"""
Get the lookup CSV from vn-badsite-filter
Usage: "| getvnbadsitefilter | outputlookup override_if_empty=false vn-badsite-filter-splunk.csv"
"""
import sys
from os import path
from time import time as unix_time
# Put this bin/ directory at the front of the module search path so the
# sibling ``utils`` module (imported next) resolves.  Because it is inserted
# at index 0, a file in bin/ takes precedence over a same-named module
# anywhere else on the path.
sys.path.insert(0, path.dirname(__file__))
from utils import Utility
# splunklib is expected under ../lib relative to this file (imported on the
# next line).  Front-of-path again, so the bundled copy is preferred over any
# other splunklib installation on the host.
sys.path.insert(0, path.join(path.dirname(__file__), path.pardir, "lib"))
from splunklib.searchcommands import Configuration, GeneratingCommand, Option, dispatch
# Mirrors of the same vn-badsite-filter-splunk.csv.  The whole tuple is handed
# to ``self.download`` (defined in utils.py, not shown here); presumably the
# URLs are tried in order until one succeeds — confirm against utils.py before
# relying on the ordering.  Every entry is HTTPS; keep it that way, because the
# rows fetched from here end up in a Splunk lookup and no further validation
# of the downloaded content is visible in this file.
DOWNLOAD_URLS = (
    "https://malware-filter.gitlab.io/malware-filter/vn-badsite-filter-splunk.csv",
    "https://curbengh.github.io/malware-filter/vn-badsite-filter-splunk.csv",
    "https://curbengh.github.io/vn-badsite-filter/vn-badsite-filter-splunk.csv",
    "https://malware-filter.gitlab.io/vn-badsite-filter/vn-badsite-filter-splunk.csv",
    "https://malware-filter.pages.dev/vn-badsite-filter-splunk.csv",
    "https://vn-badsite-filter.pages.dev/vn-badsite-filter-splunk.csv",
)
@Configuration()
class GetVNBadsiteFilter(Utility, GeneratingCommand):
    """Generating search command that emits one event per row of the
    vn-badsite-filter lookup CSV.

    The CSV text is obtained through ``self.download(DOWNLOAD_URLS)`` and
    parsed with ``self.csv_reader``; both helpers, like ``insert_affix`` and
    ``gen_record``, are inherited (presumably from ``utils.Utility`` — see
    utils.py).  Each parsed row is stamped with the current time and yielded
    as a record.

    Options (search-command arguments, all optional):
        wildcard_prefix, wildcard_suffix, wildcard_affix: forwarded unchanged
            to ``self.insert_affix``; their exact effect is defined there.
        message: when given as a non-empty string it is copied into every
            row under the ``custom_message`` key.
    """

    wildcard_prefix = Option(name="wildcard_prefix")
    wildcard_suffix = Option(name="wildcard_suffix")
    wildcard_affix = Option(name="wildcard_affix")
    custom_message = Option(name="message")

    def generate(self):
        """Yield one record for every row of the downloaded filter CSV."""
        # NOTE(review): assumes self.download validates the mirror's TLS
        # certificate and returns the body as text — confirm in utils.py.
        csv_text = self.download(DOWNLOAD_URLS)

        message = self.custom_message
        # Only a non-empty str is forwarded; an unset option is left out.
        add_message = isinstance(message, str) and message != ""

        for entry in self.csv_reader(csv_text):
            if add_message:
                entry["custom_message"] = message
            with_affixes = self.insert_affix(
                entry,
                self.wildcard_prefix,
                self.wildcard_suffix,
                self.wildcard_affix,
            )
            # _time is read per record, so consecutive rows carry
            # slightly increasing timestamps rather than one shared value.
            yield self.gen_record(_time=unix_time(), **with_affixes)
# Entry point: splunklib's dispatch runs the command against stdin/stdout when
# this file is executed by Splunk (it is expected to act only when __name__ is
# "__main__" — confirm against the bundled splunklib), so importing this module
# elsewhere does not start a search.
dispatch(GetVNBadsiteFilter, sys.argv, sys.stdin, sys.stdout, __name__)