Ming Di Leom 22d1b7e8f5
Initial commit
2023-01-27 09:59:55 +00:00

README.md

Splunk Add-on for malware-filter

Provides custom search commands to update malware-filter lookups. Each command downloads a source CSV and emits its rows as events, which can then be piped into a lookup file with outputlookup or used as a subsearch. Each command is exported globally and can be used in any app. This add-on currently does not have any UI.

Usage

| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

Optional arguments:

  • wildcard_prefix <string>: list of column names whose non-empty values get a wildcard "*" prefixed. New column(s) named "{column_name}_wildcard_prefix" will be created. Non-existent columns are silently ignored. Accepted values: "column_name", "columnA,columnB".
  • wildcard_suffix <string>: Same as wildcard_prefix but have the wildcard suffixed instead.
  • wildcard_affix <string>: Same as wildcard_prefix but have the wildcard prefixed and suffixed.
  • message <string>: Add custom message column. New column "custom_message" will be created.

Example:

| geturlhausfilter
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

Output:

| host | path | message | updated |
| --- | --- | --- | --- |
| example2.com | /some-path | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z |

| geturlhausfilter wildcard_prefix=path message="lorem ipsum"
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

Output:

| host | path | message | updated | path_wildcard_prefix | message |
| --- | --- | --- | --- | --- | --- |
| example2.com | /some-path | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z | */some-path | lorem ipsum |
| example.com | | urlhaus-filter malicious website detected | 2022-12-21T12:34:56Z | | lorem ipsum |
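The option handling described above, as an added Python example that is not the add-on's own code: it applies the wildcard_prefix, wildcard_suffix, wildcard_affix and message options to rows parsed from a constructed CSV (the two rows of the README example) and reproduces the documented column naming, the empty-value rule and the silent skipping of unknown columns. Function names are this example's own.

```python
import csv
import io

# Constructed sample mirroring the README example rows; not real feed data.
SAMPLE_CSV = """host,path,message,updated
example2.com,/some-path,urlhaus-filter malicious website detected,2022-12-21T12:34:56Z
example.com,,urlhaus-filter malicious website detected,2022-12-21T12:34:56Z
"""


def parse_columns(arg):
    """Split a comma-separated column list ("columnA,columnB"); empty/None means none."""
    if not arg:
        return []
    return [c.strip() for c in arg.split(",") if c.strip()]


def apply_options(rows, wildcard_prefix=None, wildcard_suffix=None,
                  wildcard_affix=None, message=None):
    """Apply the documented options to a list of dict rows and return new rows.

    Columns named in a wildcard_* option but absent from the row are ignored,
    empty values stay empty, and derived columns are named {column}_wildcard_<kind>.
    """
    specs = [("prefix", wildcard_prefix, "*{}"),
             ("suffix", wildcard_suffix, "{}*"),
             ("affix", wildcard_affix, "*{}*")]
    out = []
    for row in rows:
        new = dict(row)
        for kind, arg, fmt in specs:
            for col in parse_columns(arg):
                if col not in row:
                    continue  # non-existent column: silently ignored
                value = row[col]
                new[f"{col}_wildcard_{kind}"] = fmt.format(value) if value else ""
        if message is not None:
            new["custom_message"] = message  # custom message column
        out.append(new)
    return out


def transform_csv(text, **options):
    """Parse CSV text as the command would and apply the options to every row."""
    return apply_options(list(csv.DictReader(io.StringIO(text))), **options)


if __name__ == "__main__":
    for r in transform_csv(SAMPLE_CSV, wildcard_prefix="path,missing", message="lorem ipsum"):
        print(r)
```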

Lookup files

Lookup files are bundled but empty; run the relevant | getsomething | outputlookup some-filter.csv search to populate each one with the latest data before using it.

  • urlhaus-filter-splunk-online.csv
  • phishing-filter-splunk.csv
  • pup-filter-splunk.csv
  • vn-badsite-filter-splunk.csv
  • botnet-filter-splunk.csv
  • botnet_ip.csv
  • opendbl_ip.csv

geturlhausfilter

| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

Output columns are listed here https://gitlab.com/malware-filter/urlhaus-filter#splunk

getphishingfilter

| getphishingfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false phishing-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/phishing-filter#splunk

getpupfilter

| getpupfilter message=<string>
| outputlookup override_if_empty=false pup-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/pup-filter#splunk

getvnbadsitefilter

| getvnbadsitefilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false vn-badsite-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/vn-badsite-filter#splunk

getbotnetfilter

Using getbotnetip instead is highly recommended.

| getbotnetfilter message=<string>
| outputlookup override_if_empty=false botnet-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/botnet-filter#splunk

getbotnetip

It is recommended to update the lookup file "botnet_ip.csv" every 5 minutes (cron */5 * * * *).

| getbotnetip wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false botnet_ip.csv

Source: https://feodotracker.abuse.ch/downloads/ipblocklist.csv

Columns:

| first_seen_utc | dst_ip | dst_port | c2_status | last_online | malware | last_updated_utc |
| --- | --- | --- | --- | --- | --- | --- |
| 2021-01-17 07:44:46 | 51.178.161.32 | 4643 | online | 2023-01-26 | Dridex | 2023-01-25 17:41:16 |

getopendbl

It is recommended to update the lookup file "opendbl_ip.csv" every 15 minutes (cron */15 * * * *).

| getopendbl wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false opendbl_ip.csv

Source: https://opendbl.net/

Disabling individual commands

Settings -> All configurations -> filter by "malware_filter" app

Build

python build.py

Disclaimer

getbotnetip.py and getopendbl.py are included simply for convenience; their upstream sources are not affiliated with malware-filter.

License

Creative Commons Zero v1.0 Universal