81 lines
2.3 KiB
YAML
81 lines
2.3 KiB
YAML
# config/suspicious_rules.yaml
|
|
# Baseline suspicious rules for SneakyScope
|
|
# Organized by category: script, form, text
|
|
# Extend these with more specific rules as needed
|
|
|
|
# --- Script Rules ---
|
|
- name: eval_usage
|
|
description: "Use of eval() in script"
|
|
category: script
|
|
type: regex
|
|
pattern: "\\beval\\("
|
|
|
|
- name: document_write
|
|
description: "Use of document.write (often abused in malicious injections)"
|
|
category: script
|
|
type: regex
|
|
pattern: "document\\.write\\("
|
|
|
|
- name: inline_event_handler
|
|
description: "Inline event handler detected (onload, onclick, etc.)"
|
|
category: script
|
|
type: regex
|
|
pattern: "on(load|click|error|mouseover|keydown)\\s*="
|
|
|
|
- name: obfuscated_encoding
|
|
description: "Suspicious use of atob() or btoa() (base64 encoding/decoding)"
|
|
category: script
|
|
type: regex
|
|
pattern: "\\b(atob|btoa)\\("
|
|
|
|
- name: suspicious_iframe
|
|
description: "Iframe usage in script (possible phishing/malvertising)"
|
|
category: script
|
|
type: regex
|
|
pattern: "<iframe[^>]*>"
|
|
|
|
# --- Form Rules ---
|
|
- name: suspicious_form_action
|
|
description: "Form action with external URL (potential credential exfiltration)"
|
|
category: form
|
|
type: regex
|
|
pattern: "<form[^>]*action=['\"]http"
|
|
|
|
- name: hidden_inputs
|
|
description: "Form with hidden inputs (possible credential harvesting)"
|
|
category: form
|
|
type: regex
|
|
pattern: "<input[^>]*type=['\"]hidden"
|
|
|
|
- name: password_field
|
|
description: "Form requesting password field"
|
|
category: form
|
|
type: regex
|
|
pattern: "<input[^>]*type=['\"]password"
|
|
|
|
# --- Text Rules (Social Engineering / BEC) ---
|
|
- name: urgent_request
|
|
description: "Language suggesting urgency (common in phishing/BEC)"
|
|
category: text
|
|
type: regex
|
|
pattern: "(urgent|immediately|asap|action required)"
|
|
|
|
- name: account_suspension
|
|
description: "Threat of account suspension/closure"
|
|
category: text
|
|
type: regex
|
|
pattern: "(account.*suspend|account.*close|verify.*account)"
|
|
|
|
- name: financial_request
|
|
description: "Request for gift cards, wire transfer, or money"
|
|
category: text
|
|
type: regex
|
|
pattern: "(gift card|wire transfer|bank account|bitcoin|payment required)"
|
|
|
|
- name: credential_reset
|
|
description: "Password reset or credential reset wording"
|
|
category: text
|
|
type: regex
|
|
pattern: "(reset password|update credentials|login to verify)"
|
|
|