52 lines
1.8 KiB
Python
52 lines
1.8 KiB
Python
"""
|
|
Get botnet IPs from feodo tracker
|
|
Usage: "| getbotnetip | outputlookup override_if_empty=false botnet_ip.csv"
|
|
Recommend to update the lookup file every 5 minutes (cron "*/5 * * * *")
|
|
"""
|
|
|
|
import sys
|
|
from datetime import datetime, timezone
|
|
from os import path
|
|
from re import search
|
|
|
|
sys.path.insert(0, path.join(path.dirname(__file__)))
|
|
from utils import Utility
|
|
|
|
sys.path.insert(0, path.join(path.dirname(__file__), "..", "lib"))
|
|
from splunklib.searchcommands import Configuration, GeneratingCommand, Option, dispatch
|
|
|
|
DOWNLOAD_URL = "https://feodotracker.abuse.ch/downloads/ipblocklist.csv"
|
|
|
|
|
|
@Configuration()
|
|
class GetBotnetIP(Utility, GeneratingCommand):
|
|
"""Defines a search command that generates event records"""
|
|
|
|
custom_message = Option(name="message")
|
|
|
|
def generate(self):
|
|
feodo_csv = self.download(DOWNLOAD_URL)
|
|
updated = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
|
|
# parse updated time from header comment
|
|
for line in filter(lambda row: row[0] == "#", feodo_csv.splitlines()):
|
|
if line.startswith("# Last updated:"):
|
|
last_updated_utc = search(
|
|
r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", line
|
|
).group()
|
|
updated = (
|
|
datetime.strptime(last_updated_utc, "%Y-%m-%d %H:%M:%S")
|
|
.replace(tzinfo=timezone.utc)
|
|
.strftime("%Y-%m-%dT%H:%M:%SZ")
|
|
)
|
|
break
|
|
# parse input csv, remove '#' comments and output as events
|
|
for row in self.csv_reader(feodo_csv):
|
|
row["updated"] = updated
|
|
if isinstance(self.custom_message, str) and len(self.custom_message) >= 1:
|
|
row["custom_message"] = self.custom_message
|
|
|
|
yield self.gen_record(**row)
|
|
|
|
|
|
dispatch(GetBotnetIP, sys.argv, sys.stdin, sys.stdout, __name__)
|