feat: add csv file for Splunk lookup
- https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions
This commit is contained in:
parent
30add07aed
commit
89ac1cba24
63
README.md
|
@ -1,21 +1,22 @@
|
||||||
# VN Malicious Domains Blocklist
|
# VN Malicious Domains Blocklist
|
||||||
|
|
||||||
- Formats
|
- Formats
|
||||||
* [URL-based](#url-based)
|
- [URL-based](#url-based)
|
||||||
* [Domain-based](#domain-based)
|
- [Domain-based](#domain-based)
|
||||||
* [Hosts-based](#hosts-based)
|
- [Hosts-based](#hosts-based)
|
||||||
* [Domain-based (AdGuard Home)](#domain-based-adguard-home)
|
- [Domain-based (AdGuard Home)](#domain-based-adguard-home)
|
||||||
* [URL-based (AdGuard)](#url-based-adguard)
|
- [URL-based (AdGuard)](#url-based-adguard)
|
||||||
* [URL-based (Vivaldi)](#url-based-vivaldi)
|
- [URL-based (Vivaldi)](#url-based-vivaldi)
|
||||||
* [Dnsmasq](#dnsmasq)
|
- [Dnsmasq](#dnsmasq)
|
||||||
* [BIND zone](#bind)
|
- [BIND zone](#bind)
|
||||||
* [RPZ](#response-policy-zone)
|
- [RPZ](#response-policy-zone)
|
||||||
* [Unbound](#unbound)
|
- [Unbound](#unbound)
|
||||||
* [dnscrypt-proxy](#dnscrypt-proxy)
|
- [dnscrypt-proxy](#dnscrypt-proxy)
|
||||||
* [Tracking Protection List (IE)](#tracking-protection-list-ie)
|
- [Tracking Protection List (IE)](#tracking-protection-list-ie)
|
||||||
* [Snort2](#snort2)
|
- [Snort2](#snort2)
|
||||||
* [Snort3](#snort3)
|
- [Snort3](#snort3)
|
||||||
* [Suricata](#suricata)
|
- [Suricata](#suricata)
|
||||||
|
* [Splunk](#splunk)
|
||||||
- [Compressed version](#compressed-version)
|
- [Compressed version](#compressed-version)
|
||||||
- [FAQ and Guides](#faq-and-guides)
|
- [FAQ and Guides](#faq-and-guides)
|
||||||
- [CI Variables](#ci-variables)
|
- [CI Variables](#ci-variables)
|
||||||
|
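Review bot: the new TOC entry `* [Splunk](#splunk)` uses `*` as its bullet while this same hunk converts every sibling entry (`* [URL-based](#url-based)` to `- [URL-based](#url-based)`, and so on through `* [Suricata](#suricata)`) to `-`; write it as `- [Splunk](#splunk)`, which is what the second list further down the README already uses, so the bullet style stays consistent after the change.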
@ -39,8 +40,9 @@ There are multiple formats available, refer to the appropriate section according
|
||||||
- [Snort2](#snort2)
|
- [Snort2](#snort2)
|
||||||
- [Snort3](#snort3)
|
- [Snort3](#snort3)
|
||||||
- [Suricata](#suricata)
|
- [Suricata](#suricata)
|
||||||
|
- [Splunk](#splunk)
|
||||||
|
|
||||||
Not sure which format to choose? See [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
|
For other programs, see [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
|
||||||
|
|
||||||
Check out my other filters:
|
Check out my other filters:
|
||||||
|
|
||||||
|
@ -307,7 +309,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter
|
||||||
|
|
||||||
Configure dnscrypt-proxy to use the blocklist:
|
Configure dnscrypt-proxy to use the blocklist:
|
||||||
|
|
||||||
``` diff
|
```diff
|
||||||
[blocked_names]
|
[blocked_names]
|
||||||
+ blocked_names_file = '/etc/dnscrypt-proxy/vn-badsite-filter-dnscrypt-blocked-names.txt'
|
+ blocked_names_file = '/etc/dnscrypt-proxy/vn-badsite-filter-dnscrypt-blocked-names.txt'
|
||||||
|
|
||||||
|
@ -354,7 +356,7 @@ This blocklist includes domains only. Supported in Internet Explorer 9+.
|
||||||
|
|
||||||
## Snort2
|
## Snort2
|
||||||
|
|
||||||
This ruleset includes online URLs only. Not compatible with [Snort3](#snort3).
|
Not compatible with [Snort3](#snort3).
|
||||||
|
|
||||||
### Install
|
### Install
|
||||||
|
|
||||||
|
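Review bot: dropping `This ruleset includes online URLs only.` leaves the Snort2 section with no statement of what the rules actually match; the generator loops `while read DOMAIN; do ... done < "domains.txt"` and matches `$DOMAIN` against the `Host` header, so replace the sentence with one that says that (for example `This ruleset matches domains only.`) instead of deleting it, and do the same in the Snort3 and Suricata hunks below, which make the identical deletion.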
@ -387,7 +389,7 @@ printf "\ninclude \$RULE_PATH/vn-badsite-filter-snort2.rules\n" >> /etc/snort/sn
|
||||||
|
|
||||||
## Snort3
|
## Snort3
|
||||||
|
|
||||||
This ruleset includes online URLs only. Not compatible with [Snort2](#snort2).
|
Not compatible with [Snort2](#snort2).
|
||||||
|
|
||||||
### Install
|
### Install
|
||||||
|
|
||||||
|
@ -404,7 +406,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter
|
||||||
|
|
||||||
Configure Snort to use the ruleset:
|
Configure Snort to use the ruleset:
|
||||||
|
|
||||||
``` diff
|
```diff
|
||||||
# /etc/snort/snort.lua
|
# /etc/snort/snort.lua
|
||||||
ips =
|
ips =
|
||||||
{
|
{
|
||||||
|
@ -428,8 +430,6 @@ ips =
|
||||||
|
|
||||||
## Suricata
|
## Suricata
|
||||||
|
|
||||||
This ruleset includes online URLs only.
|
|
||||||
|
|
||||||
### Install
|
### Install
|
||||||
|
|
||||||
```
|
```
|
||||||
|
@ -445,7 +445,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter
|
||||||
|
|
||||||
Configure Suricata to use the ruleset:
|
Configure Suricata to use the ruleset:
|
||||||
|
|
||||||
``` diff
|
```diff
|
||||||
# /etc/suricata/suricata.yaml
|
# /etc/suricata/suricata.yaml
|
||||||
rule-files:
|
rule-files:
|
||||||
- local.rules
|
- local.rules
|
||||||
|
@ -465,6 +465,23 @@ rule-files:
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
|
||||||
|
## Splunk
|
||||||
|
|
||||||
|
A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions).
|
||||||
|
|
||||||
|
- https://malware-filter.gitlab.io/malware-filter/vn-badsite-filter-splunk.csv
|
||||||
|
|
||||||
|
<details>
|
||||||
|
<summary>Mirrors</summary>
|
||||||
|
|
||||||
|
- https://curbengh.github.io/malware-filter/vn-badsite-filter-splunk.csv
|
||||||
|
- https://curbengh.github.io/vn-badsite-filter/vn-badsite-filter-splunk.csv
|
||||||
|
- https://malware-filter.gitlab.io/vn-badsite-filter/vn-badsite-filter-splunk.csv
|
||||||
|
- https://malware-filter.pages.dev/vn-badsite-filter-splunk.csv
|
||||||
|
- https://vn-badsite-filter.pages.dev/vn-badsite-filter-splunk.csv
|
||||||
|
|
||||||
|
</details>
|
||||||
|
|
||||||
## Compressed version
|
## Compressed version
|
||||||
|
|
||||||
All filters are also available as gzip- and brotli-compressed.
|
All filters are also available as gzip- and brotli-compressed.
|
||||||
|
|
|
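Review bot: the new `## Splunk` section gives only download URLs, whereas every other format section in this README has an `### Install` subsection; add one that says how to load the file as a lookup (upload the CSV as a lookup table file in Splunk Web and create a lookup definition for it) and a sample search against the columns this commit defines (`host`, `path`, `message`, `updated`), e.g. `| lookup <lookup definition name> host OUTPUT message`. Also consider linking the Splunk docs without the pinned `9.0.2` in the path (`.../Splunk/latest/Knowledge/Aboutlookupsandfieldactions`), since the version-pinned page will go stale.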
@ -157,19 +157,23 @@ set +x
|
||||||
## Snort & Suricata rulesets
|
## Snort & Suricata rulesets
|
||||||
rm -f "../public/vn-badsite-filter-snort2.rules" \
|
rm -f "../public/vn-badsite-filter-snort2.rules" \
|
||||||
"../public/vn-badsite-filter-snort3.rules" \
|
"../public/vn-badsite-filter-snort3.rules" \
|
||||||
"../public/vn-badsite-filter-suricata.rules"
|
"../public/vn-badsite-filter-suricata.rules" \
|
||||||
|
"../public/vn-badsite-filter-splunk.csv"
|
||||||
|
|
||||||
SID="500000001"
|
SID="500000001"
|
||||||
while read DOMAIN; do
|
while read DOMAIN; do
|
||||||
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
|
SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
|
||||||
|
|
||||||
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
|
SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
|
||||||
|
|
||||||
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
|
SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
|
||||||
|
|
||||||
|
SP_RULE="\"$DOMAIN\",\"\",\"vn-badsite-filter malicious website detected\",\"$CURRENT_TIME\""
|
||||||
|
|
||||||
echo "$SN_RULE" >> "../public/vn-badsite-filter-snort2.rules"
|
echo "$SN_RULE" >> "../public/vn-badsite-filter-snort2.rules"
|
||||||
echo "$SN3_RULE" >> "../public/vn-badsite-filter-snort3.rules"
|
echo "$SN3_RULE" >> "../public/vn-badsite-filter-snort3.rules"
|
||||||
echo "$SR_RULE" >> "../public/vn-badsite-filter-suricata.rules"
|
echo "$SR_RULE" >> "../public/vn-badsite-filter-suricata.rules"
|
||||||
|
echo "$SP_RULE" >> "../public/vn-badsite-filter-splunk.csv"
|
||||||
|
|
||||||
SID=$(( $SID + 1 ))
|
SID=$(( $SID + 1 ))
|
||||||
done < "domains.txt"
|
done < "domains.txt"
|
||||||
|
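Review bot: the `path` column in `SP_RULE` is always the empty string, because the loop reads `domains.txt` and never has a path to put there, and `message` repeats the same constant on every row; either drop `path` (and the matching header field) or document that it is reserved for a future URL-based lookup, and consider whether a constant `message` column earns its place in a file regenerated on every run. Also confirm `$CURRENT_TIME` is defined before this loop; it is not visible in this hunk, and an unset variable would silently yield an empty `updated` column unless the script runs with `set -u`.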
@ -186,5 +190,8 @@ sed -i "1s/Blocklist/Snort3 Ruleset/" "../public/vn-badsite-filter-snort3.rules"
|
||||||
sed -i "1i $COMMENT" "../public/vn-badsite-filter-suricata.rules"
|
sed -i "1i $COMMENT" "../public/vn-badsite-filter-suricata.rules"
|
||||||
sed -i "1s/Blocklist/Suricata Ruleset/" "../public/vn-badsite-filter-suricata.rules"
|
sed -i "1s/Blocklist/Suricata Ruleset/" "../public/vn-badsite-filter-suricata.rules"
|
||||||
|
|
||||||
|
sed -i -e "1i $COMMENT" -e '1i "host","path","message","updated"' "../public/vn-badsite-filter-splunk.csv"
|
||||||
|
sed -i "1s/Blocklist/Splunk Lookup/" "../public/vn-badsite-filter-splunk.csv"
|
||||||
|
|
||||||
|
|
||||||
cd ../
|
cd ../
|
||||||
|
|
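Review bot: `sed -i -e "1i $COMMENT" -e '1i "host","path","message","updated"'` puts the comment block ahead of the header row (both `1i` commands insert before the original first line in the order given, and the following `1s/Blocklist/Splunk Lookup/` confirms line 1 ends up being the comment's title line, not the header). Splunk reads the first line of a CSV lookup file as the header row and has no comment syntax, so the lookup would get a single bogus column named after the comment text. For this file write only the header as line 1 (`sed -i '1i "host","path","message","updated"' "../public/vn-badsite-filter-splunk.csv"`), leave `$COMMENT` out, and drop the `1s/Blocklist/Splunk Lookup/` rewrite, which then has nothing to rewrite.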