Mirror of https://gitlab.com/malware-filter/splunk-malware-filter

Go to file

Ming Di Leom 31638daa85 fix: normalise "updated" column with ISO-8601 format - fix command example		2023-01-30 10:08:25 +00:00
.vscode	Initial commit	2023-01-27 09:59:55 +00:00
bin	fix: normalise "updated" column	2023-01-30 10:08:25 +00:00
default	docs(searchbnf): options are not sequential	2023-01-27 21:11:23 +00:00
lookups	Initial commit	2023-01-27 09:59:55 +00:00
metadata	Initial commit	2023-01-27 09:59:55 +00:00
.gitignore	Initial commit	2023-01-27 09:59:55 +00:00
.gitlab-ci.yml	ci: publish release and asset	2023-01-27 11:40:00 +00:00
.pre-commit-config.yaml	Initial commit	2023-01-27 09:59:55 +00:00
LICENSE.md	Initial commit	2023-01-27 09:59:55 +00:00
README.md	fix: normalise "updated" column	2023-01-30 10:08:25 +00:00
build.py	ci: publish release and asset	2023-01-27 11:40:00 +00:00
pyproject.toml	style: set line ending in pylint	2023-01-27 21:31:41 +00:00
requirements-dev.txt	Initial commit	2023-01-27 09:59:55 +00:00
requirements.txt	Initial commit	2023-01-27 09:59:55 +00:00

README.md

Splunk Add-on for malware-filter

Installation
Usage
geturlhausfilter
getphishingfilter
getpupfilter
getvnbadsitefilter
getbotnetfilter
getbotnetip
getopendbl
getopendbl
Disable individual commands
Build

Provide custom search commands to update malware-filter lookups. Each command downloads from a source CSV and emit rows as events which can then be piped to a lookup file or used as a subsearch. Each command is exported globally and can be used in any app. This add-on currently does not have any UI.

Installation

Releases are available at https://gitlab.com/malware-filter/splunk-malware-filter/-/releases

Instruction to build the latest commit is available at the Build section.

Usage

| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

Optional arguments:

wildcard_prefix <string>: list of column names to have wildcard "*" prefixed to their non-empty value. New column(s) named "{column_name}_wildcard_prefix" will be created. Non-existant column will be silently ignored. Accepted values: "column_name", "columnA,columnB".
wildcard_suffix <string>: Same as wildcard_prefix but have the wildcard suffixed instead.
wildcard_affix <string>: Same as wildcard_prefix but have the wildcard prefixed and suffixed.
message <string>: Add custom message column. New column "custom_message" will be created.

Example:

| geturlhausfilter
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

host	path	message	updated
example2.com	/some-path	urlhaus-filter malicious website detected	2022-12-21T12:34:56Z

| geturlhausfilter wildcard_prefix=path message="lorem ipsum"
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

host	path	message	updated	path_wildcard_prefix	message
example2.com	/some-path	urlhaus-filter malicious website detected	2022-12-21T12:34:56Z	*/some-path	lorem ipsum
example.com		urlhaus-filter malicious website detected	2022-12-21T12:34:56Z		lorem ipsum

Lookup files

Lookup files are bundled but they are empty, run the relevant | getsomething | outputlookup some-filter.csv to get the latest lookup before using any of them.

urlhaus-filter-splunk-online.csv
phishing-filter-splunk.csv
pup-filter-splunk.csv
vn-badsite-filter-splunk.csv
botnet-filter-splunk.csv
botnet_ip.csv
opendbl_ip.csv

geturlhausfilter

| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

Output columns are listed here https://gitlab.com/malware-filter/urlhaus-filter#splunk

getphishingfilter

| getphishingfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false phishing-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/phishing-filter#splunk

getpupfilter

| getpupfilter  wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false pup-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/pup-filter#splunk

getvnbadsitefilter

| getvnbadsitefilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false vn-badsite-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/vn-badsite-filter#splunk

getbotnetfilter

Highly recommend to use getbotnetip instead.

| getbotnetfilter message=<string>
| outputlookup override_if_empty=false botnet-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/botnet-filter#splunk

getbotnetip

Recommend to update the lookup file "botnet_ip.csv" every 5 minutes (cron */5 * * * *).

| getbotnetip message=<string>
| outputlookup override_if_empty=false botnet_ip.csv

Columns:

first_seen_utc	dst_ip	dst_port	c2_status	last_online	malware	updated
2021-01-17 07:44:46	51.178.161.32	4643	online	2023-01-26	Dridex	2023-01-25T17:41:16Z

Source: https://feodotracker.abuse.ch/downloads/ipblocklist.csv

getopendbl

Recommend to update the lookup file "opendbl_ip.csv" every 15 minutes (cron */15 * * * *).

| getopendbl message=<string>
| outputlookup override_if_empty=false opendbl_ip.csv

start	end	netmask	cidr	name	updated
187.190.252.167	187.190.252.167	32	187.190.252.167/32	Emerging Threats: Known Compromised Hosts	2023-01-30T08:03:00Z
89.248.163.0	89.248.163.255	24	89.248.163.0/24	Dshield	2023-01-30T08:01:00Z

Source: https://opendbl.net/

Disable individual commands

Settings -> All configurations -> filter by "malware_filter" app

Build

git clone https://gitlab.com/malware-filter/splunk-malware-filter
cd splunk-malware-filter
python build.py

Disclaimer

getbotnetip.py and getopendbl.py are included simply for convenience, their upstream sources are not affiliated with malware-filter.

License

Creative Commons Zero v1.0 Universal