curben
/
phishing-filter
mirror of https://gitlab.com/malware-filter/phishing-filter
1
0
Fork 0
Code Issues Releases Wiki Activity

fix(ids): include query string

This commit is contained in:
MDLeom 2025-03-19 10:13:54 +00:00
parent e4002c1110
commit 5b432df69c
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/ids.js
View File

@ -34,13 +34,14 @@ for await (const domain of domains.readLines()) {
for await (const line of urls.readLines()) {
const url = new URL(`http://${line}`)
const { hostname } = url
let pathname = url.pathname.replace(';', '\\;')
snort2.write(`alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"phishing-filter phishing website detected"; flow:established,from_client; content:"GET"; http_method; content:"${pathname.substring(0, 2048)}"; http_uri; nocase; content:"${hostname}"; content:"Host"; http_header; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
snort3.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; http_header:field host; content:"${hostname}",nocase; http_uri; content:"${pathname}",nocase; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
suricata.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"${pathname}"; endswith; nocase; http.host; content:"${hostname}"; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
pathname = url.pathname
splunk.write(`"${hostname}","${pathname}","phishing-filter phishing website detected","${process.env.CURRENT_TIME}"\n`)
const { hostname, pathname, search } = url
const pathEscape = pathname.replaceAll(';', '\\;') + search
const path = pathname + search
snort2.write(`alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443] (msg:"phishing-filter phishing website detected"; flow:established,from_client; content:"GET"; http_method; content:"${pathEscape.substring(0, 2048)}"; http_uri; nocase; content:"${hostname}"; content:"Host"; http_header; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
snort3.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; http_header:field host; content:"${hostname}",nocase; http_uri; content:"${pathEscape}",nocase; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
suricata.write(`alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"phishing-filter phishing website detected"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"${pathEscape}"; endswith; nocase; http.host; content:"${hostname}"; classtype:attempted-recon; sid:${sid}; rev:1;)\n`)
splunk.write(`"${hostname}","${path}","phishing-filter phishing website detected","${process.env.CURRENT_TIME}"\n`)
sid++
}