There are multiple formats available, refer to the appropriate section according
 - [Snort2](#snort2)
 - [Snort3](#snort3)
 - [Suricata](#suricata)
+- [Splunk](#splunk)
 
-Not sure which format to choose? See [Compatibility](https://gitlab.com/malware-filter/urlhaus-filter/wikis/compatibility) page.
+For other programs, see [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
 
 Check out my other filters:
 
@@ -468,6 +470,23 @@ rule-files:
 
 </details>
 
+## Splunk
+
+A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions). This ruleset includes online URLs only.
+
+- https://malware-filter.gitlab.io/malware-filter/phishing-filter-splunk.csv
+
+<details>
+<summary>Mirrors</summary>
+
+- https://curbengh.github.io/malware-filter/phishing-filter-splunk.csv
+- https://curbengh.github.io/phishing-filter/phishing-filter-splunk.csv
+- https://malware-filter.gitlab.io/phishing-filter/phishing-filter-splunk.csv
+- https://malware-filter.pages.dev/phishing-filter-splunk.csv
+- https://phishing-filter.pages.dev/phishing-filter-splunk.csv
+
+</details>
+
 ## Compressed version
 
 All filters are also available as gzip- and brotli-compressed.
diff --git a/src/script.sh b/src/script.sh
index 2c8e602e..deff1cd3 100644
--- a/src/script.sh
+++ b/src/script.sh
@@ -209,12 +209,12 @@ rm "phishing-url-top-domains.txt" "phishing-url-top-domains-raw.txt"
 set +x
 
 while read URL; do
-  HOST=$(echo "$URL" | cut -d"/" -f1)
-  URI=$(echo "$URL" | sed "s/^$HOST//")
+  DOMAIN=$(echo "$URL" | cut -d"/" -f1)
+  PATHNAME=$(echo "$URL" | sed "s/^$DOMAIN//")
 
-  if [ -z "$URI" ] || [ "$URI" = "/" ]; then
+  if [ -z "$PATHNAME" ] || [ "$PATHNAME" = "/" ]; then
     ## Separate host-only URL
-    echo "$HOST" | \
+    echo "$DOMAIN" | \
     cut -f 1 -d ":" >> "phishing-notop-domains-temp.txt"
   elif test "${URL#*safelinks.protection.outlook.com}" != "$URL"; then
     ## Parse hostname from O365 safelink
@@ -359,7 +359,8 @@ set +x
 ## Snort & Suricata rulesets
 rm "../public/phishing-filter-snort2.rules" \
   "../public/phishing-filter-snort3.rules" \
-  "../public/phishing-filter-suricata.rules"
+  "../public/phishing-filter-suricata.rules" \
+  "../public/phishing-filter-splunk.csv"
 
 SID="200000001"
 while read DOMAIN; do
@@ -369,27 +370,36 @@ while read DOMAIN; do
 
   SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"phishing-filter phishing website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
 
+  SP_RULE="\"$DOMAIN\",\"\",\"phishing-filter phishing website detected\",\"$CURRENT_TIME\""
+
   echo "$SN_RULE" >> "../public/phishing-filter-snort2.rules"
   echo "$SN3_RULE" >> "../public/phishing-filter-snort3.rules"
   echo "$SR_RULE" >> "../public/phishing-filter-suricata.rules"
+  echo "$SP_RULE" >> "../public/phishing-filter-splunk.csv"
 
   SID=$(( $SID + 1 ))
 done < "phishing-notop-domains.txt"
 
 while read URL; do
-  HOST=$(echo "$URL" | cut -d"/" -f1)
-  URI=$(echo "$URL" | sed -e "s/^$HOST//" -e "s/;/\\\;/g")
+  DOMAIN=$(echo "$URL" | cut -d"/" -f1)
+  # escape ";"
+  PATHNAME=$(echo "$URL" | sed -e "s/^$DOMAIN//" -e "s/;/\\\;/g")
 
   # Snort2 only supports <=2047 characters of `content`
-  SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"phishing-filter phishing website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $URI | cut -c -2047)\"; http_uri; nocase; content:\"$HOST\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
+  SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"phishing-filter phishing website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $PATHNAME | cut -c -2047)\"; http_uri; nocase; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
 
-  SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"phishing-filter phishing website detected\"; http_header:field host; content:\"$HOST\",nocase; http_uri; content:\"$URI\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
+  SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"phishing-filter phishing website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; http_uri; content:\"$PATHNAME\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
 
-  SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"phishing-filter phishing website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$URI\"; endswith; nocase; http.host; content:\"$HOST\"; classtype:attempted-recon; sid:$SID; rev:1;)"
+  SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"phishing-filter phishing website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$PATHNAME\"; endswith; nocase; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
+
+  PATHNAME=$(echo "$URL" | sed "s/^$DOMAIN//")
+
+  SP_RULE="\"$DOMAIN\",\"$PATHNAME\",\"phishing-filter phishing website detected\",\"$CURRENT_TIME\""
 
   echo "$SN_RULE" >> "../public/phishing-filter-snort2.rules"
   echo "$SN3_RULE" >> "../public/phishing-filter-snort3.rules"
   echo "$SR_RULE" >> "../public/phishing-filter-suricata.rules"
+  echo "$SP_RULE" >> "../public/phishing-filter-splunk.csv"
 
   SID=$(( $SID + 1 ))
 done < "phishing-url-top-domains-raw.txt"
@@ -406,6 +416,9 @@ sed -i "1s/Domains Blocklist/URL Snort3 Ruleset/" "../public/phishing-filter-sno
 sed -i '1 i\'"$COMMENT"'' "../public/phishing-filter-suricata.rules"
 sed -i "1s/Domains Blocklist/URL Suricata Ruleset/" "../public/phishing-filter-suricata.rules"
 
+sed -i -e '1 i\'"$COMMENT"' ' -e '1 i\"host","path","message","updated"' "../public/phishing-filter-splunk.csv"
+sed -i "1s/Domains Blocklist/URL Splunk Lookup/" "../public/phishing-filter-splunk.csv"
+
 
 ## IE blocklist
 COMMENT_IE="msFilterList\n$COMMENT\n: Expires=1\n#"