Filtering false positives

title: Filtering false positives
description: |
    In the previous lesson we found a large number of Facebook phishing sites.
    But our results were full of 404 pages from scans *after* the site had been suspended.
    In this lesson we'll see how to use multiple properties to filter down results to just the malicious sites.
level: likely_malicious
detection:
    generatedDomainName:
        hostname|re: invoice-[0-9a-f]+\.web\.app

    firebase404:
        # We can use the `html` field to match on the contents of the web page.
        # Checking for the string "Site Not Found" will match the Firebase 404 page
        # which is seen in scans that occur after the site has already been suspended
        html|contains: "Site Not Found"
        # (the `title` field would work equally well in this case)

    # You write conditions using the properties you've defined in the `detection` section,
    # combining them with logical keywords e.g.
    #   A and B   (both A and B must be true)
    #   A or B    (either A or B must be true)
    #   not A     (A must be false)
    #
    # For complex examples, brackets can be used e.g. A and (B or C) and D
    #
    # 🤔 write a condition so that it excludes pages matching `firebase404`
    condition: generatedDomainName

Quick Reference

IOK rules allow you to detect (potential/likely/confirmed) phishing sites by matching on various properties of the website like the text on the page, the cookies set, and the filenames of the assets loaded.

Fields

  • Hostname (hostname)
    Type: string
    Description: The hostname of the site.
    e.g. www.phish.domain

  • Title (title)
    Type: string list
    Description: The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains all of them.
    e.g. Login | My Bank

  • HTML (html)
    Type: string
    Description: The contents of the page HTML (as returned by the server).
    e.g. <html><head>....</html>

  • DOM (dom)
    Type: string
    Description: The contents of the page HTML after loading (e.g. after JavaScript has executed and modified the page).
    e.g. <html><head>....</html>

  • JS (js)
    Type: string list
    Description: Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally).
    e.g. !function(e,t){"object"==typeof module&&

  • CSS (css)
    Type: string list
    Description: Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets).
    e.g. .redTitle {color: red;}

  • Cookies (cookies)
    Type: string list
    Description: Cookies from the page. Each is in the form cookieName=value.
    e.g. PHPSESSID=el4ukv0kqbvoirg7nkp4dncpk3

  • Headers (headers)
    Type: string list
    Description: Headers sent by the server. Each is in the form Header-Name: value.
    e.g. X-Powered-By: PHP/7.4.33

  • Requests (requests)
    Type: string list
    Description: URLs of requests made by the page (and assets loaded by the page).
    e.g. https://www.phish.domain/css/style.css

title: Example rule
description: |
    This should describe what the rule detects.
    You can use markdown syntax

# The level setting determines whether you'll be alerted
# about matches or if this site is just monitored for changes
level: likely_malicious

# This is where your rule logic lives
# It is formed of a set of properties and a condition
detection:
    propertyOne:
        html|contains: "a string"

    propertyTwo:
        requests|endswith: "/logo.png"

    # The condition combines the properties using and/or/not
    condition: propertyOne and not propertyTwo

Modifiers

  • contains
    Description: True if the field contains the string.

  • startswith
    Description: True if the field starts with the string.

  • endswith
    Description: True if the field ends with the string.

  • all
    Description: Requires that this matches all provided values, not just one.
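To make the field/modifier/condition model concrete, here is a small added Python evaluator (not the IOK engine's own code) that loads the lesson's rule, resolves each `field|modifier: value` property against a scan, and combines the results with the `and`/`or`/`not` condition, including brackets. The `RULE`, `LIVE` and `SUSPENDED` values are constructed for the example, and the rule that selectors inside one property are ANDed is an assumption.

```python
import ast
import re

# Constructed rule: the lesson's YAML as a YAML loader would load it, with the condition the exercise asks for.
RULE = {"detection": {
    "generatedDomainName": {"hostname|re": r"invoice-[0-9a-f]+\.web\.app"},
    "firebase404": {"html|contains": "Site Not Found"},
    "condition": "generatedDomainName and not firebase404",
}}

MODIFIERS = {
    "contains": lambda v, s: s in v,
    "startswith": lambda v, s: v.startswith(s),
    "endswith": lambda v, s: v.endswith(s),
    "re": lambda v, s: re.search(s, v) is not None,
}

def selector_matches(scan, key, value):
    # One `field|modifier: value` line. Assumed: a list field matches if any element does.
    field, *mods = key.split("|")
    fn = MODIFIERS[mods[0]]
    field_values = scan.get(field, [])
    if isinstance(field_values, str):
        field_values = [field_values]
    return any(fn(fv, value) for fv in field_values)

def property_matches(scan, selectors):
    # Assumed: every selector inside one property must match (logical AND).
    return all(selector_matches(scan, k, v) for k, v in selectors.items())

def eval_condition(cond, props):
    # and/or/not with brackets share Python's expression syntax, so walk the
    # parsed AST and resolve names to property results; nothing is executed.
    def walk(node):
        if isinstance(node, ast.BoolOp):
            combine = all if isinstance(node.op, ast.And) else any
            return combine(walk(v) for v in node.values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        if isinstance(node, ast.Name):
            return props[node.id]
        raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")
    return walk(ast.parse(cond, mode="eval").body)
def rule_matches(rule, scan):
    det = rule["detection"]
    props = {n: property_matches(scan, s) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], props)
# Constructed scans: the live phishing page, and the same host after suspension.
LIVE = {"hostname": "invoice-3f9a1c.web.app", "html": "<html><title>Log in</title>"}
SUSPENDED = {"hostname": "invoice-3f9a1c.web.app", "html": "<h1>Site Not Found</h1>"}
```

With the `and not firebase404` condition, `rule_matches(RULE, LIVE)` is True while `rule_matches(RULE, SUSPENDED)` is False, which is exactly the false-positive filtering the lesson asks for.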