feat: add csv file for Splunk lookup

- https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions
2022-12-17 00:33:17 +00:00 · 2022-12-17 00:33:17 +00:00 · c3ae99c64a
parent a401884547
commit c3ae99c64a
2 changed files with 29 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -16,6 +16,7 @@
  - [Snort2](#snort2)
  - [Snort3](#snort3)
  - [Suricata](#suricata)
+  - [Splunk](#splunk)
 - [Compressed version](#compressed-version)
 - [Reporting issues](#issues)
 - [FAQ and Guides](#faq-and-guides)
@ -40,6 +41,7 @@ There are multiple formats available, refer to the appropriate section according
 - [Snort2](#snort2)
 - [Snort3](#snort3)
 - [Suricata](#suricata)
+- [Splunk](#splunk)

 Not sure which format to choose? See [Compatibility](https://gitlab.com/malware-filter/urlhaus-filter/wikis/compatibility) page.

@ -343,7 +345,7 @@ This blocklist includes domains only.

 ## Snort2

-This ruleset includes online URLs only. Not compatible with [Snort3](#snort3).
+Not compatible with [Snort3](#snort3).

 ### Install

@ -376,7 +378,7 @@ printf "\ninclude \$RULE_PATH/pup-filter-snort2.rules\n" >> /etc/snort/snort.con

 ## Snort3

-This ruleset includes online URLs only. Not compatible with [Snort2](#snort2).
+Not compatible with [Snort2](#snort2).

 ### Install

@ -417,8 +419,6 @@ ips =

 ## Suricata

-This ruleset includes online URLs only.
-
 ### Install

 ```
@ -454,6 +454,23 @@ rule-files:

 </details>

+## Splunk
+
+A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions).
+
+- https://malware-filter.gitlab.io/malware-filter/pup-filter-splunk.csv
+
+<details>
+<summary>Mirrors</summary>
+
+- https://curbengh.github.io/malware-filter/pup-filter-splunk.csv
+- https://curbengh.github.io/pup-filter/pup-filter-splunk.csv
+- https://malware-filter.gitlab.io/pup-filter/pup-filter-splunk.csv
+- https://malware-filter.pages.dev/pup-filter-splunk.csv
+- https://pup-filter.pages.dev/pup-filter-splunk.csv
+
+</details>
+
 ## Compressed version

 All filters are also available as gzip- and brotli-compressed.
--- a/src/script.sh
+++ b/src/script.sh
@ -241,7 +241,8 @@ set +x
 ## Snort & Suricata rulesets
 rm "../public/pup-filter-snort2.rules" \
  "../public/pup-filter-snort3.rules" \
-  "../public/pup-filter-suricata.rules"
+  "../public/pup-filter-suricata.rules" \
+  "../public/pup-filter-splunk.csv"

 SID="300000001"
 while read DOMAIN; do
@ -251,9 +252,12 @@ while read DOMAIN; do

  SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"pup-filter PUP website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:web-application-activity; sid:$SID; rev:1;)"

+  SP_RULE="\"$DOMAIN\",\"\",\"pup-filter PUP website detected\",\"$CURRENT_TIME\""
+
  echo "$SN_RULE" >> "../public/pup-filter-snort2.rules"
  echo "$SN3_RULE" >> "../public/pup-filter-snort3.rules"
  echo "$SR_RULE" >> "../public/pup-filter-suricata.rules"
+  echo "$SP_RULE" >> "../public/pup-filter-splunk.csv"

  SID=$(( $SID + 1 ))
 done < "pup-notop-domains.txt"
@ -270,6 +274,9 @@ sed -i "1s/Blocklist/Snort3 Ruleset/" "../public/pup-filter-snort3.rules"
 sed -i "1i $COMMENT" "../public/pup-filter-suricata.rules"
 sed -i "1s/Blocklist/Suricata Ruleset/" "../public/pup-filter-suricata.rules"

+sed -i -e "1i $COMMENT" -e '1i "host","path","message","updated"' "../public/pup-filter-splunk.csv"
+sed -i "1s/Blocklist/Splunk Lookup/" "../public/pup-filter-splunk.csv"
+

 ## Clean up artifacts
 rm "source.zip" "source-domains.txt" "top-1m-umbrella.zip" "top-1m-umbrella.txt" "top-1m-tranco.txt" "cf/" "top-1m-radar.txt"