feat: add csv file for Splunk lookup
- https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions - "set -u" is disabled due to CF_API variable
This commit is contained in:
MDLeom
parent
df8fe36d39
commit
00a6e3029a
21
README.md
21
README.md
|
|
@ -16,6 +16,7 @@
|
|||
- [Snort2](#snort2)
|
||||
- [Snort3](#snort3)
|
||||
- [Suricata](#suricata)
|
||||
- [Splunk](#splunk)
|
||||
- [Compressed version](#compressed-version)
|
||||
- [Reporting issues](#issues)
|
||||
- [Cloning](#cloning)
|
||||
|
|
@ -41,8 +42,9 @@ There are multiple formats available, refer to the appropriate section according
|
|||
- [Snort2](#snort2)
|
||||
- [Snort3](#snort3)
|
||||
- [Suricata](#suricata)
|
||||
- [Splunk](#splunk)
|
||||
|
||||
Not sure which format to choose? See [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
|
||||
For other programs, see [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
|
||||
|
||||
Check out my other filters:
|
||||
|
||||
|
|
@ -676,6 +678,23 @@ rule-files:
|
|||
|
||||
</details>
|
||||
|
||||
## Splunk
|
||||
|
||||
A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions). This ruleset includes online URLs only.
|
||||
|
||||
- https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-splunk-online.csv
|
||||
|
||||
<details>
|
||||
<summary>Mirrors</summary>
|
||||
|
||||
- https://curbengh.github.io/malware-filter/urlhaus-filter-splunk-online.csv
|
||||
- https://curbengh.github.io/urlhaus-filter/urlhaus-filter-splunk-online.csv
|
||||
- https://malware-filter.gitlab.io/urlhaus-filter/urlhaus-filter-splunk-online.csv
|
||||
- https://malware-filter.pages.dev/urlhaus-filter-splunk-online.csv
|
||||
- https://urlhaus-filter.pages.dev/urlhaus-filter-splunk-online.csv
|
||||
|
||||
</details>
|
||||
|
||||
## Third-party mirrors
|
||||
|
||||
<details>
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
# works best on busybox ash
|
||||
|
||||
set -efux -o pipefail
|
||||
set -efx -o pipefail
|
||||
|
||||
alias curl="curl -L"
|
||||
alias rm="rm -rf"
|
||||
|
|
@ -89,6 +89,7 @@ sort -u > "urlhaus.txt"
|
|||
## Parse domain and IP address only
|
||||
cat "urlhaus.txt" | \
|
||||
cut -f 1 -d "/" | \
|
||||
# Remove port
|
||||
cut -f 1 -d ":" | \
|
||||
# Remove invalid domains, see #15
|
||||
grep -vF "??" | \
|
||||
|
|
@ -389,10 +390,11 @@ sed "1s/Domains/IPs/" > "../public/urlhaus-filter-dnscrypt-blocked-ips-online.tx
|
|||
set +x
|
||||
|
||||
|
||||
# Snort & Suricata
|
||||
# Snort, Suricata, Splunk
|
||||
rm "../public/urlhaus-filter-snort2-online.rules" \
|
||||
"../public/urlhaus-filter-snort3-online.rules" \
|
||||
"../public/urlhaus-filter-suricata-online.rules"
|
||||
"../public/urlhaus-filter-suricata-online.rules" \
|
||||
"../public/urlhaus-filter-splunk-online.csv"
|
||||
|
||||
SID="100000001"
|
||||
while read DOMAIN; do
|
||||
|
|
@ -402,27 +404,36 @@ while read DOMAIN; do
|
|||
|
||||
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:trojan-activity; sid:$SID; rev:1;)"
|
||||
|
||||
SP_RULE="\"$DOMAIN\",\"\",\"urlhaus-filter malicious website detected\",\"$CURRENT_TIME\""
|
||||
|
||||
echo "$SN_RULE" >> "../public/urlhaus-filter-snort2-online.rules"
|
||||
echo "$SN3_RULE" >> "../public/urlhaus-filter-snort3-online.rules"
|
||||
echo "$SR_RULE" >> "../public/urlhaus-filter-suricata-online.rules"
|
||||
echo "$SP_RULE" >> "../public/urlhaus-filter-splunk-online.csv"
|
||||
|
||||
SID=$(( $SID + 1 ))
|
||||
done < "malware-domains-online.txt"
|
||||
|
||||
while read URL; do
|
||||
HOST=$(echo "$URL" | cut -d"/" -f1)
|
||||
URI=$(echo "$URL" | sed -e "s/^$HOST//" -e "s/;/\\\;/g")
|
||||
DOMAIN=$(echo "$URL" | cut -d"/" -f1)
|
||||
# escape ";"
|
||||
PATHNAME=$(echo "$URL" | sed -e "s/^$DOMAIN//" -e "s/;/\\\;/g")
|
||||
|
||||
# Snort2 only supports <=2047 characters of `content`
|
||||
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $URI | cut -c -2047)\"; http_uri; nocase; content:\"$HOST\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
|
||||
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $PATHNAME | cut -c -2047)\"; http_uri; nocase; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
|
||||
|
||||
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; http_header:field host; content:\"$HOST\",nocase; http_uri; content:\"$URI\",nocase; classtype:trojan-activity; sid:$SID; rev:1;)"
|
||||
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; http_uri; content:\"$PATHNAME\",nocase; classtype:trojan-activity; sid:$SID; rev:1;)"
|
||||
|
||||
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$URI\"; endswith; nocase; http.host; content:\"$HOST\"; classtype:trojan-activity; sid:$SID; rev:1;)"
|
||||
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$PATHNAME\"; endswith; nocase; http.host; content:\"$DOMAIN\"; classtype:trojan-activity; sid:$SID; rev:1;)"
|
||||
|
||||
PATHNAME=$(echo "$URL" | sed "s/^$DOMAIN//")
|
||||
|
||||
SP_RULE="\"$DOMAIN\",\"$PATHNAME\",\"urlhaus-filter malicious website detected\",\"$CURRENT_TIME\""
|
||||
|
||||
echo "$SN_RULE" >> "../public/urlhaus-filter-snort2-online.rules"
|
||||
echo "$SN3_RULE" >> "../public/urlhaus-filter-snort3-online.rules"
|
||||
echo "$SR_RULE" >> "../public/urlhaus-filter-suricata-online.rules"
|
||||
echo "$SP_RULE" >> "../public/urlhaus-filter-splunk-online.csv"
|
||||
|
||||
SID=$(( $SID + 1 ))
|
||||
done < "malware-url-top-domains-raw-online.txt"
|
||||
|
|
@ -439,6 +450,9 @@ sed -i "1s/Domains Blocklist/URL Snort3 Ruleset/" "../public/urlhaus-filter-snor
|
|||
sed -i '1 i\'"$COMMENT_ONLINE"'' "../public/urlhaus-filter-suricata-online.rules"
|
||||
sed -i "1s/Domains Blocklist/URL Suricata Ruleset/" "../public/urlhaus-filter-suricata-online.rules"
|
||||
|
||||
sed -i -e '1 i\'"$COMMENT_ONLINE"' ' -e '1 i\"host","path","message","updated"' "../public/urlhaus-filter-splunk-online.csv"
|
||||
sed -i "1s/Domains Blocklist/URL Splunk Lookup/" "../public/urlhaus-filter-splunk-online.csv"
|
||||
|
||||
|
||||
## IE blocklist
|
||||
COMMENT_IE="msFilterList\n$COMMENT\n: Expires=1\n#"
|
||||
|
|
|
|||
Loading…
Reference in New Issue