feat: add csv file for Splunk lookup

- https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions

README.md

@@ -1,21 +1,22 @@
 # VN Malicious Domains Blocklist
 
 - Formats
-  * [URL-based](#url-based)
+  - [URL-based](#url-based)
-  * [Domain-based](#domain-based)
+  - [Domain-based](#domain-based)
-  * [Hosts-based](#hosts-based)
+  - [Hosts-based](#hosts-based)
-  * [Domain-based (AdGuard Home)](#domain-based-adguard-home)
+  - [Domain-based (AdGuard Home)](#domain-based-adguard-home)
-  * [URL-based (AdGuard)](#url-based-adguard)
+  - [URL-based (AdGuard)](#url-based-adguard)
-  * [URL-based (Vivaldi)](#url-based-vivaldi)
+  - [URL-based (Vivaldi)](#url-based-vivaldi)
-  * [Dnsmasq](#dnsmasq)
+  - [Dnsmasq](#dnsmasq)
-  * [BIND zone](#bind)
+  - [BIND zone](#bind)
-  * [RPZ](#response-policy-zone)
+  - [RPZ](#response-policy-zone)
-  * [Unbound](#unbound)
+  - [Unbound](#unbound)
-  * [dnscrypt-proxy](#dnscrypt-proxy)
+  - [dnscrypt-proxy](#dnscrypt-proxy)
-  * [Tracking Protection List (IE)](#tracking-protection-list-ie)
+  - [Tracking Protection List (IE)](#tracking-protection-list-ie)
-  * [Snort2](#snort2)
+  - [Snort2](#snort2)
-  * [Snort3](#snort3)
+  - [Snort3](#snort3)
-  * [Suricata](#suricata)
+  - [Suricata](#suricata)
+  * [Splunk](#splunk)
 - [Compressed version](#compressed-version)
 - [FAQ and Guides](#faq-and-guides)
 - [CI Variables](#ci-variables)
@@ -39,8 +40,9 @@ There are multiple formats available, refer to the appropriate section according
 - [Snort2](#snort2)
 - [Snort3](#snort3)
 - [Suricata](#suricata)
+- [Splunk](#splunk)
 
-Not sure which format to choose? See [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
+For other programs, see [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
 
 Check out my other filters:
 
@@ -354,7 +356,7 @@ This blocklist includes domains only. Supported in Internet Explorer 9+.
 
 ## Snort2
 
-This ruleset includes online URLs only. Not compatible with [Snort3](#snort3).
+Not compatible with [Snort3](#snort3).
 
 ### Install
 
@@ -387,7 +389,7 @@ printf "\ninclude \$RULE_PATH/vn-badsite-filter-snort2.rules\n" >> /etc/snort/sn
 
 ## Snort3
 
-This ruleset includes online URLs only. Not compatible with [Snort2](#snort2).
+Not compatible with [Snort2](#snort2).
 
 ### Install
 
@@ -428,8 +430,6 @@ ips =
 
 ## Suricata
 
-This ruleset includes online URLs only.
-
 ### Install
 
 ```
@@ -465,6 +465,23 @@ rule-files:
 
 </details>
 
+## Splunk
+
+A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions).
+
+- https://malware-filter.gitlab.io/malware-filter/vn-badsite-filter-splunk.csv
+
+<details>
+<summary>Mirrors</summary>
+
+- https://curbengh.github.io/malware-filter/vn-badsite-filter-splunk.csv
+- https://curbengh.github.io/vn-badsite-filter/vn-badsite-filter-splunk.csv
+- https://malware-filter.gitlab.io/vn-badsite-filter/vn-badsite-filter-splunk.csv
+- https://malware-filter.pages.dev/vn-badsite-filter-splunk.csv
+- https://vn-badsite-filter.pages.dev/vn-badsite-filter-splunk.csv
+
+</details>
+
 ## Compressed version
 
 All filters are also available as gzip- and brotli-compressed.

src/script.sh

@@ -157,19 +157,23 @@ set +x
 ## Snort & Suricata rulesets
 rm -f "../public/vn-badsite-filter-snort2.rules" \
   "../public/vn-badsite-filter-snort3.rules" \
-  "../public/vn-badsite-filter-suricata.rules"
+  "../public/vn-badsite-filter-suricata.rules" \
+  "../public/vn-badsite-filter-splunk.csv"
 
 SID="500000001"
 while read DOMAIN; do
-  SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
+  SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
 
-  SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
+  SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
 
-  SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
+  SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
+
+  SP_RULE="\"$DOMAIN\",\"\",\"vn-badsite-filter malicious website detected\",\"$CURRENT_TIME\""
 
   echo "$SN_RULE" >> "../public/vn-badsite-filter-snort2.rules"
   echo "$SN3_RULE" >> "../public/vn-badsite-filter-snort3.rules"
   echo "$SR_RULE" >> "../public/vn-badsite-filter-suricata.rules"
+  echo "$SP_RULE" >> "../public/vn-badsite-filter-splunk.csv"
 
   SID=$(( $SID + 1 ))
 done < "domains.txt"
@@ -186,5 +190,8 @@ sed -i "1s/Blocklist/Snort3 Ruleset/" "../public/vn-badsite-filter-snort3.rules"
 sed -i "1i $COMMENT" "../public/vn-badsite-filter-suricata.rules"
 sed -i "1s/Blocklist/Suricata Ruleset/" "../public/vn-badsite-filter-suricata.rules"
 
+sed -i -e "1i $COMMENT" -e '1i "host","path","message","updated"' "../public/vn-badsite-filter-splunk.csv"
+sed -i "1s/Blocklist/Splunk Lookup/" "../public/vn-badsite-filter-splunk.csv"
+
 
 cd ../