218 lines
5.7 KiB
Bash
218 lines
5.7 KiB
Bash
#!/bin/sh
|
|
|
|
set -efux -o pipefail
|
|
|
|
## Detect Musl C library
|
|
LIBC="$(ldd /bin/ls | grep 'musl' || [ $? = 1 ])"
|
|
if [ -z "$LIBC" ]; then
|
|
rm -f "/tmp/musl.log"
|
|
# Not Musl
|
|
CSVQUOTE="../utils/csvquote-bin-glibc"
|
|
else
|
|
# Musl
|
|
CSVQUOTE="../utils/csvquote-bin-musl"
|
|
fi
|
|
|
|
|
|
## Create a temporary working folder
|
|
mkdir -p "tmp/"
|
|
cd "tmp/"
|
|
|
|
## Prepare datasets
|
|
curl -L "https://data.phishtank.com/data/$PHISHTANK_API/online-valid.csv.bz2" -o "phishtank.bz2"
|
|
curl -L "https://openphish.com/feed.txt" -o "openphish-raw.txt"
|
|
curl -L "https://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip" -o "top-1m-umbrella.zip"
|
|
curl -L "https://tranco-list.eu/top-1m.csv.zip" -o "top-1m-tranco.zip"
|
|
|
|
bunzip2 -kc "phishtank.bz2" > "phishtank.csv"
|
|
|
|
|
|
## Parse URLs
|
|
cat "phishtank.csv" | \
|
|
## Workaround for column with double quotes
|
|
"./$CSVQUOTE" | \
|
|
cut -f 2 -d "," | \
|
|
"./$CSVQUOTE" -u | \
|
|
sed 's/"//g' | \
|
|
cut -f 3- -d "/" | \
|
|
# Domain must have at least a 'dot'
|
|
grep -F "." | \
|
|
sed "s/^www\.//g" > "phishtank.txt"
|
|
|
|
cat "openphish-raw.txt" | \
|
|
dos2unix | \
|
|
cut -f 3- -d "/" | \
|
|
grep -F "." | \
|
|
sed "s/^www\.//g" > "openphish.txt"
|
|
|
|
## Combine PhishTank and OpenPhish
|
|
cat "phishtank.txt" "openphish.txt" | \
|
|
sort -u > "phishing.txt"
|
|
|
|
## Parse domain and IP address only
|
|
cat "phishing.txt" | \
|
|
cut -f 1 -d "/" | \
|
|
cut -f 1 -d ":" | \
|
|
# #2
|
|
cut -f 1 -d "?" | \
|
|
sort -u > "phishing-domains.txt"
|
|
|
|
|
|
cp "../src/exclude.txt" "."
|
|
|
|
## Parse the Umbrella 1 Million
|
|
unzip -p "top-1m-umbrella.zip" | \
|
|
dos2unix | \
|
|
# Parse domains only
|
|
cut -f 2 -d "," | \
|
|
grep -F "." | \
|
|
# Remove www.
|
|
sed "s/^www\.//g" | \
|
|
sort -u > "top-1m-umbrella.txt"
|
|
|
|
## Parse the Tranco 1 Million
|
|
unzip -p "top-1m-tranco.zip" | \
|
|
dos2unix | \
|
|
# Parse domains only
|
|
cut -f 2 -d "," | \
|
|
grep -F "." | \
|
|
# Remove www.
|
|
sed "s/^www\.//g" | \
|
|
sort -u > "top-1m-tranco.txt"
|
|
|
|
# Merge Umbrella, Traco and self-maintained top domains
|
|
cat "top-1m-umbrella.txt" "top-1m-tranco.txt" "exclude.txt" | \
|
|
sort -u > "top-1m-well-known.txt"
|
|
|
|
|
|
## Parse popular domains
|
|
cat "phishing-domains.txt" | \
|
|
# grep match whole line
|
|
grep -Fx -f "top-1m-well-known.txt" > "phishing-top-domains.txt"
|
|
|
|
|
|
## Exclude popular domains
|
|
cat "phishing-domains.txt" | \
|
|
grep -F -vf "phishing-top-domains.txt" > "phishing-notop-domains.txt"
|
|
|
|
## Parse phishing URLs from popular domains
|
|
cat "phishing.txt" | \
|
|
grep -F -f "phishing-top-domains.txt" | \
|
|
sed "s/^/||/g" | \
|
|
sed "s/$/\$all/g" > "phishing-url-top-domains.txt"
|
|
|
|
|
|
## Merge malware domains and URLs
|
|
CURRENT_TIME="$(date -R -u)"
|
|
FIRST_LINE="! Title: Phishing URL Blocklist"
|
|
SECOND_LINE="! Updated: $CURRENT_TIME"
|
|
THIRD_LINE="! Expires: 1 day (update frequency)"
|
|
FOURTH_LINE="! Repo: https://gitlab.com/curben/phishing-filter"
|
|
FIFTH_LINE="! License: https://creativecommons.org/licenses/by-sa/4.0/"
|
|
SIXTH_LINE="! Source: https://www.phishtank.com/ & https://openphish.com/"
|
|
COMMENT_UBO="$FIRST_LINE\n$SECOND_LINE\n$THIRD_LINE\n$FOURTH_LINE\n$FIFTH_LINE\n$SIXTH_LINE"
|
|
|
|
|
|
cat "phishing-notop-domains.txt" "phishing-url-top-domains.txt" | \
|
|
sort | \
|
|
sed '1 i\'"$COMMENT_UBO"'' > "../dist/phishing-filter.txt"
|
|
|
|
|
|
# Adguard Home
|
|
cat "phishing-notop-domains.txt" | \
|
|
sed "s/^/||/g" | \
|
|
sed "s/$/^/g" > "phishing-domains-adguard-home.txt"
|
|
|
|
cat "phishing-domains-adguard-home.txt" | \
|
|
sort | \
|
|
sed '1 i\'"$COMMENT_UBO"'' | \
|
|
sed "1s/Blocklist/Blocklist (AdGuard Home)/" > "../dist/phishing-filter-agh.txt"
|
|
|
|
|
|
# Adguard browser extension
|
|
cat "phishing-notop-domains.txt" | \
|
|
sed "s/^/||/g" | \
|
|
sed "s/$/\$all/g" > "phishing-domains-adguard.txt"
|
|
|
|
cat "phishing-domains-adguard.txt" "phishing-url-top-domains.txt" | \
|
|
sort | \
|
|
sed '1 i\'"$COMMENT_UBO"'' | \
|
|
sed "1s/Blocklist/Blocklist (AdGuard)/" > "../dist/phishing-filter-ag.txt"
|
|
|
|
|
|
# Vivaldi
|
|
cat "phishing-notop-domains.txt" | \
|
|
sed "s/^/||/g" | \
|
|
sed "s/$/\$document/g" > "phishing-domains-vivaldi.txt"
|
|
|
|
cat "phishing-domains-vivaldi.txt" "phishing-url-top-domains.txt" | \
|
|
sed "s/\$all$/\$document/g" | \
|
|
sort | \
|
|
sed '1 i\'"$COMMENT_UBO"'' | \
|
|
sed "1s/Blocklist/Blocklist (Vivaldi)/" > "../dist/phishing-filter-vivaldi.txt"
|
|
|
|
|
|
## Domains-only blocklist
|
|
# awk + head is a workaround for sed prepend
|
|
COMMENT=$(printf "$COMMENT_UBO" | sed "s/^!/#/g" | sed "1s/URL/Domains/" | awk '{printf "%s\\n", $0}' | head -c -2)
|
|
|
|
cat "phishing-notop-domains.txt" | \
|
|
sort | \
|
|
sed '1 i\'"$COMMENT"'' > "../dist/phishing-filter-domains.txt"
|
|
|
|
|
|
## Hosts file blocklist
|
|
cat "../dist/phishing-filter-domains.txt" | \
|
|
# Exclude comment with #
|
|
grep -vE "^#" | \
|
|
# Remove IPv4 address
|
|
grep -vE "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | \
|
|
sed "s/^/0.0.0.0 /g" | \
|
|
# Re-insert comment
|
|
sed '1 i\'"$COMMENT"'' | \
|
|
sed "1s/Domains/Hosts/" > "../dist/phishing-filter-hosts.txt"
|
|
|
|
|
|
## Dnsmasq-compatible blocklist
|
|
cat "../dist/phishing-filter-hosts.txt" | \
|
|
grep -vE "^#" | \
|
|
sed "s/^0.0.0.0 /address=\//g" | \
|
|
sed "s/$/\/0.0.0.0/g" | \
|
|
sed '1 i\'"$COMMENT"'' | \
|
|
sed "1s/Blocklist/dnsmasq Blocklist/" > "../dist/phishing-filter-dnsmasq.conf"
|
|
|
|
|
|
## BIND-compatible blocklist
|
|
cat "../dist/phishing-filter-hosts.txt" | \
|
|
grep -vE "^#" | \
|
|
sed 's/^0.0.0.0 /zone "/g' | \
|
|
sed 's/$/" { type master; notify no; file "null.zone.file"; };/g' | \
|
|
sed '1 i\'"$COMMENT"'' | \
|
|
sed "1s/Blocklist/BIND Blocklist/" > "../dist/phishing-filter-bind.conf"
|
|
|
|
|
|
## Unbound-compatible blocklist
|
|
cat "../dist/phishing-filter-hosts.txt" | \
|
|
grep -vE "^#" | \
|
|
sed 's/^0.0.0.0 /local-zone: "/g' | \
|
|
sed 's/$/" always_nxdomain/g' | \
|
|
sed '1 i\'"$COMMENT"'' | \
|
|
sed "1s/Blocklist/Unbound Blocklist/" > "../dist/phishing-filter-unbound.conf"
|
|
|
|
|
|
## IE blocklist
|
|
COMMENT_IE="msFilterList\n$COMMENT\n: Expires=1\n#"
|
|
|
|
cat "../dist/phishing-filter-hosts.txt" | \
|
|
grep -vE "^#" | \
|
|
sed "s/^0\.0\.0\.0/-d/g" | \
|
|
sed '1 i\'"$COMMENT_IE"'' | \
|
|
sed "2s/Domains Blocklist/Hosts Blocklist (IE)/" > "../dist/phishing-filter.tpl"
|
|
|
|
|
|
## Clean up artifacts
|
|
rm "phishtank.csv" "top-1m-umbrella.zip" "top-1m-umbrella.txt" "top-1m-tranco.txt" "openphish-raw.txt"
|
|
|
|
|
|
cd ../
|