diff --git a/README.md b/README.md index 81b1597..febdeb8 100644 --- a/README.md +++ b/README.md @@ -1,21 +1,22 @@ # VN Malicious Domains Blocklist - Formats - * [URL-based](#url-based) - * [Domain-based](#domain-based) - * [Hosts-based](#hosts-based) - * [Domain-based (AdGuard Home)](#domain-based-adguard-home) - * [URL-based (AdGuard)](#url-based-adguard) - * [URL-based (Vivaldi)](#url-based-vivaldi) - * [Dnsmasq](#dnsmasq) - * [BIND zone](#bind) - * [RPZ](#response-policy-zone) - * [Unbound](#unbound) - * [dnscrypt-proxy](#dnscrypt-proxy) - * [Tracking Protection List (IE)](#tracking-protection-list-ie) - * [Snort2](#snort2) - * [Snort3](#snort3) - * [Suricata](#suricata) + - [URL-based](#url-based) + - [Domain-based](#domain-based) + - [Hosts-based](#hosts-based) + - [Domain-based (AdGuard Home)](#domain-based-adguard-home) + - [URL-based (AdGuard)](#url-based-adguard) + - [URL-based (Vivaldi)](#url-based-vivaldi) + - [Dnsmasq](#dnsmasq) + - [BIND zone](#bind) + - [RPZ](#response-policy-zone) + - [Unbound](#unbound) + - [dnscrypt-proxy](#dnscrypt-proxy) + - [Tracking Protection List (IE)](#tracking-protection-list-ie) + - [Snort2](#snort2) + - [Snort3](#snort3) + - [Suricata](#suricata) + * [Splunk](#splunk) - [Compressed version](#compressed-version) - [FAQ and Guides](#faq-and-guides) - [CI Variables](#ci-variables) @@ -39,8 +40,9 @@ There are multiple formats available, refer to the appropriate section according - [Snort2](#snort2) - [Snort3](#snort3) - [Suricata](#suricata) +- [Splunk](#splunk) -Not sure which format to choose? See [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki. +For other programs, see [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki. Check out my other filters: @@ -307,7 +309,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter Configure dnscrypt-proxy to use the blocklist: -``` diff +```diff [blocked_names] + blocked_names_file = '/etc/dnscrypt-proxy/vn-badsite-filter-dnscrypt-blocked-names.txt' @@ -354,7 +356,7 @@ This blocklist includes domains only. Supported in Internet Explorer 9+. ## Snort2 -This ruleset includes online URLs only. Not compatible with [Snort3](#snort3). +Not compatible with [Snort3](#snort3). ### Install @@ -387,7 +389,7 @@ printf "\ninclude \$RULE_PATH/vn-badsite-filter-snort2.rules\n" >> /etc/snort/sn ## Snort3 -This ruleset includes online URLs only. Not compatible with [Snort2](#snort2). +Not compatible with [Snort2](#snort2). ### Install @@ -404,7 +406,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter Configure Snort to use the ruleset: -``` diff +```diff # /etc/snort/snort.lua ips = { @@ -428,8 +430,6 @@ ips = ## Suricata -This ruleset includes online URLs only. - ### Install ``` @@ -445,7 +445,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter Configure Suricata to use the ruleset: -``` diff +```diff # /etc/suricata/suricata.yaml rule-files: - local.rules @@ -465,6 +465,23 @@ rule-files: +## Splunk + +A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions). + +- https://malware-filter.gitlab.io/malware-filter/vn-badsite-filter-splunk.csv + +
+Mirrors + +- https://curbengh.github.io/malware-filter/vn-badsite-filter-splunk.csv +- https://curbengh.github.io/vn-badsite-filter/vn-badsite-filter-splunk.csv +- https://malware-filter.gitlab.io/vn-badsite-filter/vn-badsite-filter-splunk.csv +- https://malware-filter.pages.dev/vn-badsite-filter-splunk.csv +- https://vn-badsite-filter.pages.dev/vn-badsite-filter-splunk.csv + +
+ ## Compressed version All filters are also available as gzip- and brotli-compressed. diff --git a/src/script.sh b/src/script.sh index 5702f4e..a1ba89a 100644 --- a/src/script.sh +++ b/src/script.sh @@ -157,19 +157,23 @@ set +x ## Snort & Suricata rulesets rm -f "../public/vn-badsite-filter-snort2.rules" \ "../public/vn-badsite-filter-snort3.rules" \ - "../public/vn-badsite-filter-suricata.rules" + "../public/vn-badsite-filter-suricata.rules" \ + "../public/vn-badsite-filter-splunk.csv" SID="500000001" while read DOMAIN; do - SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)" + SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)" - SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)" + SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)" - SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)" + SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)" + + SP_RULE="\"$DOMAIN\",\"\",\"vn-badsite-filter malicious website detected\",\"$CURRENT_TIME\"" echo "$SN_RULE" >> "../public/vn-badsite-filter-snort2.rules" echo "$SN3_RULE" >> "../public/vn-badsite-filter-snort3.rules" echo "$SR_RULE" >> "../public/vn-badsite-filter-suricata.rules" + echo "$SP_RULE" >> "../public/vn-badsite-filter-splunk.csv" SID=$(( $SID + 1 )) done < "domains.txt" @@ -186,5 +190,8 @@ sed -i "1s/Blocklist/Snort3 Ruleset/" "../public/vn-badsite-filter-snort3.rules" sed -i "1i $COMMENT" "../public/vn-badsite-filter-suricata.rules" sed -i "1s/Blocklist/Suricata Ruleset/" "../public/vn-badsite-filter-suricata.rules" +sed -i -e "1i $COMMENT" -e '1i "host","path","message","updated"' "../public/vn-badsite-filter-splunk.csv" +sed -i "1s/Blocklist/Splunk Lookup/" "../public/vn-badsite-filter-splunk.csv" + cd ../