feat: add csv file for Splunk lookup

- https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions
2022-12-17 00:46:13 +00:00 · 2022-12-17 00:46:13 +00:00 · 89ac1cba24
parent 30add07aed
commit 89ac1cba24
2 changed files with 51 additions and 27 deletions
--- a/README.md
+++ b/README.md
@ -1,21 +1,22 @@
 # VN Malicious Domains Blocklist

 - Formats
-  * [URL-based](#url-based)
-  * [Domain-based](#domain-based)
-  * [Hosts-based](#hosts-based)
-  * [Domain-based (AdGuard Home)](#domain-based-adguard-home)
-  * [URL-based (AdGuard)](#url-based-adguard)
-  * [URL-based (Vivaldi)](#url-based-vivaldi)
-  * [Dnsmasq](#dnsmasq)
-  * [BIND zone](#bind)
-  * [RPZ](#response-policy-zone)
-  * [Unbound](#unbound)
-  * [dnscrypt-proxy](#dnscrypt-proxy)
-  * [Tracking Protection List (IE)](#tracking-protection-list-ie)
-  * [Snort2](#snort2)
-  * [Snort3](#snort3)
-  * [Suricata](#suricata)
+  - [URL-based](#url-based)
+  - [Domain-based](#domain-based)
+  - [Hosts-based](#hosts-based)
+  - [Domain-based (AdGuard Home)](#domain-based-adguard-home)
+  - [URL-based (AdGuard)](#url-based-adguard)
+  - [URL-based (Vivaldi)](#url-based-vivaldi)
+  - [Dnsmasq](#dnsmasq)
+  - [BIND zone](#bind)
+  - [RPZ](#response-policy-zone)
+  - [Unbound](#unbound)
+  - [dnscrypt-proxy](#dnscrypt-proxy)
+  - [Tracking Protection List (IE)](#tracking-protection-list-ie)
+  - [Snort2](#snort2)
+  - [Snort3](#snort3)
+  - [Suricata](#suricata)
+  * [Splunk](#splunk)
 - [Compressed version](#compressed-version)
 - [FAQ and Guides](#faq-and-guides)
 - [CI Variables](#ci-variables)
@ -39,8 +40,9 @@ There are multiple formats available, refer to the appropriate section according
 - [Snort2](#snort2)
 - [Snort3](#snort3)
 - [Suricata](#suricata)
+- [Splunk](#splunk)

-Not sure which format to choose? See [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.
+For other programs, see [Compatibility](https://gitlab.com/malware-filter/malware-filter/wikis/compatibility) page in the wiki.

 Check out my other filters:

@ -307,7 +309,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter

 Configure dnscrypt-proxy to use the blocklist:

-``` diff
+```diff
 [blocked_names]
 +  blocked_names_file = '/etc/dnscrypt-proxy/vn-badsite-filter-dnscrypt-blocked-names.txt'

@ -354,7 +356,7 @@ This blocklist includes domains only. Supported in Internet Explorer 9+.

 ## Snort2

-This ruleset includes online URLs only. Not compatible with [Snort3](#snort3).
+Not compatible with [Snort3](#snort3).

 ### Install

@ -387,7 +389,7 @@ printf "\ninclude \$RULE_PATH/vn-badsite-filter-snort2.rules\n" >> /etc/snort/sn

 ## Snort3

-This ruleset includes online URLs only. Not compatible with [Snort2](#snort2).
+Not compatible with [Snort2](#snort2).

 ### Install

@ -404,7 +406,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter

 Configure Snort to use the ruleset:

-``` diff
+```diff
 # /etc/snort/snort.lua
 ips =
 {
@ -428,8 +430,6 @@ ips =

 ## Suricata

-This ruleset includes online URLs only.
-
 ### Install

 ```
@ -445,7 +445,7 @@ chmod 755 /etc/cron.daily/vn-badsite-filter

 Configure Suricata to use the ruleset:

-``` diff
+```diff
 # /etc/suricata/suricata.yaml
 rule-files:
  - local.rules
@ -465,6 +465,23 @@ rule-files:

 </details>

+## Splunk
+
+A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Aboutlookupsandfieldactions).
+
+- https://malware-filter.gitlab.io/malware-filter/vn-badsite-filter-splunk.csv
+
+<details>
+<summary>Mirrors</summary>
+
+- https://curbengh.github.io/malware-filter/vn-badsite-filter-splunk.csv
+- https://curbengh.github.io/vn-badsite-filter/vn-badsite-filter-splunk.csv
+- https://malware-filter.gitlab.io/vn-badsite-filter/vn-badsite-filter-splunk.csv
+- https://malware-filter.pages.dev/vn-badsite-filter-splunk.csv
+- https://vn-badsite-filter.pages.dev/vn-badsite-filter-splunk.csv
+
+</details>
+
 ## Compressed version

 All filters are also available as gzip- and brotli-compressed.
--- a/src/script.sh
+++ b/src/script.sh
@ -157,19 +157,23 @@ set +x
 ## Snort & Suricata rulesets
 rm -f "../public/vn-badsite-filter-snort2.rules" \
  "../public/vn-badsite-filter-snort3.rules" \
-  "../public/vn-badsite-filter-suricata.rules"
+  "../public/vn-badsite-filter-suricata.rules" \
+  "../public/vn-badsite-filter-splunk.csv"

 SID="500000001"
 while read DOMAIN; do
-  SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"
+  SN_RULE="alert tcp \$HOME_NET any -> \$EXTERNAL_NET [80,443] (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; content:\"GET\"; http_method; content:\"$DOMAIN\"; content:\"Host\"; http_header; classtype:attempted-recon; sid:$SID; rev:1;)"

-  SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"
+  SN3_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; http_header:field host; content:\"$DOMAIN\",nocase; classtype:attempted-recon; sid:$SID; rev:1;)"

-  SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter vn-badsite website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
+  SR_RULE="alert http \$HOME_NET any -> \$EXTERNAL_NET any (msg:\"vn-badsite-filter malicious website detected\"; flow:established,from_client; http.method; content:\"GET\"; http.host; content:\"$DOMAIN\"; classtype:attempted-recon; sid:$SID; rev:1;)"
+
+  SP_RULE="\"$DOMAIN\",\"\",\"vn-badsite-filter malicious website detected\",\"$CURRENT_TIME\""

  echo "$SN_RULE" >> "../public/vn-badsite-filter-snort2.rules"
  echo "$SN3_RULE" >> "../public/vn-badsite-filter-snort3.rules"
  echo "$SR_RULE" >> "../public/vn-badsite-filter-suricata.rules"
+  echo "$SP_RULE" >> "../public/vn-badsite-filter-splunk.csv"

  SID=$(( $SID + 1 ))
 done < "domains.txt"
@ -186,5 +190,8 @@ sed -i "1s/Blocklist/Snort3 Ruleset/" "../public/vn-badsite-filter-snort3.rules"
 sed -i "1i $COMMENT" "../public/vn-badsite-filter-suricata.rules"
 sed -i "1s/Blocklist/Suricata Ruleset/" "../public/vn-badsite-filter-suricata.rules"

+sed -i -e "1i $COMMENT" -e '1i "host","path","message","updated"' "../public/vn-badsite-filter-splunk.csv"
+sed -i "1s/Blocklist/Splunk Lookup/" "../public/vn-badsite-filter-splunk.csv"
+

 cd ../