Is there some kind of definition of what info gets to be placed in what field? Some sources deliver CIDR, some deliver IP, some deliver DNS domains etc. Is there a definition of what the lookup table should look like that gathers all sources and provides a systemwide lookup?
I would like to gather a global list of suspicions internet destinations and/or client IPs
Also, urllib has issues with https via proxy and I have good experiences with the requests library. Any chance the author will consider using that library?
There is no guidance on what the lookups should look like, getwatchlist is just a tool that you can use to grab a URL and make a lookup. How you map those for your use is really up to you. Some examples can be found in the config, or here:
Also, keep in mind that you can map fields using the "=", so for example, if the 4th column in the retrieved file is the name of the contributor, and you wanted it to be mapped to a field named "contributor" you can add "4=contributor" to the command to create that mapping.
As for the use of the requests library, that would be a possibility for the future, but I currently don't have any plans on when the next release would be.
Thanks,
Dave