YARA Netloc vs IOK (open source)

What is VirusTotal's YARA Netloc extension?

Netloc is a proprietary extension to YARA, introduced by VirusTotal, that extends the entities YARA supports from traditional files to network infrastructure: domains, URLs and IP addresses. It adds a new .net attribute for these network-related entities.

A YARA rule using the Netloc extension looks like this:

import "vt"

rule LilithBot {
  condition:
    vt.net.url.url matches /\/gate\/.{60}\/registerBot/ or
    vt.net.url.url matches /\/gate\/.{60}\/getFile\?name=admin_settings_plugin\.json/ or
    vt.net.url.url matches /\/gate\/.{60}\/uploadFile\?name/
}

What is IOK (Indicator Of Kit)?

IOK ("Indicator of Kit") is a small, open source language designed for detecting and classifying phishing sites. It's based on Sigma, but adapted for analysis of websites, rather than security logs.

An equivalent IOK rule to the LilithBot Netloc example would look like this:

title: LilithBot
detection:
  urlPattern:
    requests|re:
      - /gate/.{60}/registerBot
      - /gate/.{60}/getFile\?name=admin_settings_plugin\.json
      - /gate/.{60}/uploadFile\?name

  condition: urlPattern
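
The following added example (not part of IOK or VirusTotal, and not their matching engines) checks the three LilithBot patterns against constructed request URLs before a rule is deployed. It assumes `requests` is the list of URLs a page requested, that a list of patterns is OR'ed as in Sigma, and that matching is unanchored; the hostnames and tokens are made up.

```python
import re

# The LilithBot rule from above, written out as a Python dict.
LILITHBOT_RULE = {
    "title": "LilithBot",
    "detection": {
        "urlPattern": {
            "requests|re": [
                r"/gate/.{60}/registerBot",
                r"/gate/.{60}/getFile\?name=admin_settings_plugin\.json",
                r"/gate/.{60}/uploadFile\?name",
            ]
        },
        "condition": "urlPattern",
    },
}


def selection_matches(selection, page):
    """Sigma-style selection: every field must match (AND); any listed
    pattern on any observed value satisfies a field (OR)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "re":
            raise ValueError(f"modifier not handled in this sketch: {modifier!r}")
        values = page.get(field, [])
        # Unanchored search: the pattern may match anywhere in the URL.
        if not any(re.search(p, v) for p in patterns for v in values):
            return False
    return True


def rule_matches(rule, page):
    """Handles only a condition that names a single selection."""
    detection = rule["detection"]
    return selection_matches(detection[detection["condition"]], page)


# Constructed sample pages on a placeholder host.
GATE = "https://c2.example/gate/"
HIT = {"requests": ["https://c2.example/app.js", GATE + "a" * 60 + "/registerBot"]}
SHORT_TOKEN = {"requests": [GATE + "a" * 59 + "/registerBot"]}
# `.` also matches "/", so two path segments totalling 60 characters still match.
SLASHED = {"requests": [GATE + "a" * 30 + "/" + "b" * 29 + "/registerBot"]}

if __name__ == "__main__":
    for name, page in [("hit", HIT), ("short", SHORT_TOKEN), ("slashed", SLASHED)]:
        print(name, rule_matches(LILITHBOT_RULE, page))
```

The `SLASHED` case shows that `.{60}` is looser than "a 60-character token"; a character class that excludes `/` would tighten it if the token format is known.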

Netloc vs IOK

Language

Netloc is an extension to YARA, so rules must be written in YARA. IOK is based on the open source Sigma detection language, which uses YAML.

Until VirusTotal released Netloc, YARA rules could only be used to analyse files, so experience with YARA was limited to malware analysts.

On the other hand, YAML is used as a configuration language by a wide range of tools, so many people are already familiar with it. Sigma (a dialect of YAML) is an extremely popular detection rules language, so it is familiar to a much wider range of people working in security than YARA is.

Capabilities

Netloc supports matching on a far wider array of webpage attributes than IOK (approximately fifty different fields in Netloc vs ten in IOK). For example, Netloc allows you to write rules based on:

  • Favicon hash
  • Outgoing links from the webpage
  • The HTTPS certificate issuer

None of these are currently supported in IOK. However, because IOK is an open source project, support for all of these attributes could be added in future.

Netloc fields: https://developers.virustotal.com/docs/nethunt#url-metadata
IOK fields: https://github.com/phish-report/IOK#-creating-indicators

Availability

Netloc is a proprietary extension to YARA which can only be used on VirusTotal's Livehunt platform (which requires an enterprise subscription).

In contrast, IOK rules can be used in several ways (including free ones):

When to use IOK

IOK is a good alternative to Netloc when:

  • You want to detect malicious behavior in web pages (but don't need to match files which might request those webpages)
  • You want to be able to run rules yourself
  • You don't have a VirusTotal enterprise subscription