From 89ac1cba2415e40ddce73bf9445b7255ea474ee5 Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Sat, 17 Dec 2022 00:46:13 +0000 Subject: [PATCH] feat: add csv file for Splunk lookup - https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions --- README.md | 63 ++++++++++++++++++++++++++++++++------------------- src/script.sh | 15 ++++++++---- 2 files changed, 51 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 81b1597..febdeb8 100644 --- a/README.md +++ b/README.md @@ -1,21 +1,22 @@ # VN Malicious Domains Blocklist - Formats - * [URL-based](#url-based) - * [Domain-based](#domain-based) - * [Hosts-based](#hosts-based) - * [Domain-based (AdGuard Home)](#domain-based-adguard-home) - * [URL-based (AdGuard)](#url-based-adguard) - * [URL-based (Vivaldi)](#url-based-vivaldi) - * [Dnsmasq](#dnsmasq) - * [BIND zone](#bind) - * [RPZ](#response-policy-zone) - * [Unbound](#unbound) - * [dnscrypt-proxy](#dnscrypt-proxy) - * [Tracking Protection List (IE)](#tracking-protection-list-ie) - * [Snort2](#snort2) - * [Snort3](#snort3) - * [Suricata](#suricata) + - [URL-based](#url-based) + - [Domain-based](#domain-based) + - [Hosts-based](#hosts-based) + - [Domain-based (AdGuard Home)](#domain-based-adguard-home) + - [URL-based (AdGuard)](#url-based-adguard) + - [URL-based (Vivaldi)](#url-based-vivaldi) + - [Dnsmasq](#dnsmasq) + - [BIND zone](#bind) + - [RPZ](#response-policy-zone) + - [Unbound](#unbound) + - [dnscrypt-proxy](#dnscrypt-proxy) + - [Tracking Protection List (IE)](#tracking-protection-list-ie) + - [Snort2](#snort2) + - [Snort3](#snort3) + - [Suricata](#suricata) + * [Splunk](#splunk) - [Compressed version](#compressed-version) - [FAQ and Guides](#faq-and-guides) - [CI Variables](#ci-variables) 
@@ -39,8 +40,9 @@ There are multiple formats available, refer to the appropriate section according - [Snort2](#snort2) - [Snort3](#snort3) - [Suricata](#suricata) +- [Splunk](#splunk) -Not sure which format to choose? See [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki. +For other programs, see [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki. Check out my other filters: @@ -307,7 +309,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter Configure dnscrypt-proxy to use the blocklist: -``` diff +```diff [blocked_names] + blocked_names_file = '/etc/dnscrypt-proxy/vn-badsite-filter-dnscrypt-blocked-names.txt' @@ -354,7 +356,7 @@ This blocklist includes domains only. Supported in Internet Explorer 9+. ## Snort2 -This ruleset includes online URLs only. Not compatible with [Snort3](#snort3). +Not compatible with [Snort3](#snort3). ### Install @@ -387,7 +389,7 @@ printf "\ninclude \$RULE_PATH/vn-badsite-filter-snort2.rules\n" >> /etc/snort/sn ## Snort3 -This ruleset includes online URLs only. Not compatible with [Snort2](#snort2). +Not compatible with [Snort2](#snort2). ### Install @@ -404,7 +406,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter Configure Snort to use the ruleset: -``` diff +```diff # /etc/snort/snort.lua ips = { @@ -428,8 +430,6 @@ ips = ## Suricata -This ruleset includes online URLs only. - ### Install ``` @@ -445,7 +445,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter Configure Suricata to use the ruleset: -``` diff +```diff # /etc/suricata/suricata.yaml rule-files: - local.rules @@ -465,6 +465,23 @@ rule-files: +## Splunk + +A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions). + +- https://malware-filter.gitlab.io/malware-filter/vn-badsite-filter-splunk.csv + +
+Mirrors + +- https://curbengh.github.io/malware-filter/vn-badsite-filter-splunk.csv +- https://curbengh.github.io/vn-badsite-filter/vn-badsite-filter-splunk.csv +- https://malware-filter.gitlab.io/vn-badsite-filter/vn-badsite-filter-splunk.csv +- https://malware-filter.pages.dev/vn-badsite-filter-splunk.csv +- https://vn-badsite-filter.pages.dev/vn-badsite-filter-splunk.csv + +
+ ## Compressed version All filters are also available as gzip- and brotli-compressed. diff --git a/src/script.sh b/src/script.sh index 5702f4e..a1ba89a 100644 --- a/src/script.sh +++ b/src/script.sh 
@@ -157,19 +157,23 @@ set +x
 ## Snort & Suricata rulesets
 rm -f "../public/vn-badsite-filter-snort2.rules" \
 "../public/vn-badsite-filter-snort3.rules" \
- "../public/vn-badsite-filter-suricata.rules"
+ "../public/vn-badsite-filter-suricata.rules" \
+ "../public/vn-badsite-filter-splunk.csv"
 SID="500000001"
 while read DOMAIN; do
- SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
+ SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
- SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
+ SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
- SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
+ SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
+
+ SP_RULE="\"$DOMAIN\",\"\",\"vn-badsite-filter malicious website detected\",\"$CURRENT_TIME\""
 echo "$SN_RULE" >> "../public/vn-badsite-filter-snort2.rules"
 echo "$SN3_RULE" >> "../public/vn-badsite-filter-snort3.rules"
 echo "$SR_RULE" >> "../public/vn-badsite-filter-suricata.rules"
+ echo "$SP_RULE" >> "../public/vn-badsite-filter-splunk.csv"
 SID=$(( $SID + 1 ))
 done < "domains.txt"
@@ -186,5 +190,8 @@ sed -i "1s/Blocklist/Snort3 Ruleset/" "../public/vn-badsite-filter-snort3.rules"
 sed -i "1i $COMMENT" "../public/vn-badsite-filter-suricata.rules"
 sed -i "1s/Blocklist/Suricata Ruleset/" "../public/vn-badsite-filter-suricata.rules"
+sed -i -e "1i $COMMENT" -e '1i "host","path","message","updated"' "../public/vn-badsite-filter-splunk.csv"
+sed -i "1s/Blocklist/Splunk Lookup/" "../public/vn-badsite-filter-splunk.csv"
+
 cd ../