IOK rules allow you to detect (potential/likely/confirmed) phishing sites by matching on various properties of the website like the text on the page, the cookies set, and the filenames of the assets loaded.
The fields a rule can match on are listed below. Note the difference between html and dom: html is the raw response from the server, while dom is the page after JavaScript has run, so a kit that assembles its login form client-side will only match on dom (and on js).

hostname: The hostname of the site.
  e.g. www.phish.domain

title: The title of the site as shown in a browser. If multiple titles are set (e.g. by JavaScript), this contains all of them.
  e.g. Login | My Bank

html: The contents of the page HTML as returned by the server.
  e.g. <html><head>....</html>

dom: The contents of the page HTML after loading (i.e. after JavaScript has executed and modified the page).
  e.g. <html><head>....</html>

js: Contents of JavaScript from the page (includes inline scripts as well as scripts loaded externally).
  e.g. !function(e,t){"object"==typeof module&&

css: Contents of CSS from the page (includes inline stylesheets as well as externally loaded stylesheets).
  e.g. .redTitle {color: red;}

cookies: Cookies set by the page. Each is in the form cookieName=value.
  e.g. PHPSESSID=el4ukv0kqbvoirg7nkp4dncpk3

headers: Headers sent by the server. Each is in the form Header-Name: value.
  e.g. X-Powered-By: PHP/7.4.33

requests: URLs of requests made by the page (including assets loaded by the page).
  e.g. https://www.phish.domain/css/style.css
```yaml
title: Example rule
description: |
  This should describe what the rule detects.
  You can use markdown syntax
# The level setting determines whether you'll be alerted
# about matches or if this site is just monitored for changes
level: likely_malicious
# This is where your rule logic lives
# It is formed of a set of properties and a condition
detection:
  propertyOne:
    html|contains: "a string"
  propertyTwo:
    requests|endswith: "/logo.png"
  # The condition combines the properties using and/or/not
  condition: propertyOne and not propertyTwo
```
Modifiers are appended to a field name with a pipe (e.g. html|contains):

contains: True if the field contains the string.
startswith: True if the field starts with the string.
endswith: True if the field ends with the string.
all: Requires the field to match all of the provided values, not just one. It is appended after another modifier (e.g. html|contains|all) and takes a list of values.
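To make the rule structure and the modifier semantics above concrete, here is a small evaluator that applies a rule of the shape shown (properties of `field|modifier[|all]` matchers plus a `condition`) to a captured page. This is an added illustration written for this page, not the IOK engine itself, and it fills in two details the page leaves unstated: a list of values without `all` matches if any one value matches, and several matchers inside one property must all match (the same convention Sigma uses for selections). The rule and the two pages are constructed samples, held as Python dicts so the block runs without a YAML parser; the property name `kitFingerprint` and the sample hostnames are hypothetical.

```python
"""Minimal evaluator for IOK-style detection rules (illustrative code,
not the Phish.report IOK engine).

Assumptions beyond what the page states:
  * a value list without |all matches when ANY value matches;
  * all matchers inside one property must match (AND), as in Sigma.
"""
import re

# Page fields are strings (hostname, html, dom, js, css) or lists of
# strings for multi-valued fields (title, cookies, headers, requests).
MODIFIERS = {
    "contains": lambda field, value: value in field,
    "startswith": lambda field, value: field.startswith(value),
    "endswith": lambda field, value: field.endswith(value),
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def match_key(page, key, values):
    """Evaluate one 'field|modifier[|all]: values' matcher against a page."""
    parts = key.split("|")
    if len(parts) < 2 or parts[1] not in MODIFIERS:
        raise ValueError(f"unsupported matcher {key!r}")
    field, op, require_all = parts[0], MODIFIERS[parts[1]], "all" in parts[2:]
    field_values = _as_list(page.get(field, []))
    # For each rule value, does any element of the field satisfy the modifier?
    hits = [any(op(fv, v) for fv in field_values) for v in _as_list(values)]
    return all(hits) if require_all else any(hits)


def match_property(page, prop):
    """All matchers in a property must match (assumed AND, as in Sigma)."""
    return all(match_key(page, k, v) for k, v in prop.items())


_TOKEN = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_]*)")


def tokenize(cond):
    """Split a condition into '(', ')', and/or/not and property names."""
    cond, pos, toks = cond.strip(), 0, []
    while pos < len(cond):
        m = _TOKEN.match(cond, pos)
        if not m:
            raise ValueError(f"bad condition syntax at {cond[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks


class _Parser:
    """Recursive-descent parser: or < and < not, with parentheses."""

    def __init__(self, toks, props):
        self.toks, self.props, self.i = toks, props, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        t = self.peek()
        self.i += 1
        return t

    def expr(self):
        v = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()
            v = v or rhs
        return v

    def term(self):
        v = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            v = v and rhs
        return v

    def factor(self):
        t = self.take()
        if t == "not":
            return not self.factor()
        if t == "(":
            v = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')' in condition")
            return v
        if t not in self.props:  # catches None, stray keywords, unknown names
            raise ValueError(f"condition references unknown property {t!r}")
        return self.props[t]


def evaluate_rule(rule, page):
    """Return True if the page matches the rule's detection logic."""
    detection = rule["detection"]
    props = {name: match_property(page, prop)
             for name, prop in detection.items() if name != "condition"}
    parser = _Parser(tokenize(detection["condition"]), props)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing tokens in condition: {parser.toks[parser.i:]}")
    return result


# Constructed sample rule in the layout documented on this page.
EXAMPLE_RULE = {
    "title": "Example rule",
    "level": "likely_malicious",
    "detection": {
        "propertyOne": {"html|contains": "a string"},
        "propertyTwo": {"requests|endswith": "/logo.png"},
        "kitFingerprint": {  # hypothetical property: both matchers must hold
            "cookies|startswith|all": ["PHPSESSID=", "visited="],
            "headers|startswith": "X-Powered-By: PHP",
        },
        "condition": "(propertyOne or kitFingerprint) and not propertyTwo",
    },
}

# Constructed sample pages (not real sites).
PHISH_PAGE = {
    "hostname": "www.phish.domain",
    "title": ["Login | My Bank"],
    "html": "<html><head><title>Login | My Bank</title></head><body>a string</body></html>",
    "cookies": ["PHPSESSID=el4ukv0kqbvoirg7nkp4dncpk3", "visited=1"],
    "headers": ["X-Powered-By: PHP/7.4.33"],
    "requests": ["https://www.phish.domain/css/style.css",
                 "https://www.phish.domain/img/bank.png"],
}
BENIGN_PAGE = {
    "hostname": "www.example.test",
    "title": ["Welcome"],
    "html": "<html><body>Hello</body></html>",
    "cookies": ["session=abc"],
    "headers": ["Server: nginx"],
    "requests": ["https://www.example.test/static/logo.png"],
}

if __name__ == "__main__":
    print("phish page matches:", evaluate_rule(EXAMPLE_RULE, PHISH_PAGE))
    print("benign page matches:", evaluate_rule(EXAMPLE_RULE, BENIGN_PAGE))
```

The parser deliberately avoids `eval` on the condition string: a rule file is untrusted input to the evaluator, and a three-operator grammar is small enough to hand-write. Note also how `all` changes the cookie matcher: with `cookies|startswith|all` both `PHPSESSID=` and `visited=` must be present, whereas without `all` either one would do.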