# config/suspicious_rules.yaml
# Baseline suspicious rules for SneakyScope
# Organized by category: script, form, text
# Notes:
# - Engine compiles regex with IGNORECASE.
# - 'severity' is optional: low | medium | high
# - 'tags' is optional: list of strings for grouping

# --- Script Rules ---
- name: eval_usage
  description: "Use of eval() in script"
  category: script
  type: regex
  pattern: '\beval\s*\('
  severity: high
  tags: [obfuscation, unsafe-eval]

- name: new_function_usage
  description: "Use of Function constructor (new Function)"
  category: script
  type: regex
  pattern: '\bnew\s+Function\s*\('
  severity: high
  tags: [obfuscation]

- name: document_write
  description: "Use of document.write (often abused in malicious injections)"
  category: script
  type: regex
  pattern: '\bdocument\s*\.\s*write\s*\('
  severity: medium
  tags: [injection, legacy-api]

- name: inline_event_handler
  description: "Inline event handler detected (onload, onclick, etc.)"
  category: script
  type: regex
  pattern: '\bon(load|click|error|mouseover|mouseenter|submit|keydown|keyup|change)\s*='
  severity: medium
  tags: [inline-handlers, potential-xss]

- name: obfuscated_encoding
  description: "Suspicious use of atob()/btoa() (base64 encode/decode)"
  category: script
  type: regex
  pattern: '\b(atob|btoa)\s*\('
  severity: medium
  tags: [encoding, obfuscation]

- name: unescape_usage
  description: "Use of unescape() (legacy/obfuscation)"
  category: script
  type: regex
  pattern: '\bunescape\s*\('
  severity: low
  tags: [legacy-api, obfuscation]

- name: string_timer_usage
  description: "String passed to setTimeout/setInterval (sink for XSS)"
  category: script
  type: regex
  pattern: '\bset(?:Timeout|Interval)\s*\(\s*[''"`].+[''"`]\s*,'
  severity: medium
  tags: [xss-sink]

- name: long_hex_constants
  description: "Long hex-like constants (possible obfuscation)"
  category: script
  type: regex
  pattern: '["'']?0x[0-9a-fA-F]{16,}["'']?'
  severity: low
  tags: [obfuscation]

# --- Form Rules ---
- name: suspicious_form_action_absolute
  description: "Form action uses absolute URL (potential credential exfiltration)"
  category: form
  type: regex
  pattern: '<form\b[^>]*\baction\s*=\s*[''"]https?://'
  severity: medium
  tags: [exfiltration, form]

- name: hidden_inputs
  description: "Form with hidden inputs (could be used to smuggle data)"
  category: form
  type: regex
  pattern: '<input\b[^>]*\btype\s*=\s*[''"]hidden[''"]'
  severity: low
  tags: [stealth, form]

- name: password_field
  description: "Form requests a password field"
  category: form
  type: regex
  pattern: '<input\b[^>]*\btype\s*=\s*[''"]password[''"]'
  severity: high
  tags: [credentials, form]

# --- Text Rules (Social Engineering / BEC) ---
- name: urgent_request
  description: "Language suggesting urgency (common in phishing/BEC)"
  category: text
  type: regex
  pattern: '\b(urgent|immediately|asap|action\s*required|verify\s*now)\b'
  severity: medium
  tags: [bec, urgency]

- name: account_suspension
  description: "Threat of account suspension/closure"
  category: text
  type: regex
  pattern: '\b(account\s*(suspend|closure|close)|verify\s*account)\b'
  severity: medium
  tags: [bec, scare-tactics]

- name: financial_request
  description: "Request for gift cards, wire transfer, or money"
  category: text
  type: regex
  pattern: '\b(gift\s*card|wire\s*transfer|bank\s*account|bitcoin|crypto|payment\s*required)\b'
  severity: high
  tags: [bec, financial]

- name: credential_reset
  description: "Password reset or credential reset wording"
  category: text
  type: regex
  pattern: '\b(reset\s*password|update\s*credentials|log\s*in\s*to\s*verify|password\s*expiry)\b'
  severity: medium
  tags: [bec, credentials]

- name: suspicious_iframe
  description: "Iframe tag present (possible phishing/malvertising/drive-by)"
  category: text
  type: regex
  pattern: '<iframe\b[^>]*\bsrc\s*=\s*[''"][^''"]+[''"]'
  severity: medium
  tags: [iframe, phishing, malvertising]