CIS Critical Controls App - Bugs in threat feed do...

All Apps and Add-ons

I've found two issue in this app:

Issue 1
The ransomware_domain_blocklist lookup is not correctly populated due to an issue in the python script.

The script ransomware_domain_blocklist.py is removing the first character from each entry due to the below rex in the # rm whitespace block. Looks like it's been re-used from the http list maybe.

ransomwaretracker_domain_orig.write(re.sub(r'^[^h]', '', line))
Replace with the below.

ransomwaretracker_domain_orig.write(re.sub(r'^[^0-9a-zA-Z]', '', line))

Issue 2

List malc0de_dns_blacklist.csv does not download due to blocking of non standard browsers. My lookup shows the below which comes from cloudflare.

            <p>The owner of this website (malc0de.com) has banned your access based on your browser's signature (4340f913eddb1d9e-ua48).</p>

Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...