2019-05-29 05:15:08 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
2020-02-08 03:32:36 +00:00
|
|
|
set -efux -o pipefail
|
2019-05-29 05:15:08 +00:00
|
|
|
|
|
|
|
## Create a temporary working folder
|
2020-05-14 09:44:25 +00:00
|
|
|
mkdir -p "tmp/"
|
|
|
|
cd "tmp/"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
|
|
|
|
|
|
|
## Prepare datasets
|
2020-04-01 10:27:02 +00:00
|
|
|
curl -L "https://urlhaus.abuse.ch/downloads/csv/" -o "urlhaus.zip"
|
2020-05-12 02:33:10 +00:00
|
|
|
curl -L "https://s3-us-west-1.amazonaws.com/umbrella-static/top-1m.csv.zip" -o "top-1m-umbrella.zip"
|
|
|
|
curl -L "https://tranco-list.eu/top-1m.csv.zip" -o "top-1m-tranco.zip"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
2021-04-01 06:09:08 +00:00
|
|
|
cp -f "../src/exclude.txt" "."
|
2019-05-29 05:15:08 +00:00
|
|
|
|
2020-04-01 09:52:12 +00:00
|
|
|
## Prepare URLhaus.csv
|
|
|
|
unzip -p "urlhaus.zip" | \
|
2019-05-29 05:15:08 +00:00
|
|
|
# Convert DOS to Unix line ending
|
|
|
|
dos2unix | \
|
2021-03-18 08:43:53 +00:00
|
|
|
tr "[:upper:]" "[:lower:]" | \
|
2019-05-29 05:15:08 +00:00
|
|
|
# Remove comment
|
2020-05-14 09:44:25 +00:00
|
|
|
sed "/^#/d" > "URLhaus.csv"
|
2020-04-01 09:52:12 +00:00
|
|
|
|
|
|
|
## Parse URLs
|
2020-05-14 09:44:25 +00:00
|
|
|
cat "URLhaus.csv" | \
|
2019-06-16 02:21:36 +00:00
|
|
|
cut -f 6 -d '"' | \
|
2020-02-08 03:32:36 +00:00
|
|
|
cut -f 3- -d "/" | \
|
2019-08-04 07:54:07 +00:00
|
|
|
# Domain must have at least a 'dot'
|
2020-02-08 03:32:36 +00:00
|
|
|
grep -F "." | \
|
2021-01-21 04:09:23 +00:00
|
|
|
# Remove invalid protocol, see #32
|
|
|
|
sed -E "s/^(ttps:\/\/|https:\/|http\/)//g" | \
|
2019-05-29 05:15:08 +00:00
|
|
|
# Remove www.
|
2020-02-08 03:32:36 +00:00
|
|
|
sed "s/^www\.//g" | \
|
|
|
|
sort -u > "urlhaus.txt"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
|
|
|
## Parse domain and IP address only
|
2020-02-08 03:32:36 +00:00
|
|
|
cat "urlhaus.txt" | \
|
|
|
|
cut -f 1 -d "/" | \
|
|
|
|
cut -f 1 -d ":" | \
|
2020-05-15 23:28:22 +00:00
|
|
|
# Remove invalid domains, see #15
|
|
|
|
grep -vF "??" | \
|
2020-05-15 10:14:57 +00:00
|
|
|
cut -f 1 -d "?" | \
|
2020-02-08 03:32:36 +00:00
|
|
|
sort -u > "urlhaus-domains.txt"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
2020-04-01 09:52:12 +00:00
|
|
|
## Parse online URLs only
|
2020-05-14 09:44:25 +00:00
|
|
|
cat "URLhaus.csv" | \
|
2019-06-13 06:04:13 +00:00
|
|
|
grep '"online"' | \
|
|
|
|
cut -f 6 -d '"' | \
|
2020-02-08 03:32:36 +00:00
|
|
|
cut -f 3- -d "/" | \
|
|
|
|
sed "s/^www\.//g" | \
|
|
|
|
sort -u > "urlhaus-online.txt"
|
2019-06-13 06:04:13 +00:00
|
|
|
|
2020-02-08 03:32:36 +00:00
|
|
|
cat "urlhaus-online.txt" | \
|
|
|
|
cut -f 1 -d "/" | \
|
|
|
|
cut -f 1 -d ":" | \
|
2020-05-15 23:28:22 +00:00
|
|
|
grep -vF "??" | \
|
2020-05-15 10:14:57 +00:00
|
|
|
cut -f 1 -d "?" | \
|
2020-02-08 03:32:36 +00:00
|
|
|
sort -u > "urlhaus-domains-online.txt"
|
2019-06-13 06:04:13 +00:00
|
|
|
|
2019-05-29 05:15:08 +00:00
|
|
|
|
2020-04-02 21:46:28 +00:00
|
|
|
## Parse the Umbrella 1 Million
|
2020-05-12 02:33:10 +00:00
|
|
|
unzip -p "top-1m-umbrella.zip" | \
|
2019-05-29 05:15:08 +00:00
|
|
|
dos2unix | \
|
2021-03-18 08:43:53 +00:00
|
|
|
tr "[:upper:]" "[:lower:]" | \
|
2019-05-29 05:15:08 +00:00
|
|
|
# Parse domains only
|
2020-02-08 03:32:36 +00:00
|
|
|
cut -f 2 -d "," | \
|
|
|
|
grep -F "." | \
|
2019-05-29 05:15:08 +00:00
|
|
|
# Remove www.
|
2020-02-08 03:32:36 +00:00
|
|
|
sed "s/^www\.//g" | \
|
2020-05-12 02:33:10 +00:00
|
|
|
sort -u > "top-1m-umbrella.txt"
|
|
|
|
|
|
|
|
## Parse the Tranco 1 Million
|
|
|
|
unzip -p "top-1m-tranco.zip" | \
|
|
|
|
dos2unix | \
|
2021-03-18 08:43:53 +00:00
|
|
|
tr "[:upper:]" "[:lower:]" | \
|
2020-05-12 02:33:10 +00:00
|
|
|
# Parse domains only
|
|
|
|
cut -f 2 -d "," | \
|
|
|
|
grep -F "." | \
|
|
|
|
# Remove www.
|
|
|
|
sed "s/^www\.//g" | \
|
|
|
|
sort -u > "top-1m-tranco.txt"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
|
|
|
# Merge Umbrella and self-maintained top domains
|
2020-05-12 02:33:10 +00:00
|
|
|
cat "top-1m-umbrella.txt" "top-1m-tranco.txt" "exclude.txt" | \
|
2020-02-08 03:32:36 +00:00
|
|
|
sort -u > "top-1m-well-known.txt"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
|
|
|
|
|
|
|
## Parse popular domains from URLhaus
|
2020-02-08 03:32:36 +00:00
|
|
|
cat "urlhaus-domains.txt" | \
|
2019-05-29 05:15:08 +00:00
|
|
|
# grep match whole line
|
2020-02-08 03:32:36 +00:00
|
|
|
grep -Fx -f "top-1m-well-known.txt" > "urlhaus-top-domains.txt"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
|
|
|
|
|
|
|
## Parse domains from URLhaus excluding popular domains
|
2020-02-08 03:32:36 +00:00
|
|
|
cat "urlhaus-domains.txt" | \
|
2021-04-01 06:09:08 +00:00
|
|
|
grep -F -vf "urlhaus-top-domains.txt" | \
|
|
|
|
# Remove blank lines
|
|
|
|
sed "/^$/d" > "malware-domains.txt"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
2020-02-08 03:32:36 +00:00
|
|
|
cat "urlhaus-domains-online.txt" | \
|
2021-04-01 06:09:08 +00:00
|
|
|
grep -F -vf "urlhaus-top-domains.txt" | \
|
|
|
|
sed "/^$/d" > "malware-domains-online.txt"
|
2019-06-13 06:04:13 +00:00
|
|
|
|
2019-05-29 06:04:31 +00:00
|
|
|
## Parse malware URLs from popular domains
|
2020-02-08 03:32:36 +00:00
|
|
|
cat "urlhaus.txt" | \
|
2020-07-05 05:09:03 +00:00
|
|
|
grep -F -f "urlhaus-top-domains.txt" | \
|
|
|
|
sed "s/^/||/g" | \
|
2020-07-07 01:23:10 +00:00
|
|
|
sed "s/$/\$all/g" > "malware-url-top-domains.txt"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
2020-02-08 03:32:36 +00:00
|
|
|
cat "urlhaus-online.txt" | \
|
2020-07-05 05:09:03 +00:00
|
|
|
grep -F -f "urlhaus-top-domains.txt" | \
|
|
|
|
sed "s/^/||/g" | \
|
2020-07-07 01:23:10 +00:00
|
|
|
sed "s/$/\$all/g" > "malware-url-top-domains-online.txt"
|
2019-06-13 06:04:13 +00:00
|
|
|
|
2021-03-18 08:43:53 +00:00
|
|
|
cat "urlhaus-online.txt" | \
|
|
|
|
grep -F -f "urlhaus-top-domains.txt" > "malware-url-top-domains-raw-online.txt"
|
|
|
|
|
2019-05-29 05:15:08 +00:00
|
|
|
|
|
|
|
## Merge malware domains and URLs
|
|
|
|
CURRENT_TIME="$(date -R -u)"
|
2020-05-13 10:29:10 +00:00
|
|
|
FIRST_LINE="! Title: Malicious URL Blocklist"
|
2019-05-29 05:15:08 +00:00
|
|
|
SECOND_LINE="! Updated: $CURRENT_TIME"
|
|
|
|
THIRD_LINE="! Expires: 1 day (update frequency)"
|
2020-12-30 23:35:20 +00:00
|
|
|
FOURTH_LINE="! Homepage: https://gitlab.com/curben/urlhaus-filter"
|
2021-03-18 22:06:02 +00:00
|
|
|
FIFTH_LINE="! License: https://gitlab.com/curben/urlhaus-filter#license"
|
2019-05-29 05:15:08 +00:00
|
|
|
SIXTH_LINE="! Source: https://urlhaus.abuse.ch/api/"
|
2020-05-13 10:29:10 +00:00
|
|
|
COMMENT_ABP="$FIRST_LINE\n$SECOND_LINE\n$THIRD_LINE\n$FOURTH_LINE\n$FIFTH_LINE\n$SIXTH_LINE"
|
2019-05-29 05:15:08 +00:00
|
|
|
|
2020-10-04 02:39:27 +00:00
|
|
|
|
|
|
|
cat "malware-domains.txt" "malware-url-top-domains.txt" | \
|
|
|
|
sort | \
|
|
|
|
sed '1 i\'"$COMMENT_ABP"'' > "../urlhaus-filter.txt"
|
|
|
|
|
|
|
|
cat "malware-domains-online.txt" "malware-url-top-domains-online.txt" | \
|
|
|
|
sort | \
|
|
|
|
sed '1 i\'"$COMMENT_ABP"'' | \
|
|
|
|
sed "1s/Malicious/Online Malicious/" > "../urlhaus-filter-online.txt"
|
|
|
|
|
|
|
|
|
2020-09-15 08:41:16 +00:00
|
|
|
# Adguard Home (#19, #22)
|
2020-07-08 10:22:57 +00:00
|
|
|
cat "malware-domains.txt" | \
|
|
|
|
sed "s/^/||/g" | \
|
2020-09-03 01:33:24 +00:00
|
|
|
sed "s/$/^/g" > "malware-domains-adguard-home.txt"
|
2020-07-08 10:22:57 +00:00
|
|
|
|
|
|
|
cat "malware-domains-online.txt" | \
|
|
|
|
sed "s/^/||/g" | \
|
2020-09-03 01:33:24 +00:00
|
|
|
sed "s/$/^/g" > "malware-domains-online-adguard-home.txt"
|
2020-07-08 10:22:57 +00:00
|
|
|
|
2020-09-03 01:33:24 +00:00
|
|
|
cat "malware-domains-adguard-home.txt" | \
|
2020-09-01 06:22:23 +00:00
|
|
|
sort | \
|
|
|
|
sed '1 i\'"$COMMENT_ABP"'' | \
|
|
|
|
sed "1s/Blocklist/Blocklist (AdGuard Home)/" > "../urlhaus-filter-agh.txt"
|
|
|
|
|
2020-09-03 01:33:24 +00:00
|
|
|
cat "malware-domains-online-adguard-home.txt" | \
|
2020-09-01 06:22:23 +00:00
|
|
|
sort | \
|
|
|
|
sed '1 i\'"$COMMENT_ABP"'' | \
|
|
|
|
sed "1s/Malicious/Online Malicious/" | \
|
|
|
|
sed "1s/Blocklist/Blocklist (AdGuard Home)/" > "../urlhaus-filter-agh-online.txt"
|
|
|
|
|
2019-05-29 05:15:08 +00:00
|
|
|
|
2020-09-15 08:41:16 +00:00
|
|
|
# Adguard browser extension
|
2020-09-03 01:33:24 +00:00
|
|
|
cat "malware-domains.txt" | \
|
|
|
|
sed "s/^/||/g" | \
|
|
|
|
sed "s/$/\$all/g" > "malware-domains-adguard.txt"
|
|
|
|
|
|
|
|
cat "malware-domains-online.txt" | \
|
|
|
|
sed "s/^/||/g" | \
|
|
|
|
sed "s/$/\$all/g" > "malware-domains-online-adguard.txt"
|
|
|
|
|
|
|
|
cat "malware-domains-adguard.txt" "malware-url-top-domains.txt" | \
|
|
|
|
sort | \
|
|
|
|
sed '1 i\'"$COMMENT_ABP"'' | \
|
|
|
|
sed "1s/Blocklist/Blocklist (AdGuard)/" > "../urlhaus-filter-ag.txt"
|
|
|
|
|
|
|
|
cat "malware-domains-online-adguard.txt" "malware-url-top-domains-online.txt" | \
|
|
|
|
sort | \
|
|
|
|
sed '1 i\'"$COMMENT_ABP"'' | \
|
|
|
|
sed "1s/Malicious/Online Malicious/" | \
|
|
|
|
sed "1s/Blocklist/Blocklist (AdGuard)/" > "../urlhaus-filter-ag-online.txt"
|
|
|
|
|
|
|
|
|
2020-09-15 08:41:16 +00:00
|
|
|
# Vivaldi
|
|
|
|
cat "malware-domains.txt" | \
|
|
|
|
sed "s/^/||/g" | \
|
|
|
|
sed "s/$/\$document/g" > "malware-domains-vivaldi.txt"
|
|
|
|
|
|
|
|
cat "malware-domains-online.txt" | \
|
|
|
|
sed "s/^/||/g" | \
|
|
|
|
sed "s/$/\$document/g" > "malware-domains-online-vivaldi.txt"
|
|
|
|
|
|
|
|
cat "malware-domains-vivaldi.txt" "malware-url-top-domains.txt" | \
|
|
|
|
sed "s/\$all$/\$document/g" | \
|
|
|
|
sort | \
|
|
|
|
sed '1 i\'"$COMMENT_ABP"'' | \
|
|
|
|
sed "1s/Blocklist/Blocklist (Vivaldi)/" > "../urlhaus-filter-vivaldi.txt"
|
|
|
|
|
|
|
|
cat "malware-domains-online-vivaldi.txt" "malware-url-top-domains-online.txt" | \
|
|
|
|
sed "s/\$all$/\$document/g" | \
|
|
|
|
sort | \
|
|
|
|
sed '1 i\'"$COMMENT_ABP"'' | \
|
|
|
|
sed "1s/Malicious/Online Malicious/" | \
|
|
|
|
sed "1s/Blocklist/Blocklist (Vivaldi)/" > "../urlhaus-filter-vivaldi-online.txt"
|
|
|
|
|
|
|
|
|
2020-04-19 05:19:05 +00:00
|
|
|
## Domains-only blocklist
|
2020-05-13 10:37:40 +00:00
|
|
|
# awk + head is a workaround for sed prepend
|
|
|
|
COMMENT=$(printf "$COMMENT_ABP" | sed "s/^!/#/g" | sed "1s/URL/Domains/" | awk '{printf "%s\\n", $0}' | head -c -2)
|
|
|
|
COMMENT_ONLINE=$(printf "$COMMENT" | sed "1s/Malicious/Online Malicious/" | awk '{printf "%s\\n", $0}' | head -c -2)
|
2019-10-01 06:58:46 +00:00
|
|
|
|
2020-02-08 03:32:36 +00:00
|
|
|
cat "malware-domains.txt" | \
|
2019-10-01 06:58:46 +00:00
|
|
|
sort | \
|
2020-04-19 05:19:05 +00:00
|
|
|
sed '1 i\'"$COMMENT"'' > "../urlhaus-filter-domains.txt"
|
2019-10-01 06:58:46 +00:00
|
|
|
|
2020-02-08 03:32:36 +00:00
|
|
|
cat "malware-domains-online.txt" | \
|
2019-10-01 06:58:46 +00:00
|
|
|
sort | \
|
2020-05-13 10:29:10 +00:00
|
|
|
sed '1 i\'"$COMMENT_ONLINE"'' > "../urlhaus-filter-domains-online.txt"
|
2019-10-01 06:58:46 +00:00
|
|
|
|
2020-04-19 05:19:05 +00:00
|
|
|
|
2021-04-01 06:09:08 +00:00
|
|
|
## Hosts only
|
|
|
|
cat "malware-domains.txt" | \
|
|
|
|
sort | \
|
|
|
|
# Remove IPv4 address
|
|
|
|
grep -vE "([0-9]{1,3}[\.]){3}[0-9]{1,3}" > "malware-hosts.txt"
|
|
|
|
|
|
|
|
cat "malware-domains-online.txt" | \
|
|
|
|
sort | \
|
2020-03-30 02:48:01 +00:00
|
|
|
# Remove IPv4 address
|
2021-04-01 06:09:08 +00:00
|
|
|
grep -vE "([0-9]{1,3}[\.]){3}[0-9]{1,3}" > "malware-hosts-online.txt"
|
|
|
|
|
|
|
|
|
|
|
|
## Hosts file blocklist
|
|
|
|
cat "malware-hosts.txt" | \
|
2020-04-19 07:25:58 +00:00
|
|
|
sed "s/^/0.0.0.0 /g" | \
|
|
|
|
# Re-insert comment
|
|
|
|
sed '1 i\'"$COMMENT"'' | \
|
2020-04-19 05:19:05 +00:00
|
|
|
sed "1s/Domains/Hosts/" > "../urlhaus-filter-hosts.txt"
|
2020-03-30 02:48:01 +00:00
|
|
|
|
2021-04-01 06:09:08 +00:00
|
|
|
cat "malware-hosts-online.txt" | \
|
2020-04-19 07:25:58 +00:00
|
|
|
sed "s/^/0.0.0.0 /g" | \
|
2020-05-13 10:29:10 +00:00
|
|
|
sed '1 i\'"$COMMENT_ONLINE"'' | \
|
|
|
|
sed "1s/Domains/Hosts/" > "../urlhaus-filter-hosts-online.txt"
|
2020-04-19 05:19:05 +00:00
|
|
|
|
|
|
|
|
|
|
|
## Dnsmasq-compatible blocklist
|
2021-04-01 06:09:08 +00:00
|
|
|
cat "malware-hosts.txt" | \
|
|
|
|
sed "s/^/address=\//g" | \
|
2020-04-19 07:25:58 +00:00
|
|
|
sed "s/$/\/0.0.0.0/g" | \
|
|
|
|
sed '1 i\'"$COMMENT"'' | \
|
2020-04-19 05:19:05 +00:00
|
|
|
sed "1s/Blocklist/dnsmasq Blocklist/" > "../urlhaus-filter-dnsmasq.conf"
|
|
|
|
|
2021-04-01 06:09:08 +00:00
|
|
|
cat "malware-hosts-online.txt" | \
|
|
|
|
sed "s/^/address=\//g" | \
|
2020-04-19 07:25:58 +00:00
|
|
|
sed "s/$/\/0.0.0.0/g" | \
|
2020-05-13 10:29:10 +00:00
|
|
|
sed '1 i\'"$COMMENT_ONLINE"'' | \
|
2020-04-19 05:19:05 +00:00
|
|
|
sed "1s/Blocklist/dnsmasq Blocklist/" > "../urlhaus-filter-dnsmasq-online.conf"
|
2020-03-30 02:48:01 +00:00
|
|
|
|
2020-04-19 08:02:03 +00:00
|
|
|
|
|
|
|
## BIND-compatible blocklist
|
2021-04-01 06:09:08 +00:00
|
|
|
cat "malware-hosts.txt" | \
|
|
|
|
sed 's/^/zone "/g' | \
|
2020-04-19 13:17:20 +00:00
|
|
|
sed 's/$/" { type master; notify no; file "null.zone.file"; };/g' | \
|
2020-04-19 08:02:03 +00:00
|
|
|
sed '1 i\'"$COMMENT"'' | \
|
|
|
|
sed "1s/Blocklist/BIND Blocklist/" > "../urlhaus-filter-bind.conf"
|
|
|
|
|
2021-04-01 06:09:08 +00:00
|
|
|
cat "malware-hosts-online.txt" | \
|
|
|
|
sed 's/^/zone "/g' | \
|
2020-04-19 13:17:20 +00:00
|
|
|
sed 's/$/" { type master; notify no; file "null.zone.file"; };/g' | \
|
2020-05-13 10:29:10 +00:00
|
|
|
sed '1 i\'"$COMMENT_ONLINE"'' | \
|
2020-04-19 08:02:03 +00:00
|
|
|
sed "1s/Blocklist/BIND Blocklist/" > "../urlhaus-filter-bind-online.conf"
|
|
|
|
|
|
|
|
|
2021-04-02 03:31:59 +00:00
|
|
|
## DNS Response Policy Zone (RPZ)
|
|
|
|
CURRENT_UNIX_TIME="$(date +%s)"
|
|
|
|
RPZ_SYNTAX="\n\$TTL 30\n@ IN SOA rpz.curben.gitlab.io. hostmaster.rpz.curben.gitlab.io. $CURRENT_UNIX_TIME 86400 3600 604800 30\n NS localhost.\n"
|
|
|
|
|
|
|
|
cat "malware-hosts.txt" | \
|
|
|
|
sed "s/$/ CNAME ./g" | \
|
|
|
|
sed '1 i\'"$RPZ_SYNTAX"'' | \
|
|
|
|
sed '1 i\'"$COMMENT"'' | \
|
|
|
|
sed "s/^#/;/g" | \
|
|
|
|
sed "1s/Blocklist/RPZ Blocklist/" > "../urlhaus-filter-rpz.conf"
|
|
|
|
|
|
|
|
cat "malware-hosts-online.txt" | \
|
|
|
|
sed "s/$/ CNAME ./g" | \
|
|
|
|
sed '1 i\'"$RPZ_SYNTAX"'' | \
|
|
|
|
sed '1 i\'"$COMMENT_ONLINE"'' | \
|
|
|
|
sed "s/^#/;/g" | \
|
|
|
|
sed "1s/Blocklist/RPZ Blocklist/" > "../urlhaus-filter-rpz-online.conf"
|
|
|
|
|
|
|
|
|
2020-04-19 08:42:25 +00:00
|
|
|
## Unbound-compatible blocklist
|
2021-04-01 06:09:08 +00:00
|
|
|
cat "malware-hosts.txt" | \
|
|
|
|
sed 's/^/local-zone: "/g' | \
|
2020-04-19 08:42:25 +00:00
|
|
|
sed 's/$/" always_nxdomain/g' | \
|
|
|
|
sed '1 i\'"$COMMENT"'' | \
|
|
|
|
sed "1s/Blocklist/Unbound Blocklist/" > "../urlhaus-filter-unbound.conf"
|
|
|
|
|
2021-04-01 06:09:08 +00:00
|
|
|
cat "malware-hosts-online.txt" | \
|
|
|
|
sed 's/^/local-zone: "/g' | \
|
2020-04-19 08:42:25 +00:00
|
|
|
sed 's/$/" always_nxdomain/g' | \
|
2020-05-13 10:29:10 +00:00
|
|
|
sed '1 i\'"$COMMENT_ONLINE"'' | \
|
2020-04-19 08:42:25 +00:00
|
|
|
sed "1s/Blocklist/Unbound Blocklist/" > "../urlhaus-filter-unbound-online.conf"
|
|
|
|
|
|
|
|
|
2021-03-18 10:18:59 +00:00
|
|
|
## Temporarily disable command print
|
|
|
|
set +x
|
|
|
|
|
|
|
|
|
|
|
|
# Snort & Suricata
|
2021-03-19 18:41:49 +00:00
|
|
|
rm -f "../urlhaus-filter-snort2-online.rules" \
|
|
|
|
"../urlhaus-filter-snort3-online.rules" \
|
|
|
|
"../urlhaus-filter-suricata-online.rules"
|
2021-03-18 10:18:59 +00:00
|
|
|
|
|
|
|
SID="100000001"
|
|
|
|
while read DOMAIN; do
|
|
|
|
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
|
|
|
|
|
2021-03-19 18:41:49 +00:00
|
|
|
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:trojan-activity; sid:$SID; rev:1;)"
|
|
|
|
|
2021-03-18 10:18:59 +00:00
|
|
|
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:trojan-activity; sid:$SID; rev:1;)"
|
|
|
|
|
|
|
|
echo "$SN_RULE" >> "../urlhaus-filter-snort2-online.rules"
|
2021-03-19 18:41:49 +00:00
|
|
|
echo "$SN3_RULE" >> "../urlhaus-filter-snort3-online.rules"
|
2021-03-18 10:18:59 +00:00
|
|
|
echo "$SR_RULE" >> "../urlhaus-filter-suricata-online.rules"
|
|
|
|
|
|
|
|
SID=$(( $SID + 1 ))
|
|
|
|
done < "malware-domains-online.txt"
|
|
|
|
|
|
|
|
while read URL; do
|
|
|
|
HOST=$(echo "$URL" | cut -d"/" -f1)
|
2021-03-18 18:53:15 +00:00
|
|
|
URI=$(echo "$URL" | sed -e "s/^$HOST//" -e "s/;/\\\;/g")
|
2021-03-18 10:18:59 +00:00
|
|
|
|
2021-03-19 22:16:30 +00:00
|
|
|
# Snort2 only supports <=2047 characters of `content`
|
2021-03-18 18:53:15 +00:00
|
|
|
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $URI | cut -c -2047)\"; http_uri; nocase; content:\"$HOST\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
|
2021-03-18 10:18:59 +00:00
|
|
|
|
2021-03-19 18:41:49 +00:00
|
|
|
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; http_header:field host; content:\"$HOST\",nocase; http_uri; content:\"$URI\",nocase; classtype:trojan-activity; sid:$SID; rev:1;)"
|
|
|
|
|
2021-03-18 10:18:59 +00:00
|
|
|
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$URI\"; endswith; nocase; http.host; content:\"$HOST\"; classtype:trojan-activity; sid:$SID; rev:1;)"
|
|
|
|
|
|
|
|
echo "$SN_RULE" >> "../urlhaus-filter-snort2-online.rules"
|
2021-03-19 18:41:49 +00:00
|
|
|
echo "$SN3_RULE" >> "../urlhaus-filter-snort3-online.rules"
|
2021-03-18 10:18:59 +00:00
|
|
|
echo "$SR_RULE" >> "../urlhaus-filter-suricata-online.rules"
|
|
|
|
|
|
|
|
SID=$(( $SID + 1 ))
|
|
|
|
done < "malware-url-top-domains-raw-online.txt"
|
|
|
|
|
|
|
|
## Re-enable command print
|
|
|
|
set -x
|
|
|
|
|
2021-03-19 22:15:17 +00:00
|
|
|
sed -i '1 i\'"$COMMENT_ONLINE"'' "../urlhaus-filter-snort2-online.rules"
|
|
|
|
sed -i "1s/Domains Blocklist/URL Snort2 Ruleset/" "../urlhaus-filter-snort2-online.rules"
|
2021-03-18 10:18:59 +00:00
|
|
|
|
2021-03-19 22:15:17 +00:00
|
|
|
sed -i '1 i\'"$COMMENT_ONLINE"'' "../urlhaus-filter-snort3-online.rules"
|
|
|
|
sed -i "1s/Domains Blocklist/URL Snort3 Ruleset/" "../urlhaus-filter-snort3-online.rules"
|
2021-03-19 18:41:49 +00:00
|
|
|
|
2021-03-19 22:15:17 +00:00
|
|
|
sed -i '1 i\'"$COMMENT_ONLINE"'' "../urlhaus-filter-suricata-online.rules"
|
|
|
|
sed -i "1s/Domains Blocklist/URL Suricata Ruleset/" "../urlhaus-filter-suricata-online.rules"
|
2021-03-18 10:18:59 +00:00
|
|
|
|
|
|
|
|
2020-12-07 04:57:57 +00:00
|
|
|
## IE blocklist
|
|
|
|
COMMENT_IE="msFilterList\n$COMMENT\n: Expires=1\n#"
|
|
|
|
COMMENT_ONLINE_IE="msFilterList\n$COMMENT_ONLINE\n: Expires=1\n#"
|
|
|
|
|
2021-04-01 06:09:08 +00:00
|
|
|
cat "malware-hosts.txt" | \
|
|
|
|
sed "s/^/-d /g" | \
|
2020-12-07 04:57:57 +00:00
|
|
|
sed '1 i\'"$COMMENT_IE"'' | \
|
|
|
|
sed "2s/Domains Blocklist/Hosts Blocklist (IE)/" > "../urlhaus-filter.tpl"
|
|
|
|
|
2021-04-01 06:09:08 +00:00
|
|
|
cat "malware-hosts-online.txt" | \
|
|
|
|
sed "s/^/-d /g" | \
|
2020-12-07 04:57:57 +00:00
|
|
|
sed '1 i\'"$COMMENT_ONLINE_IE"'' | \
|
|
|
|
sed "2s/Domains Blocklist/Hosts Blocklist (IE)/" > "../urlhaus-filter-online.tpl"
|
|
|
|
|
|
|
|
|
2020-07-05 03:34:56 +00:00
|
|
|
## Clean up artifacts
|
2020-07-05 10:21:03 +00:00
|
|
|
rm "URLhaus.csv" "top-1m-umbrella.zip" "top-1m-umbrella.txt" "top-1m-tranco.txt"
|
2020-07-05 03:34:56 +00:00
|
|
|
|
|
|
|
|
2020-05-14 09:44:25 +00:00
|
|
|
cd ../
|