Latest commit 975e1531bc by Ming Di Leom (2023-02-15 09:40:37 +00:00):
feat: add _time
so that generated records can be saved to index, if configured
Repository contents (path, last commit, date):

  • .vscode: Initial commit (2023-01-27 09:59:55 +00:00)
  • bin: feat: add _time (2023-02-15 09:40:37 +00:00)
  • default: release: 0.0.7 (2023-02-10 20:32:51 +00:00)
  • lookups: fix(getopendbl): rename "cidr" column to "cidr_range" (2023-02-04 06:42:43 +00:00)
  • metadata: fix(metadata): dedup config (2023-02-04 06:39:44 +00:00)
  • .gitignore: Initial commit (2023-01-27 09:59:55 +00:00)
  • .gitlab-ci.yml: fix: remove splunk 8 compatibility (2023-02-06 06:40:51 +00:00)
  • .pre-commit-config.yaml: Initial commit (2023-01-27 09:59:55 +00:00)
  • LICENSE.md: Initial commit (2023-01-27 09:59:55 +00:00)
  • README.md: docs: utilise splunk proxy setting (2023-02-10 20:32:13 +00:00)
  • build.py: build: exclude requests lib (2023-02-08 10:06:21 +00:00)
  • pyproject.toml: style: set line ending in pylint (2023-01-27 21:31:41 +00:00)
  • requirements-dev.txt: Initial commit (2023-01-27 09:59:55 +00:00)
  • requirements.txt: Initial commit (2023-01-27 09:59:55 +00:00)

README.md

Splunk Add-on for malware-filter

Provides custom search commands to update malware-filter lookups. Each command downloads a source CSV and emits its rows as events, which can then be piped to a lookup file or used as a subsearch. Each command is exported globally and can be used in any app. This add-on currently does not have any UI.

The source CSV will be downloaded via a proxy if one is configured in "$SPLUNK_HOME/etc/system/local/server.conf".

Tested on Splunk 9.x.

Installation

Releases are available at https://gitlab.com/malware-filter/splunk-malware-filter/-/releases

Instructions for building the main branch are available in the Build section.

Usage

| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

Optional arguments:

  • wildcard_prefix <string>: list of column names to have the wildcard "*" prefixed to their non-empty value. New column(s) named "{column_name}_wildcard_prefix" will be created. Non-existent columns are silently ignored. Accepted values: "column_name", "columnA,columnB".
  • wildcard_suffix <string>: Same as wildcard_prefix but with the wildcard suffixed instead.
  • wildcard_affix <string>: Same as wildcard_prefix but with the wildcard both prefixed and suffixed.
  • message <string>: Add a custom message column. A new column "custom_message" will be created.

Example:

| geturlhausfilter
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

| host         | path       | message                                    | updated              |
|--------------|------------|--------------------------------------------|----------------------|
| example2.com | /some-path | urlhaus-filter malicious website detected  | 2022-12-21T12:34:56Z |

| geturlhausfilter wildcard_prefix=path message="lorem ipsum"
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

| host         | path       | message                                    | updated              | path_wildcard_prefix | message     |
|--------------|------------|--------------------------------------------|----------------------|----------------------|-------------|
| example2.com | /some-path | urlhaus-filter malicious website detected  | 2022-12-21T12:34:56Z | */some-path          | lorem ipsum |
| example.com  |            | urlhaus-filter malicious website detected  | 2022-12-21T12:34:56Z |                      | lorem ipsum |
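The wildcard and message arguments above are simple per-row column derivations. The following is an added illustration (not the add-on's own code) of those rules in Python, applied to a constructed two-row CSV: comma-separated column names, empty values producing an empty derived column, and unknown columns being ignored.

```python
import csv
import io

# Constructed sample of a downloaded filter CSV; not the real urlhaus-filter feed.
SAMPLE_CSV = """host,path,message,updated
example2.com,/some-path,urlhaus-filter malicious website detected,2022-12-21T12:34:56Z
example.com,,urlhaus-filter malicious website detected,2022-12-21T12:34:56Z
"""

# For each optional argument: suffix of the derived column and wildcard placement.
MODES = {
    "wildcard_prefix": ("_wildcard_prefix", "*{}"),
    "wildcard_suffix": ("_wildcard_suffix", "{}*"),
    "wildcard_affix": ("_wildcard_affix", "*{}*"),
}


def load_rows(text):
    """Parse CSV text into a list of dicts (one per row)."""
    return list(csv.DictReader(io.StringIO(text)))


def add_wildcards(rows, wildcard_prefix="", wildcard_suffix="", wildcard_affix="", message=""):
    """Return copies of rows with the derived columns described in the README.

    Column lists are comma-separated. A column missing from the row is silently
    ignored; an empty value yields an empty derived column rather than a bare "*".
    """
    args = {"wildcard_prefix": wildcard_prefix,
            "wildcard_suffix": wildcard_suffix,
            "wildcard_affix": wildcard_affix}
    out = []
    for row in rows:
        new = dict(row)
        for arg, spec in args.items():
            suffix, template = MODES[arg]
            for col in (c.strip() for c in spec.split(",") if c.strip()):
                if col not in row:
                    continue  # non-existent column: ignored, no error
                value = row[col]
                new[col + suffix] = template.format(value) if value else ""
        if message:
            new["custom_message"] = message
        out.append(new)
    return out


if __name__ == "__main__":
    for r in add_wildcards(load_rows(SAMPLE_CSV), wildcard_prefix="path", message="lorem ipsum"):
        print(r)
```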

Lookup files

Lookup files are bundled but empty; run the relevant | getsomething | outputlookup some-filter.csv to populate the latest lookup before using any of them.

  • urlhaus-filter-splunk-online.csv
  • phishing-filter-splunk.csv
  • pup-filter-splunk.csv
  • vn-badsite-filter-splunk.csv
  • botnet-filter-splunk.csv
  • botnet_ip.csv
  • opendbl_ip.csv

geturlhausfilter

| geturlhausfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false urlhaus-filter-splunk-online.csv

Output columns are listed here https://gitlab.com/malware-filter/urlhaus-filter#splunk

getphishingfilter

| getphishingfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false phishing-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/phishing-filter#splunk

getpupfilter

| getpupfilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false pup-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/pup-filter#splunk

getvnbadsitefilter

| getvnbadsitefilter wildcard_prefix=<string> wildcard_suffix=<string> wildcard_affix=<string> message=<string>
| outputlookup override_if_empty=false vn-badsite-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/vn-badsite-filter#splunk

getbotnetfilter

Using getbotnetip instead is highly recommended.

| getbotnetfilter message=<string>
| outputlookup override_if_empty=false botnet-filter-splunk.csv

Output columns are listed here https://gitlab.com/malware-filter/botnet-filter#splunk

getbotnetip

It is recommended to update the lookup file "botnet_ip.csv" every 5 minutes (cron */5 * * * *).

| getbotnetip message=<string>
| outputlookup override_if_empty=false botnet_ip.csv

Columns:

| first_seen_utc      | dst_ip        | dst_port | c2_status | last_online | malware | updated              |
|---------------------|---------------|----------|-----------|-------------|---------|----------------------|
| 2021-01-17 07:44:46 | 51.178.161.32 | 4643     | online    | 2023-01-26  | Dridex  | 2023-01-25T17:41:16Z |

Source: https://feodotracker.abuse.ch/downloads/ipblocklist.csv

getopendbl

It is recommended to update the lookup file "opendbl_ip.csv" every 15 minutes (cron */15 * * * *).

| getopendbl message=<string>
| outputlookup override_if_empty=false opendbl_ip.csv

| start           | end             | netmask | cidr_range         | name                                      | updated              |
|-----------------|-----------------|---------|--------------------|-------------------------------------------|----------------------|
| 187.190.252.167 | 187.190.252.167 | 32      | 187.190.252.167/32 | Emerging Threats: Known Compromised Hosts | 2023-01-30T08:03:00Z |
| 89.248.163.0    | 89.248.163.255  | 24      | 89.248.163.0/24    | Dshield                                   | 2023-01-30T08:01:00Z |

Source: https://opendbl.net/

Disable individual commands

Settings -> All configurations -> filter by "malware_filter" app

Build

git clone https://gitlab.com/malware-filter/splunk-malware-filter
cd splunk-malware-filter
python build.py

Download failover

For the get*filter search commands, the script attempts to download from the following domains in sequence (see the DOWNLOAD_URLS constant in each script):

  • malware-filter.gitlab.io
  • curbengh.github.io
  • curbengh.github.io
  • malware-filter.gitlab.io
  • malware-filter.pages.dev
  • *-filter.pages.dev

If your corporate proxy admin balks at having to allow more than one domain, allowing any one of them will do. Since the script cannot know the proxy ruleset, it will still attempt those domains in sequence until it finds a reachable one.
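The failover behaviour described above, as an added example rather than the add-on's own code: mirrors are tried in order, any fetch failure (a proxy refusing the domain, a timeout, an HTTP error) moves on to the next, and only when every mirror fails is an error raised. The DOWNLOAD_URLS paths here are placeholders, not the project's real URLs; the fetch function is injectable so the loop can be exercised offline.

```python
import urllib.error
import urllib.request

# Hypothetical mirror list modelled on the DOWNLOAD_URLS constant the README
# mentions. The PLACEHOLDER paths are not the project's real URLs.
DOWNLOAD_URLS = [
    "https://malware-filter.gitlab.io/PLACEHOLDER/filter.csv",
    "https://curbengh.github.io/PLACEHOLDER/filter.csv",
    "https://malware-filter.pages.dev/PLACEHOLDER/filter.csv",
]


def fetch_url(url, timeout=10):
    """Fetch one URL; urllib honours the process proxy environment by default."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def download_with_failover(urls, fetch=fetch_url):
    """Try each mirror in order and return (url, body) for the first that answers.

    A proxy that only permits one of the domains makes the others raise
    (connection refused, 403, timeout); each such error is recorded and the
    next mirror is tried. RuntimeError is raised only if all mirrors fail.
    """
    errors = []
    for url in urls:
        try:
            return url, fetch(url)
        except (urllib.error.URLError, OSError, ValueError) as exc:
            errors.append(f"{url}: {exc}")
    raise RuntimeError("all mirrors failed:\n" + "\n".join(errors))


if __name__ == "__main__":
    used, body = download_with_failover(DOWNLOAD_URLS)
    print(f"downloaded {len(body)} bytes from {used}")
```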

Disclaimer

getbotnetip.py and getopendbl.py are included simply for convenience; their upstream sources are not affiliated with malware-filter.

License

Creative Commons Zero v1.0 Universal