49 lines
1.8 KiB
Python
49 lines
1.8 KiB
Python
"""
|
|
Get lookup csv from phishing-filter
|
|
Usage: "| getphishingfilter | outputlookup override_if_empty=false phishing-filter-splunk.csv"
|
|
"""
|
|
|
|
import sys
|
|
from os import path
|
|
from time import time as unix_time
|
|
|
|
sys.path.insert(0, path.join(path.dirname(__file__)))
|
|
from utils import Utility
|
|
|
|
sys.path.insert(0, path.join(path.dirname(__file__), "..", "lib"))
|
|
from splunklib.searchcommands import Configuration, GeneratingCommand, Option, dispatch
|
|
|
|
DOWNLOAD_URLS = (
|
|
"https://malware-filter.gitlab.io/malware-filter/phishing-filter-splunk.csv",
|
|
"https://curbengh.github.io/malware-filter/phishing-filter-splunk.csv",
|
|
"https://curbengh.github.io/phishing-filter/phishing-filter-splunk.csv",
|
|
"https://malware-filter.gitlab.io/phishing-filter/phishing-filter-splunk.csv",
|
|
"https://malware-filter.pages.dev/phishing-filter-splunk.csv",
|
|
"https://phishing-filter.pages.dev/phishing-filter-splunk.csv",
|
|
)
|
|
|
|
|
|
@Configuration()
|
|
class GetPhishingFilter(Utility, GeneratingCommand):
|
|
"""Defines a search command that generates event records"""
|
|
|
|
wildcard_prefix = Option(name="wildcard_prefix")
|
|
wildcard_suffix = Option(name="wildcard_suffix")
|
|
wildcard_affix = Option(name="wildcard_affix")
|
|
custom_message = Option(name="message")
|
|
|
|
def generate(self):
|
|
dl_csv = self.download(DOWNLOAD_URLS)
|
|
for row in self.csv_reader(dl_csv):
|
|
if isinstance(self.custom_message, str) and len(self.custom_message) >= 1:
|
|
row["custom_message"] = self.custom_message
|
|
|
|
affixed_row = self.insert_affix(
|
|
row, self.wildcard_prefix, self.wildcard_suffix, self.wildcard_affix
|
|
)
|
|
|
|
yield self.gen_record(_time=unix_time(), **affixed_row)
|
|
|
|
|
|
dispatch(GetPhishingFilter, sys.argv, sys.stdin, sys.stdout, __name__)
|