OSSEC HIDS Phishing detection rule

This entry was posted on Jun 24 2008

Web hosting admins have always had problems with phishing attacks and attempts, and usually just sit around waiting for an email from the phishing victims’ representatives, the datacentre or the ISP. For reasons I still can’t accept to this day, a certain datacentre in KL, Malaysia, straight away pulls the plug on their client’s server whenever they receive a phishing email notice, and tells their clients to “delete the phishing sites before we plug it back in“. I’ve faced this problem more than twice this year alone, and I’d say it’s stupid. I googled around for phishing detection scripts or similar tools of the trade and couldn’t find any. All that is available on the net are tools for end-users, consumers and businesses. So I decided to mingle around with OSSEC HIDS rules, and created a rule that will detect phishing sites whenever they are accessed via port 80.

The beauty of this being an IDS rule instead of some bash script running from crontab is that the IDS itself will automatically deny the detected IP from accessing the box again. All phishers will definitely try to access their own newly uploaded phishing site at least once, so when that happens, OSSEC HIDS will pick it up, deny the IP and thus block the phisher from doing any more damage. All you need to do is add this new rule to web_rules.xml, at the end of the file but before the </group> closing tag.

<!-- Child of rule 31100, OSSEC's base rule for web access-log events; fires on the requested URL. -->
<rule id="31190" level="12">
<if_sid>31100</if_sid>
<!-- OSSEC concatenates repeated <url> tags; the trailing '|' keeps the two lines one alternation. -->
<url>paypal.co|hsbc.co|citibank.co|ebay.co|barclays|amazon.co|</url>
<url>verizon.net|lloyds.com|maybank2u|maybank|e-gold.com</url>
<description>Phishing sites detected. System check advisable.</description>
<group>attack,</group>
</rule>

Now restart OSSEC and it should pick up sites matching the <url></url> keywords set. Keep in mind that the keywords above are just a few of the popular sites that are usually targeted. You’re free to add or remove keywords as per your needs. Also, if you set OSSEC to email alerts to your mailbox, you’ll get these whenever it detects a phishing site:

OSSEC HIDS Notification.
2008 Jun 24 01:34:22

Received From: culprits->/var/log/apache2/evil-access.log
Rule: 31190 fired (level 12) -> "Phishing?"
Portion of the log(s):

xx.xx.xx.xx - - [24/Jun/2008:01:34:20 -0400] "GET /paypal.com/ HTTP/1.1" 200 7 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"

--END OF NOTIFICATION

OSSEC HIDS: www.ossec.net
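To see what the rule actually keys on before you tune the keyword list, here is an added stand-alone script (not part of the post or of OSSEC) that replays the rule’s <url> alternation over Apache combined-log lines the way OSSEC would: it joins the two <url> tags, treats each piece as a case-insensitive substring match (an assumption about OSSEC’s matching, not taken from the post), reports which keyword fired, and flags keywords that are shadowed by a shorter one such as maybank2u by maybank. The log lines are the post’s own sample plus two constructed ones.

```python
import re

# The <url> content from rule 31190, concatenated as OSSEC joins repeated
# <url> tags; the trailing '|' on the first tag makes it one alternation.
RULE_URL = ("paypal.co|hsbc.co|citibank.co|ebay.co|barclays|amazon.co|"
            "verizon.net|lloyds.com|maybank2u|maybank|e-gold.com")

# Apache combined log: the request field is "METHOD URL PROTO" in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def url_keywords(pattern):
    # Split the OSSEC alternation into plain keywords, dropping empty pieces.
    return [k for k in pattern.split("|") if k]

def rule_matches(url, keywords):
    # Assumption: <url> is a plain substring match, case-insensitive.
    u = url.lower()
    return [k for k in keywords if k.lower() in u]

def scan_access_log(lines, pattern=RULE_URL):
    # Return one alert dict per log line whose URL hits the rule.
    keywords = url_keywords(pattern)
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log request line; OSSEC would not decode it here
        hits = rule_matches(m.group("url"), keywords)
        if hits:
            alerts.append({"ip": m.group("ip"), "url": m.group("url"), "matched": hits})
    return alerts

def redundant_keywords(keywords):
    # A keyword containing another keyword can never be the only reason the
    # rule fires (e.g. 'maybank2u' is covered by 'maybank'); useful when tuning.
    return [k for k in keywords if any(o != k and o in k for o in keywords)]

# Sample input: the post's own log line, then two constructed lines (benign, mixed case).
SAMPLE_LOG = [
    'xx.xx.xx.xx - - [24/Jun/2008:01:34:20 -0400] "GET /paypal.com/ HTTP/1.1" 200 7 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [24/Jun/2008:02:00:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.18"',
    '198.51.100.9 - - [24/Jun/2008:02:05:00 -0400] "GET /secure/MayBank2U.com/login.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_LOG):
        print(f"rule 31190 would fire: {a['ip']} {a['url']} via {a['matched']}")
    print("shadowed keywords:", redundant_keywords(url_keywords(RULE_URL)))
```

The script only reproduces the matching step; whether the source IP is then blocked depends on the active-response settings in your ossec.conf, which the rule itself does not control.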

Cheers :)
– aphesz
