6.4 KiB
Splunk Add-on for malware-filter
- Installation
- Usage
- geturlhausfilter
- getphishingfilter
- getpupfilter
- getvnbadsitefilter
- getbotnetfilter
- getbotnetip
- getopendbl
- getopendbl
- Disable individual commands
- Build
Provide custom search commands to update malware-filter lookups. Each command downloads from a source CSV and emit rows as events which can then be piped to a lookup file or used as a subsearch. Each command is exported globally and can be used in any app. This add-on currently does not have any UI.
Compatible with Splunk 9.x. For Splunk 8.x, install "*-splunk8.tar.gz" instead.
Installation
Releases are available at https://gitlab.com/malware-filter/splunk-malware-filter/-/releases
Instruction to build the main branch is available at the Build section.
Usage
| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv
Optional arguments:
- wildcard_prefix
<string>
: list of column names to have wildcard "*" prefixed to their non-empty value. New column(s) named "{column_name}_wildcard_prefix" will be created. Non-existant column will be silently ignored. Accepted values:"column_name"
,"columnA,columnB"
. - wildcard_suffix
<string>
: Same as wildcard_prefix but have the wildcard suffixed instead. - wildcard_affix
<string>
: Same as wildcard_prefix but have the wildcard prefixed and suffixed. - message
<string>
: Add custom message column. New column "custom_message" will be created.
Example:
| geturlhausfilter
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv
host | path | message | updated |
---|---|---|---|
example2.com | /some-path | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z |
| geturlhausfilter wildcard_prefix=path message="lorem ipsum"
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv
host | path | message | updated | path_wildcard_prefix | message |
---|---|---|---|---|---|
example2.com | /some-path | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z | */some-path | lorem ipsum |
example.com | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z | lorem ipsum |
Lookup files
Lookup files are bundled but they are empty, run the relevant | getsomething | outputlookup some-filter.csv
to get the latest lookup before using any of them.
- urlhaus-filter-splunk-online.csv
- phishing-filter-splunk.csv
- pup-filter-splunk.csv
- vn-badsite-filter-splunk.csv
- botnet-filter-splunk.csv
- botnet_ip.csv
- opendbl_ip.csv
geturlhausfilter
| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv
Output columns are listed here https://gitlab.com/malware-filter/urlhaus-filter#splunk
getphishingfilter
| getphishingfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false phishing-filter-splunk.csv
Output columns are listed here https://gitlab.com/malware-filter/phishing-filter#splunk
getpupfilter
| getpupfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false pup-filter-splunk.csv
Output columns are listed here https://gitlab.com/malware-filter/pup-filter#splunk
getvnbadsitefilter
| getvnbadsitefilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false vn-badsite-filter-splunk.csv
Output columns are listed here https://gitlab.com/malware-filter/vn-badsite-filter#splunk
getbotnetfilter
Highly recommend to use getbotnetip
instead.
| getbotnetfilter message=<string>
| outputlookup override_if_empty=false botnet-filter-splunk.csv
Output columns are listed here https://gitlab.com/malware-filter/botnet-filter#splunk
getbotnetip
Recommend to update the lookup file "botnet_ip.csv" every 5 minutes (cron */5 * * * *
).
| getbotnetip message=<string>
| outputlookup override_if_empty=false botnet_ip.csv
Columns:
first_seen_utc | dst_ip | dst_port | c2_status | last_online | malware | updated |
---|---|---|---|---|---|---|
2021-01-17 07:44:46 | 51.178.161.32 | 4643 | online | 2023-01-26 | Dridex | 2023-01-25T17:41:16Z |
Source: https://feodotracker.abuse.ch/downloads/ipblocklist.csv
getopendbl
Recommend to update the lookup file "opendbl_ip.csv" every 15 minutes (cron */15 * * * *
).
| getopendbl message=<string>
| outputlookup override_if_empty=false opendbl_ip.csv
start | end | netmask | cidr_range | name | updated |
---|---|---|---|---|---|
187.190.252.167 | 187.190.252.167 | 32 | 187.190.252.167/32 | Emerging Threats: Known Compromised Hosts | 2023-01-30T08:03:00Z |
89.248.163.0 | 89.248.163.255 | 24 | 89.248.163.0/24 | Dshield | 2023-01-30T08:01:00Z |
Source: https://opendbl.net/
Disable individual commands
Settings -> All configurations -> filter by "malware_filter" app
Build
git clone https://gitlab.com/malware-filter/splunk-malware-filter
cd splunk-malware-filter
python build.py
Disclaimer
getbotnetip.py
and getopendbl.py
are included simply for convenience, their upstream sources are not affiliated with malware-filter.