How to write an IOK rule

What is an IOK rule?

IOK ("Indicator of Kit") is a small, open source language designed for detecting and classifying phishing sites. It's based on Sigma, but adapted for analysis of websites, rather than security logs.

The structure of an IOK rule

An IOK rule looks like this:

title: Fake Chrome error page
description: |
    The Chrome error page HTML is built into the browser: you should never see it in the response from a
    website.
    This is a clear sign that the site is employing cloaking/anti-analysis techniques.
level: likely_malicious
references:
    - https://twitter.com/phish_report/status/1537825544343011328

detection:
    chromeHTMLFragments:
        html|contains|all:
            - '<body id="t" class="neterror" style="font-family: '
            - '<div id="main-frame-error" class="interstitial-wrapper" jstcache="0">'
    condition: chromeHTMLFragments

tags:
  - anti-analysis

And can be broken down into three main sections.

Title and Description

A rule starts with some commentary to help you and your team understand what a rule detects. This commentary includes:

  • A short title (which will appear in places like the analysis page of a site that matches this rule)
  • A longer description where you can document, for example, what you know about the phishing kit this rule detects
  • A level denoting the severity of this rule. This value determines what actions Phish Report takes automatically when a rule matches a website.
  • A list of references where you can link to relevant scans of this phishing kit, your own internal documentation, or public analysis of this threat actor.

You can also include arbitrary additional data in this section. For example, if you wanted to document when you first observed a particular phishing kit, you could add your own field to do so:

first_seen: 2023-01-05

However, this field will not be interpreted by Phish Report.

Detection logic

The detection of an IOK rule consists of a set of named properties, and a condition which is a boolean expression containing the named properties. How to write this logic is described below.

Additional metadata

At the bottom of a rule comes some additional metadata to help Phish Report categorise your rule. Currently, only a tags field is supported.

The tags field is a list of text tags. Arbitrary values are supported but a few special formats are interpreted:

  • threat_actor.<name> will mark a rule as detecting the named threat actor.
  • target.<brand> marks a rule as detecting the named brand.

On this page