IOK logo

Screenshot of one of the IOK indicator rules

Open source detection rules for phishing site techniques, kits, and threat actors πŸ•΅οΈ

  • Simple: based on Sigma, a simple detection rules language πŸš€
  • Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.

Use cases:

πŸ“ Creating indicators

IOK indicators are written using Sigma

Field name Type Description
html string The contents of the page HTML (as returned by the server)
js []string Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally)
css []string Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets)
cookies []string Cookies from the page. Each is in the form cookieName=value
headers []string Headers sent by the server. Each is in the form Header-Name: value
requests []string URLs of requests made by the page (and assets loaded by the page)

We are always looking for contributionsβ€”there’s far more phishing kits and techniques than a single team can analyse!

To contribute a new rule:

  1. Try to make sure it doesn’t already exist
  2. Open a pull request, adding your new file in the indicators/ folder
  3. We’ll review it and merge your PR
  4. It’ll go live on!

πŸ’­ Comparison to similar projects

IOK PhishingKit-Yara-Rules Wappalyzer
Open Source βœ… βœ… βœ…
Ruleset size Small, but growing 🦐 > 300 rules 🐠 1000s of rules 🐳
Can scan Live websites πŸ•Έ Phishing kit zips πŸ“¦ Live websites πŸ•Έ
Phishing focused βœ… βœ… ❌
Supports complex conditions βœ… βœ… ❌
Sends out stickers to contributors 🎁 βœ… ❌ ❌

🀝 Contributing

Documentation on how to write a rule is coming soon…

πŸ“ License

This project is ODbL licensed. You’re free to use the rules in your own projects (including commercial ones!) as long as you credit as the source.

For more details, read OpenStreetMap’s guidance (who also use the ODbL license).


View Github