Open source detection rules for phishing site techniques, kits, and threat actors 🕵️
- Simple: based on Sigma, a simple detection rules language 🚀
- Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.
- Identify fingerprints of known threat actors
- Discover anti-analysis techniques
- Classify which specific phishing kit is in use on a page
📝 Creating indicators
IOK indicators are written using Sigma. A rule matches against the following fields of a scanned page:

| Field | Type | Description |
|---|---|---|
| html | string | The contents of the page HTML (as returned by the server) |
| css | string | Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets) |
| cookies | string | Cookies from the page. Each is in the form |
| headers | string | Headers sent by the server. Each is in the form |
| requests | string | URLs of requests made by the page (and assets loaded by the page) |
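As an added example (not code from the IOK project), here is a minimal Python evaluator for a Sigma-style rule over these fields. It assumes the rule uses Sigma's `field|contains` and `field|contains|all` modifiers with a `condition` that combines named selections (the exact IOK schema is not shown on this page); the kit fingerprint values and the page capture are constructed.

```python
import ast
# Constructed rule, shown as the dict a YAML Sigma rule would load into: it fingerprints a
# hypothetical kit by its credential-post endpoint, right-click blocker and CSS class.
RULE = {
    "title": "Example kit fingerprint (constructed, not a real kit)",
    "detection": {
        "form_post": {"html|contains": "/ajax/login.php"},
        "anti_analysis": {"html|contains|all": ["oncontextmenu", "return false"]},
        "brand_css": {"css|contains": ".ms-login-box"},
        "benign_marker": {"headers|contains": "x-example-legit: true"},
        "condition": "form_post and (anti_analysis or brand_css) and not benign_marker",
    },
}

def _selection_matches(sel: dict, page: dict) -> bool:
    """True when every `field|contains[|all]` entry in the selection hits (case-insensitive)."""
    for key, value in sel.items():
        field, *mods = key.split("|")
        haystack = page.get(field, "").lower()  # missing fields count as empty strings
        needles = [n.lower() for n in (value if isinstance(value, list) else [value])]
        hits = [n in haystack for n in needles]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def _eval_condition(node: ast.AST, results: dict) -> bool:
    """Evaluate the condition via its AST, allowing only names, and/or and not (no eval())."""
    if isinstance(node, ast.Expression):
        return _eval_condition(node.body, results)
    if isinstance(node, ast.Name):
        return results[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_condition(node.operand, results)
    if isinstance(node, ast.BoolOp):
        vals = [_eval_condition(v, results) for v in node.values]
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")

def evaluate(rule: dict, page: dict) -> bool:
    det = rule["detection"]
    results = {n: _selection_matches(s, page) for n, s in det.items() if n != "condition"}
    return _eval_condition(ast.parse(det["condition"], mode="eval"), results)
# Constructed capture of a scanned page, using the field names from the table above.
PAGE = {
    "html": '<body oncontextmenu="return false"><form action="/ajax/login.php" method="post">',
    "css": ".ms-login-box{width:440px}",
    "cookies": "",
    "headers": "server: nginx",
    "requests": "https://login.example.invalid/ajax/login.php",
}
```

Calling `evaluate(RULE, PAGE)` returns `True` for the constructed capture and `False` once the benign marker header is present or the form endpoint is absent.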
We are always looking for contributions: there are far more phishing kits and techniques than a single team can analyse!
To contribute a new rule:
- Try to make sure it doesn’t already exist
- Open a pull request, adding your new file in the
- We’ll review it and merge your PR
- It’ll go live on phish.report/IOK!
💭 Comparison to similar projects
| | IOK | (project name missing) | (project name missing) |
|---|---|---|---|
| Ruleset size | Small, but growing 🦐 | > 300 rules 🐠 | 1000s of rules 🐳 |
| Can scan | Live websites 🕸 | Phishing kit zips 📦 | Live websites 🕸 |
| Supports complex conditions | ✅ | ✅ | ❌ |
| Sends out stickers to contributors 🎁 | ✅ | ❌ | ❌ |
Documentation on how to write a rule is coming soon…
For more details, read OpenStreetMap’s guidance (who also use the ODbL license).