splunk-malware-filter/bin/getbotnetfilter.py

"""
Get lookup csv from botnet-filter
Usage: "| getbotnetfilter | outputlookup override_if_empty=false botnet-filter-splunk.csv"
"""

import sys
from os import path
from time import time as unix_time

sys.path.insert(0, path.join(path.dirname(__file__)))
from utils import Utility

sys.path.insert(0, path.join(path.dirname(__file__), "..", "lib"))
from splunklib.searchcommands import Configuration, GeneratingCommand, Option, dispatch

DOWNLOAD_URLS = (
    "https://malware-filter.gitlab.io/malware-filter/botnet-filter-splunk.csv",
    "https://curbengh.github.io/malware-filter/botnet-filter-splunk.csv",
    "https://curbengh.github.io/botnet-filter/botnet-filter-splunk.csv",
    "https://malware-filter.gitlab.io/botnet-filter/botnet-filter-splunk.csv",
    "https://malware-filter.pages.dev/botnet-filter-splunk.csv",
    "https://botnet-filter.pages.dev/botnet-filter-splunk.csv",
)


@Configuration()
class GetBotnetFilter(Utility, GeneratingCommand):
    """Defines a search command that generates event records"""

    custom_message = Option(name="message")

    def generate(self):
        dl_csv = self.download(DOWNLOAD_URLS)
        for row in self.csv_reader(dl_csv):
            if isinstance(self.custom_message, str) and len(self.custom_message) >= 1:
                row["custom_message"] = self.custom_message

            yield self.gen_record(_time=unix_time(), **row)


dispatch(GetBotnetFilter, sys.argv, sys.stdin, sys.stdout, __name__)
Initial commit 2023-01-27 09:47:59 +00:00			`"""`
			`Get lookup csv from botnet-filter`
			`Usage: "\| getbotnetfilter \| outputlookup override_if_empty=false botnet-filter-splunk.csv"`
			`"""`

			`import sys`
			`from os import path`
feat: add _time so that generated records can be saved to index, if configured 2023-02-15 09:40:37 +00:00			`from time import time as unix_time`
Initial commit 2023-01-27 09:47:59 +00:00
build: exclude requests lib - use splunk built-in, maybe useful for certifi cacert.pem style: add path instead of __init__.py style: remove shebang (not meant to be executed by generic python) 2023-02-08 10:06:21 +00:00			`sys.path.insert(0, path.join(path.dirname(__file__)))`
			`from utils import Utility`

Initial commit 2023-01-27 09:47:59 +00:00			`sys.path.insert(0, path.join(path.dirname(__file__), "..", "lib"))`
			`from splunklib.searchcommands import Configuration, GeneratingCommand, Option, dispatch`

feat: download mirrors 2023-02-10 20:24:03 +00:00			`DOWNLOAD_URLS = (`
			`"https://malware-filter.gitlab.io/malware-filter/botnet-filter-splunk.csv",`
			`"https://curbengh.github.io/malware-filter/botnet-filter-splunk.csv",`
			`"https://curbengh.github.io/botnet-filter/botnet-filter-splunk.csv",`
			`"https://malware-filter.gitlab.io/botnet-filter/botnet-filter-splunk.csv",`
			`"https://malware-filter.pages.dev/botnet-filter-splunk.csv",`
			`"https://botnet-filter.pages.dev/botnet-filter-splunk.csv",`
Initial commit 2023-01-27 09:47:59 +00:00			`)`


			`@Configuration()`
			`class GetBotnetFilter(Utility, GeneratingCommand):`
			`"""Defines a search command that generates event records"""`

			`custom_message = Option(name="message")`

			`def generate(self):`
feat: download mirrors 2023-02-10 20:24:03 +00:00			`dl_csv = self.download(DOWNLOAD_URLS)`
Initial commit 2023-01-27 09:47:59 +00:00			`for row in self.csv_reader(dl_csv):`
			`if isinstance(self.custom_message, str) and len(self.custom_message) >= 1:`
			`row["custom_message"] = self.custom_message`

feat: add _time so that generated records can be saved to index, if configured 2023-02-15 09:40:37 +00:00			`yield self.gen_record(_time=unix_time(), **row)`
Initial commit 2023-01-27 09:47:59 +00:00

build: exclude requests lib - use splunk built-in, maybe useful for certifi cacert.pem style: add path instead of __init__.py style: remove shebang (not meant to be executed by generic python) 2023-02-08 10:06:21 +00:00			`dispatch(GetBotnetFilter, sys.argv, sys.stdin, sys.stdout, __name__)`