first commit
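--- a/app/config/suspicious_rules.yaml
+++ b/app/config/suspicious_rules.yaml
@@ -0,0 +1,80 @@
+# config/suspicious_rules.yaml
+# Baseline suspicious rules for SneakyScope
+# Organized by category: script, form, text
+# Extend these with more specific rules as needed
+
+# --- Script Rules ---
+- name: eval_usage
+  description: "Use of eval() in script"
+  category: script
+  type: regex
+  pattern: "\\beval\\("
+
+- name: document_write
+  description: "Use of document.write (often abused in malicious injections)"
+  category: script
+  type: regex
+  pattern: "document\\.write\\("
+
+- name: inline_event_handler
+  description: "Inline event handler detected (onload, onclick, etc.)"
+  category: script
+  type: regex
+  pattern: "on(load|click|error|mouseover|keydown)\\s*="
+
+- name: obfuscated_encoding
+  description: "Suspicious use of atob() or btoa() (base64 encoding/decoding)"
+  category: script
+  type: regex
+  pattern: "\\b(atob|btoa)\\("
+
+- name: suspicious_iframe
+  description: "Iframe usage in script (possible phishing/malvertising)"
+  category: script
+  type: regex
+  pattern: "<iframe[^>]*>"
+
+# --- Form Rules ---
+- name: suspicious_form_action
+  description: "Form action with external URL (potential credential exfiltration)"
+  category: form
+  type: regex
+  pattern: "<form[^>]*action=['\"]http"
+
+- name: hidden_inputs
+  description: "Form with hidden inputs (possible credential harvesting)"
+  category: form
+  type: regex
+  pattern: "<input[^>]*type=['\"]hidden"
+
+- name: password_field
+  description: "Form requesting password field"
+  category: form
+  type: regex
+  pattern: "<input[^>]*type=['\"]password"
+
+# --- Text Rules (Social Engineering / BEC) ---
+- name: urgent_request
+  description: "Language suggesting urgency (common in phishing/BEC)"
+  category: text
+  type: regex
+  pattern: "(urgent|immediately|asap|action required)"
+
+- name: account_suspension
+  description: "Threat of account suspension/closure"
+  category: text
+  type: regex
+  pattern: "(account.*suspend|account.*close|verify.*account)"
+
+- name: financial_request
+  description: "Request for gift cards, wire transfer, or money"
+  category: text
+  type: regex
+  pattern: "(gift card|wire transfer|bank account|bitcoin|payment required)"
+
+- name: credential_reset
+  description: "Password reset or credential reset wording"
+  category: text
+  type: regex
+  pattern: "(reset password|update credentials|login to verify)"
+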
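Review bot: The text-category patterns (`urgent_request`, `account_suspension`, `financial_request`, `credential_reset`) are written in lowercase only, so unless the loader compiles them with an ignore-case flag they will miss "URGENT", "Action Required" or "Reset Password", which is how this wording usually appears in the body and subject of phishing mail; nothing in the file records which flags or regex dialect the consumer applies. Either prefix each text pattern with the inline flag, e.g. `pattern: "(?i)(urgent|immediately|asap|action required)"`, or document the loader's flags in the header comment: `# Patterns are Python-style regexes; state here whether they are compiled case-insensitively`. The `inline_event_handler` pattern has no leading word boundary and covers only five handler names, so a broader `pattern: "\\bon\\w+\\s*="` would catch the remaining handlers (onfocus, onmouseenter, onsubmit, ...) with fewer false negatives at the cost of a few more hits to triage. A `---` document-start marker at the top would also keep yamllint quiet on this file.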