phish-analysis

https://github.com/initconf/phish-analysis
3 9 6 0 Last Push 9/13/17, 6:38 AM

Phishing detection package for Bro: this package implements the technology defined in : https://people.eecs.berkeley.edu/~grantho/papers/usenix2017-spearphish.pdf

The bro package works primarily using postgres as backend where it creates and maintains reputation data. Postgres is helpful in preserving states across BRO restarts. For postgres backend support you'd need to install bro-postgresql package from: https://github.com/0xxon/bro-postgresql.git

However, you can run this without postgres support. In that case, there will be limitation on how many URLs you can store in memory and keep track of. Historically we can keep up to 300-500K URLs without much problems.

For customization specific to your site/need please see: scripts/configure-variables-in-this-file.bro

Contact : Aashish Sharma, asharma@lbl.gov if you have further questions/interests

Package Version :

Description :

Suite of smtp related policies includes extracting and logging URLs from emails and various smtp anomaly detection heuristics to help flag phishing emails

Script Dir :

scripts

Test Command :

( cd tests && btest -d )

Tags :

smtp, phish, urls, emails