From 00a6e3029af7a0382d67de9db864112cc8322ef2 Mon Sep 17 00:00:00 2001
From: MDLeom <2809763-curben@users.noreply.gitlab.com>
Date: Fri, 16 Dec 2022 08:07:38 +0000
Subject: [PATCH] feat: add csv file for Splunk lookup

- https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions
- "set -u" is disabled due to CF_API variable
---
 README.md | 21 ++++++++++++++++++++-
 src/script.sh | 30 ++++++++++++++++++++++--------
 2 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index b16a638e..4516c3f1 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@
 - [Snort2](#snort2)
 - [Snort3](#snort3)
 - [Suricata](#suricata)
+ - [Splunk](#splunk)
 - [Compressed version](#compressed-version)
 - [Reporting issues](#issues)
 - [Cloning](#cloning)
@@ -41,8 +42,9 @@ There are multiple formats available, refer to the appropriate section according
 - [Snort2](#snort2)
 - [Snort3](#snort3)
 - [Suricata](#suricata)
+- [Splunk](#splunk)
-Not sure which format to choose? See [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
+For other programs, see [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
 Check out my other filters:
@@ -676,6 +678,23 @@ rule-files:
+## Splunk
+
+A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions). This ruleset includes online URLs only.
+
+- https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-splunk-online.csv
+
+
+Mirrors
+
+- https://curbengh.github.io/malware-filter/urlhaus-filter-splunk-online.csv
+- https://curbengh.github.io/urlhaus-filter/urlhaus-filter-splunk-online.csv
+- https://malware-filter.gitlab.io/urlhaus-filter/urlhaus-filter-splunk-online.csv
+- https://malware-filter.pages.dev/urlhaus-filter-splunk-online.csv
+- https://urlhaus-filter.pages.dev/urlhaus-filter-splunk-online.csv
+
+
+ ## Third-party mirrors
diff --git a/src/script.sh b/src/script.sh
index f66a67ee..0fb1c0a1 100644
--- a/src/script.sh
+++ b/src/script.sh
@@ -2,7 +2,7 @@
 # works best on busybox ash
-set -efux -o pipefail
+set -efx -o pipefail
 alias curl="curl -L"
 alias rm="rm -rf"
@@ -89,6 +89,7 @@ sort -u > "urlhaus.txt"
 ## Parse domain and IP address only
 cat "urlhaus.txt" | \
 cut -f 1 -d "/" | \
+# Remove port
 cut -f 1 -d ":" | \
 # Remove invalid domains, see #15
 grep -vF "??" | \
@@ -389,10 +390,11 @@ sed "1s/Domains/IPs/" > "../public/urlhaus-filter-dnscrypt-blocked-ips-online.tx
 set +x
-# Snort & Suricata
+# Snort, Suricata, Splunk
 rm "../public/urlhaus-filter-snort2-online.rules" \
 "../public/urlhaus-filter-snort3-online.rules" \
- "../public/urlhaus-filter-suricata-online.rules"
+ "../public/urlhaus-filter-suricata-online.rules" \
+ "../public/urlhaus-filter-splunk-online.csv"
 SID="100000001"
 while read DOMAIN; do
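Review bot: Dropping `-u` from `set -efux -o pipefail` switches off unset-variable detection for the entire script in order to tolerate one optional variable; the commit message names CF_API as the reason, and that reference is outside this hunk. The narrower fix keeps `set -efux -o pipefail` and gives the variable a default where it is read, `"${CF_API:-}"`, or once near the top with `: "${CF_API:=}"`. With `-u` gone, any mistyped or never-assigned variable name elsewhere in the script expands silently to an empty string instead of aborting the run, which matters in a script that aliases `rm` to `rm -rf` two lines below and builds file paths from variables throughout.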
@@ -402,27 +404,36 @@ while read DOMAIN; do
 SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:trojan-activity; sid:$SID; rev:1;)"
+ SP_RULE="\"$DOMAIN\",\"\",\"urlhaus-filter malicious website detected\",\"$CURRENT_TIME\""
+
 echo "$SN_RULE" >> "../public/urlhaus-filter-snort2-online.rules"
 echo "$SN3_RULE" >> "../public/urlhaus-filter-snort3-online.rules"
 echo "$SR_RULE" >> "../public/urlhaus-filter-suricata-online.rules"
+ echo "$SP_RULE" >> "../public/urlhaus-filter-splunk-online.csv"
 SID=$(( $SID + 1 ))
 done < "malware-domains-online.txt"
 while read URL; do
- HOST=$(echo "$URL" | cut -d"/" -f1)
- URI=$(echo "$URL" | sed -e "s/^$HOST//" -e "s/;/\\\;/g")
+ DOMAIN=$(echo "$URL" | cut -d"/" -f1)
+ # escape ";"
+ PATHNAME=$(echo "$URL" | sed -e "s/^$DOMAIN//" -e "s/;/\\\;/g")
 # Snort2 only supports <=2047 characters of `content`
- SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $URI | cut -c -2047)\"; http_uri; nocase; content:\"$HOST\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
+ SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$(echo $PATHNAME | cut -c -2047)\"; http_uri; nocase; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:trojan-activity; sid:$SID; rev:1;)"
- SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; http_header:field host; content:\"$HOST\",nocase; http_uri; content:\"$URI\",nocase; classtype:trojan-activity; sid:$SID; rev:1;)"
+ SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter 
malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; http_uri; content:\"$PATHNAME\",nocase; classtype:trojan-activity; sid:$SID; rev:1;)"
- SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$URI\"; endswith; nocase; http.host; content:\"$HOST\"; classtype:trojan-activity; sid:$SID; rev:1;)"
+ SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"urlhaus-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.uri; content:\"$PATHNAME\"; endswith; nocase; http.host; content:\"$DOMAIN\"; classtype:trojan-activity; sid:$SID; rev:1;)"
+
+ PATHNAME=$(echo "$URL" | sed "s/^$DOMAIN//")
+
+ SP_RULE="\"$DOMAIN\",\"$PATHNAME\",\"urlhaus-filter malicious website detected\",\"$CURRENT_TIME\""
 echo "$SN_RULE" >> "../public/urlhaus-filter-snort2-online.rules"
 echo "$SN3_RULE" >> "../public/urlhaus-filter-snort3-online.rules"
 echo "$SR_RULE" >> "../public/urlhaus-filter-suricata-online.rules"
+ echo "$SP_RULE" >> "../public/urlhaus-filter-splunk-online.csv"
 SID=$(( $SID + 1 ))
 done < "malware-url-top-domains-raw-online.txt"
@@ -439,6 +450,9 @@ sed -i "1s/Domains Blocklist/URL Snort3 Ruleset/" "../public/urlhaus-filter-snor
 sed -i '1 i\'"$COMMENT_ONLINE"'' "../public/urlhaus-filter-suricata-online.rules"
 sed -i "1s/Domains Blocklist/URL Suricata Ruleset/" "../public/urlhaus-filter-suricata-online.rules"
+sed -i -e '1 i\'"$COMMENT_ONLINE"' ' -e '1 i\"host","path","message","updated"' "../public/urlhaus-filter-splunk-online.csv"
+sed -i "1s/Domains Blocklist/URL Splunk Lookup/" "../public/urlhaus-filter-splunk-online.csv"
+
 ## IE blocklist
 COMMENT_IE="msFilterList\n$COMMENT\n: Expires=1\n#"
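Review bot: The CSV row built in `SP_RULE` wraps `$PATHNAME` in double quotes but never escapes quotes inside it, so a URL path from the upstream feed that contains `"` produces a malformed record (RFC 4180 requires a `"` inside a quoted field to be doubled) and can shift every later field of that row. The second `PATHNAME=` assignment is the place to fix this, and parameter expansion also avoids interpolating `$DOMAIN` into a sed regex where `.` matches any character: `PATHNAME=${URL#"$DOMAIN"}` followed by `PATHNAME=$(printf '%s' "$PATHNAME" | sed 's/"/""/g')`. The same `SP_RULE` shape in the first loop carries only `$DOMAIN` and `$CURRENT_TIME`, which is fine provided CURRENT_TIME is assigned earlier in the script; that `while read DOMAIN` loop begins outside the hunk. Reusing `PATHNAME` for both the `;`-escaped rule text and the raw CSV value is easy to misread; a separate name such as `CSV_PATH` for the second assignment would make the two encodings explicit.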
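Review bot: The `sed -i -e '1 i\'"$COMMENT_ONLINE"' ' -e '1 i\"host","path","message","updated"'` line inserts the comment block ahead of the header, so the first line of `urlhaus-filter-splunk-online.csv` is comment text rather than `"host","path","message","updated"`. As far as I know Splunk takes the first row of a lookup CSV as the field names and has no comment syntax for lookup files, so the header would need to come first and the comment either be dropped for this format or its acceptance confirmed against the linked Splunk lookup documentation before the file is published. The trailing space in `' '` after `$COMMENT_ONLINE`, unlike the `''` used for the Suricata file two lines above, looks unintentional; if it is deliberate, a short comment saying why would help.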