"""Get lookup csv from phishing-filter

Usage:
    "| getphishingfilter | outputlookup override_if_empty=false phishing-filter-splunk.csv"
"""
import sys
from os import path
from time import time as unix_time

# The shared helpers sit next to this script and the Splunk SDK is vendored
# under ../lib; each sys.path insert must run before the import that needs it.
_APP_BIN = path.dirname(__file__)
sys.path.insert(0, _APP_BIN)
from utils import Utility  # noqa: E402

sys.path.insert(0, path.join(_APP_BIN, "..", "lib"))
from splunklib.searchcommands import (  # noqa: E402
    Configuration,
    GeneratingCommand,
    Option,
    dispatch,
)

# Mirrors of the same lookup CSV, all fetched over HTTPS. The tuple is handed
# as-is to Utility.download; presumably tried in this order -- confirm in utils.
DOWNLOAD_URLS = (
    "https://malware-filter.gitlab.io/malware-filter/phishing-filter-splunk.csv",
    "https://curbengh.github.io/malware-filter/phishing-filter-splunk.csv",
    "https://curbengh.github.io/phishing-filter/phishing-filter-splunk.csv",
    "https://malware-filter.gitlab.io/phishing-filter/phishing-filter-splunk.csv",
    "https://malware-filter.pages.dev/phishing-filter-splunk.csv",
    "https://phishing-filter.pages.dev/phishing-filter-splunk.csv",
)


@Configuration()
class GetPhishingFilter(Utility, GeneratingCommand):
    """Generating search command that emits one event per row of the phishing-filter CSV.

    Options (all optional, read from the search string):
        wildcard_prefix, wildcard_suffix, wildcard_affix: passed positionally to
            ``Utility.insert_affix``, which rewrites each row before it is emitted.
        message: when supplied as a non-empty string it is copied verbatim, as
            given by the search author, into a ``custom_message`` field on every row.
    """

    wildcard_prefix = Option(name="wildcard_prefix")
    wildcard_suffix = Option(name="wildcard_suffix")
    wildcard_affix = Option(name="wildcard_affix")
    custom_message = Option(name="message")

    def generate(self):
        """Download the lookup CSV and yield one record per parsed row.

        Yields:
            Records built by ``Utility.gen_record``; ``_time`` is stamped with
            the wall clock at the moment each row is yielded, not once per run.
        """
        csv_body = self.download(DOWNLOAD_URLS)
        message = self.custom_message
        # Only a non-empty string value adds the field; any other value is ignored.
        add_message = isinstance(message, str) and bool(message)
        for entry in self.csv_reader(csv_body):
            if add_message:
                entry["custom_message"] = message
            entry = self.insert_affix(
                entry, self.wildcard_prefix, self.wildcard_suffix, self.wildcard_affix
            )
            yield self.gen_record(_time=unix_time(), **entry)


# splunklib's dispatch decides from the module name whether to actually run.
dispatch(GetPhishingFilter, sys.argv, sys.stdin, sys.stdout, __name__)