IOK logo

Screenshot of one of the IOK indicator rules

Open source detection rules for phishing site techniques, kits, and threat actors πŸ•΅οΈ

  • Simple: based on Sigma, a simple detection rules language πŸš€
  • Rich metadata: rules have descriptions, tags, and links to blog posts or related rules.

Use cases:

πŸ“ Creating indicators

IOK indicators are written using Sigma

Field name Type Description
html string The contents of the page HTML (as returned by the server)
js []string Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally)
css []string Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets)
cookies []string Cookies from the page. Each is in the form cookieName=value
headers []string Headers sent by the server. Each is in the form Header-Name: value
requests []string URLs of requests made by the page (and assets loaded by the page)

We are always looking for contributionsβ€”there’s far more phishing kits and techniques than a single team can analyse!

To contribute a new rule:

  1. Try to make sure it doesn’t already exist
  2. Open a pull request, adding your new file in the indicators/ folder
  3. We’ll review it and merge your PR
  4. It’ll go live on phish.report/IOK!

πŸ’­ Comparison to similar projects

IOK PhishingKit-Yara-Rules Wappalyzer
Open Source βœ… βœ… βœ…
Ruleset size Small, but growing 🦐 > 300 rules 🐠 1000s of rules 🐳
Can scan Live websites πŸ•Έ Phishing kit zips πŸ“¦ Live websites πŸ•Έ
Phishing focused βœ… βœ… ❌
Supports complex conditions βœ… βœ… ❌
Sends out stickers to contributors 🎁 βœ… ❌ ❌

🀝 Contributing

Documentation on how to write a rule is coming soon…

πŸ“ License

This project is ODbL licensed. You’re free to use the rules in your own projects (including commercial ones!) as long as you credit phish.report/IOK as the source.

For more details, read OpenStreetMap’s guidance (who also use the ODbL license).

GitHub

View Github