Hey all,
Phishtank.com has a downloadable csv file that contains thousands of verified phishing urls. I want to compare these urls with all the weblogs of my hosts so that I can be alerted when one of my hosts accidentally stumbles upon one of these sites. Below is a sample row of the csv file. I edited the phishing url so no one would click it by accident or anything.
header row - phish_id, url, phish_detail_url, submission_time, ..., target
1932554, http://'ssl-allegrokonto.p.ht/enter_login.php.html, http://'www.phishtank.com/phish_detail.php?phish_id=1932554, 2013-07-15T12:22:00+00:00, ..., Allegro
All I am really interested in is the url data (to compare to weblogs), and possibly the target data of this file. Everything else is just extra information.
Once I have uploaded this file, how do I compose a search with components source=myweblogs and | lookup phishurls? I keep getting errors such as lookup command must come first, the lookup table phishurls is invalid, etc. Just some help on pulling out the url field of the csv file and comparing it with all my weblogs would be very helpful.
I cannot use the Phishing App on the Splunk site so just an explained search of how to do this is appreciated.
Thanks for any help provided.
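A worked pair of searches, added here as an example (not from this thread or from the PhishTank app), assuming the downloaded CSV was uploaded with a lookup definition named phishurls and that the weblog events carry the visited URL in a field named url. The first search writes a normalized copy of the PhishTank lookup (lower-cased, scheme and leading www. stripped, trailing slash removed); the second applies the same normalization to the weblog side and matches against it.

```spl
| inputlookup phishurls
| eval phish_url=lower(url)
| eval phish_url=replace(phish_url, "^https?://(www\.)?", "")
| eval phish_url=replace(phish_url, "/$", "")
| table phish_url, target, phish_detail_url, submission_time
| outputlookup phishurls_norm.csv

source=myweblogs
| eval phish_url=lower(url)
| eval phish_url=replace(phish_url, "^https?://(www\.)?", "")
| eval phish_url=replace(phish_url, "/$", "")
| lookup phishurls_norm.csv phish_url OUTPUT target AS phish_target, phish_detail_url
| where isnotnull(phish_target)
| table _time, host, url, phish_target, phish_detail_url
```

The lookup command has to come after the base search rather than first, and "lookup table ... is invalid" usually means only the CSV file was uploaded without a lookup definition pointing at it. Rerun the first search whenever the CSV is refreshed, and save the second as an alert to be notified when a host touches a listed URL.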
Hi Nimish Doshi,
We are unable to install the PhishTank app in our Splunk instance. We reached out to our support team and it seems that the requested app isn't compatible with the version of Splunk running on the Splunk Cloud instance (our version: 7.0.2.1). Splunk recommended reaching out to the app's developer in order to have them update the compatibility of the app.
Is there anything that you could help us with on this? Any suggestions on how we proceed further with installing the app on the current version? Or does the Splunk version need to be upgraded, or is a compatible version of the PhishTank app available?
Have you seen this app template? It may give you some ideas on using the Phishtank CSV data. I do use a lookup.
That's actually what gave me the idea. The problem is I can neither download nor upload that app due to lack of permissions.