# Splunk Add-on for malware-filter

Provide custom search commands to update [malware-filter](https://gitlab.com/malware-filter) lookups. Each command downloads from a source CSV and emit rows as events which can then be piped to a lookup file or used as a subsearch. Each command is exported globally and can be used in any app. This add-on currently does not have any UI.

## Usage

```
| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv
```

Optional arguments:

- **wildcard_prefix** `<string>`: list of column names to have wildcard "\*" prefixed to their _non-empty_ value. New column(s) named "{column_name}\_wildcard_prefix" will be created. Non-existant column will be silently ignored. Accepted values: `"column_name"`, `"columnA,columnB"`.
- **wildcard_suffix** `<string>`: Same as wildcard_prefix but have the wildcard suffixed instead.
- **wildcard_affix** `<string>`: Same as wildcard_prefix but have the wildcard prefixed and suffixed.
- **message** `<string>`: Add custom message column. New column "custom_message" will be created.

Example:

```
| geturlhausfilter
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv
```

| host         | path       | message                                   | updated              |
| ------------ | ---------- | ----------------------------------------- | -------------------- |
| example2.com | /some-path | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z |

```
| geturlhausfilter wildcard_prefix=path message="lorem ipsum"
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv
```

| host         | path       | message                                   | updated              | path_wildcard_prefix | message     |
| ------------ | ---------- | ----------------------------------------- | -------------------- | -------------------- | ----------- |
| example2.com | /some-path | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z | \*/some-path         | lorem ipsum |
| example.com  |            | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z |                      | lorem ipsum |

## Lookup files

Lookup files are bundled but they are empty, run the relevant `| getsomething | outputlookup some-filter.csv` to get the latest lookup before using any of them.

- urlhaus-filter-splunk-online.csv
- phishing-filter-splunk.csv
- pup-filter-splunk.csv
- vn-badsite-filter-splunk.csv
- botnet-filter-splunk.csv
- botnet_ip.csv
- opendbl_ip.csv

## geturlhausfilter

```
| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv
```

Output columns are listed here https://gitlab.com/malware-filter/urlhaus-filter#splunk

## getphishingfilter

```
| getphishingfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false phishing-filter-splunk.csv
```

Output columns are listed here https://gitlab.com/malware-filter/phishing-filter#splunk

## getpupfilter

```
| getphishingfilter message=<string>
| outputlookup override_if_empty=false pup-filter-splunk.csv
```

Output columns are listed here https://gitlab.com/malware-filter/pup-filter#splunk

## getvnbadsitefilter

```
| getphishingfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false vn-badsite-filter-splunk.csv
```

Output columns are listed here https://gitlab.com/malware-filter/vn-badsite-filter#splunk

## getbotnetfilter

Highly recommend to use [`getbotnetip`](#getbotnetip) instead.

```
| getphishingfilter message=<string>
| outputlookup override_if_empty=false botnet-filter-splunk.csv
```

Output columns are listed here https://gitlab.com/malware-filter/botnet-filter#splunk

## getbotnetip

Recommend to update the lookup file "botnet_ip.csv" every 5 minutes (cron `*/5 * * * *`).

```
| getphishingfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false botnet_ip.csv
```

Source: https://feodotracker.abuse.ch/downloads/ipblocklist.csv

Columns:

| first_seen_utc      | dst_ip        | dst_port | c2_status | last_online | malware | last_updated_utc    |
| ------------------- | ------------- | -------- | --------- | ----------- | ------- | ------------------- |
| 2021-01-17 07:44:46 | 51.178.161.32 | 4643     | online    | 2023-01-26  | Dridex  | 2023-01-25 17:41:16 |

## getopendbl

Recommend to update the lookup file "opendbl_ip.csv" every 15 minutes (cron `*/15 * * * *`).

```
| getopendbl wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false opendbl_ip.csv
```

Source: https://opendbl.net/

## Disabling individual commands

Settings -> All configurations -> filter by "malware_filter" app

## Build

`python build.py`

## Disclaimer

`getbotnetip.py` and `getopendbl.py` are included simply for convenience, their upstream sources are not affiliated with malware-filter.

## License

[Creative Commons Zero v1.0 Universal](LICENSE.md)