first commit

app/config/bec_words.yaml

@@ -0,0 +1,5 @@
+words:
+  - "reset password"
+  - "open document"
+  - "view document"
+  - "verify account"

app/config/settings.yaml

@@ -0,0 +1,9 @@
+app:
+  name: SneakyScope
+  version_major: 0
+  version_minor: 1
+
+cache:
+  recent_runs_count: 10
+  whois_cache_days: 7
+  geoip_cache_days: 7

app/config/suspicious_rules.yaml

@@ -0,0 +1,80 @@
+# config/suspicious_rules.yaml
+# Baseline suspicious rules for SneakyScope
+# Organized by category: script, form, text
+# Extend these with more specific rules as needed
+
+# --- Script Rules ---
+- name: eval_usage
+  description: "Use of eval() in script"
+  category: script
+  type: regex
+  pattern: "\\beval\\("
+
+- name: document_write
+  description: "Use of document.write (often abused in malicious injections)"
+  category: script
+  type: regex
+  pattern: "document\\.write\\("
+
+- name: inline_event_handler
+  description: "Inline event handler detected (onload, onclick, etc.)"
+  category: script
+  type: regex
+  pattern: "on(load|click|error|mouseover|keydown)\\s*="
+
+- name: obfuscated_encoding
+  description: "Suspicious use of atob() or btoa() (base64 encoding/decoding)"
+  category: script
+  type: regex
+  pattern: "\\b(atob|btoa)\\("
+
+- name: suspicious_iframe
+  description: "Iframe usage in script (possible phishing/malvertising)"
+  category: script
+  type: regex
+  pattern: "<iframe[^>]*>"
+
+# --- Form Rules ---
+- name: suspicious_form_action
+  description: "Form action with external URL (potential credential exfiltration)"
+  category: form
+  type: regex
+  pattern: "<form[^>]*action=['\"]http"
+
+- name: hidden_inputs
+  description: "Form with hidden inputs (possible credential harvesting)"
+  category: form
+  type: regex
+  pattern: "<input[^>]*type=['\"]hidden"
+
+- name: password_field
+  description: "Form requesting password field"
+  category: form
+  type: regex
+  pattern: "<input[^>]*type=['\"]password"
+
+# --- Text Rules (Social Engineering / BEC) ---
+- name: urgent_request
+  description: "Language suggesting urgency (common in phishing/BEC)"
+  category: text
+  type: regex
+  pattern: "(urgent|immediately|asap|action required)"
+
+- name: account_suspension
+  description: "Threat of account suspension/closure"
+  category: text
+  type: regex
+  pattern: "(account.*suspend|account.*close|verify.*account)"
+
+- name: financial_request
+  description: "Request for gift cards, wire transfer, or money"
+  category: text
+  type: regex
+  pattern: "(gift card|wire transfer|bank account|bitcoin|payment required)"
+
+- name: credential_reset
+  description: "Password reset or credential reset wording"
+  category: text
+  type: regex
+  pattern: "(reset password|update credentials|login to verify)"
+