Omenix.Org » hids http://www.omenix.org My crime is that of curiosity Mon, 06 Feb 2012 19:02:18 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 OSSEC HIDS Phishing detection rule http://www.omenix.org/ossec-hids-phishing-detection-rule/ http://www.omenix.org/ossec-hids-phishing-detection-rule/#comments Tue, 24 Jun 2008 09:28:50 +0000 omen http://www.omenix.org/?p=263 Kudos to aphesz for making the rules. Well basically the rules is to send an email to admin especially for webhosters admin a notification about which site is under phishing attack. Below are the rules that you need to put in web_rules.xml at the end of file but before </group> closing tag.

<rule id=”31190″ level=”12″>
<if_sid>31100</if_sid>
<url>paypal.co|hsbc.co|citibank.co|ebay.co|barclays|amazon.co|</url>
<url>verizon.net|lloyds.com|maybank2u|maybank|e-gold.com</url>
<description>Phishing sites detected. System check advisable.</description>
<group>attack,</group>
</rule>

Now restart OSSEC and it should be picking up sites according to the keywords set. Keep in mind that the keywords above are just among the few popular sites that are usually being targeted. You’re free to add/remove those keywords as per your needs. Also, if you set OSSEC to email alerts to your mailbox, you’ll be getting these whenever it detects a phishing site. The best part is if you have APF to work along together. It will block who are trying visit the phising site. Usually the uploader of phishing site will get blocked because they want to check if their scripts is working or not ;)

]]> http://www.omenix.org/ossec-hids-phishing-detection-rule/feed/ 0