Phishing Lua Parser Options File
Caution: RSA strongly suggests that you do not subscribe to the options file. Subsequent downloads of this file will overwrite all changes that you have made to the file.
Note the following:
- If you deploy the options file, it can be found in the same directory as parsers:
- The parser is not dependent upon the options file. The parser will load and run even in the absence of the options file. The options file is only required if you need to change the default settings.
- If you do not have an options file (or if your options file is invalid), the parser uses the default settings.
Note: The parser will never use both the defaults and customized options. If the options file exists and its contents can be loaded, then the defaults will not be used at all.
The phishing_lua_options file contains the following options for controlling the parser:
Deduplicate Host Registration
Check Host Consistency
Register URL Components
Register Entire URL
To change an option from false to true, edit the line inside the corresponding function, from
And similarly to go from true to false.
Note: Modifying any of these options requires a service restart to take effect; a simple parser reload is insufficient.
Deduplicate Host Registration
Name: deduplicate. Default value: true
By default, if the same host portion appears in multiple HREFs within a session, it will only be registered once for that session.
If this option is disabled, then the host portion of an HREF will be registered each time it is seen, regardless of whether it has already been registered previously for that session.
Note that this option only affects the behavior of this parser. A host may still be registered by another parser. This option has no effect on the Check Host Consistency option.
Check Host Consistency
Name: hostCheck. Default value: true
Compares the host portions of all URLs found within an HREF. If the host portion is a hostname, then only the domain portion is compared. If the host portion is an IP address, the entire IP is compared.
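The comparison rule described above, sketched in Python as an added illustration; this is not the parser's own Lua code. It assumes the URLs of one HREF have already been extracted, treats the "domain portion" as the last two labels of the hostname, and models the Whitelist Domain option described in the next section as a host filter. The function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit


def host_of(url):
    """Host portion of a URL; scheme-less URLs are accepted."""
    return urlsplit(url if "://" in url else "//" + url).hostname


def comparison_key(host):
    """Value that is compared: the entire IP, or the domain portion of a hostname."""
    try:
        return str(ipaddress.ip_address(host))  # IP address: compare the whole address
    except ValueError:
        # Assumption: domain portion = last two labels (not public-suffix aware).
        return ".".join(host.rstrip(".").split(".")[-2:])


def hosts_inconsistent(urls, whitelist_domain=None):
    """True when the URLs of one HREF point at more than one domain or IP."""
    wl = whitelist_domain.lower() if whitelist_domain else None
    keys = set()
    for url in urls:
        host = host_of(url)
        if not host:
            continue
        # Assumption: a whitelisted domain and its subdomains are left out of the check.
        if wl and (host == wl or host.endswith("." + wl)):
            continue
        keys.add(comparison_key(host))
    return len(keys) > 1


if __name__ == "__main__":
    # Constructed sample HREFs: (URLs found in the HREF, whitelist domain)
    samples = [
        (["http://www.example.com/a", "https://mail.example.com/b"], None),
        (["http://www.example.com/login", "http://192.0.2.10/login"], None),
        (["https://rewrite.example.com/?u=1", "http://bank.example.net/"], "example.com"),
    ]
    for urls, wl in samples:
        print(hosts_inconsistent(urls, wl), urls, "whitelist:", wl)
```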
Whitelist Domain
Name: whitelistDomain. Has no default value.
Intended for sites that rewrite HREFs in email messages. For example:
This option accepts a domain to exclude from consistency checking. The domain must be enclosed in quotes, such as "example.com".
Note that in the following example, an alert will still be registered even if "example.com" is whitelisted:
Register URL Components
Name: urlComponents. Default value: false.
Warning: Do not enable this option if you are enabling the Register Entire URL (registerURL) option.
In addition to host meta, this option registers the components of each URL found. For example, assume the following URL: http://www.example.com/directory/filename.ext?p=foo%3Dbar.
This registers the following meta:
- directory: directory
- filename: filename.ext
- extension: ext
- query: p=foo%3Dbar
No deduplication of components (other than host) is performed, even if the option Deduplicate Host Registration is enabled.
Register Entire URL
Name: registerUrl. Default value: false.
Warning: URLs are highly unique. Therefore, enabling this option will bloat the metadb, decreasing performance and retention, and is NOT ADVISED.
Do not enable this option if also enabling Register URL Components.
Registers the entirety of each URL found. The URL will be registered with the meta key url. Registered URLs will be a maximum of 256 characters (this is a standard meta length limitation).
No deduplication of URLs is performed, even if the Deduplicate Host Registration option is enabled.
Host Key
Name: hostKey. Default is alias.host.
Default behavior is to register extracted hosts as alias.host, alias.ip, or alias.ipv6 as appropriate.
Modifying this value will cause extracted hosts to instead be registered with the specified key. If the key does not already exist, it will be created. Normal key name restrictions apply.