Sensors Available Tags

Tag Description
100PROCENT_IT_KOMMUNIKATION https://www.100procent.com/
ACTOR_NCSC UK National Cyber Security Centre internet scanning. https://www.ncsc.gov.uk/information/ncsc-scanning-information
ADWARE Malware delivered via advertisement
ADWIND Adwind RAT, a cross-platform, multifunctional malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat
AFP_SCANNER AFP - Apple Filing protocol Scanner
AFS_SCANNER AFSVersionRequest Scanner
AMPEREINNOTECH Internet wide scanner https://ampereinnotech.com/
AMPLIFICATION Association with amplification attacks
AMQP_SCANNER Scanning for a technology of Advanced Message Queuing Protocol such as RabbitMQ
ANDROMOUSE_SCANNER AndroMouse Scanner - Android Wireless Mouse And Keyboard
APACHE_AIRFLOW Scanning for Apache Airflow
APACHE_COUCHDB Scanning for Apache CouchDB panel
APACHE_HADOOP Scanning for Apache Hadoop Panel
APACHE_JSERV_SCANNER The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server
APACHE_SOLR Scanning for Apache Solr panel
APPLERD_SCANNER Apple Remote Desktop Scanner
ARUCER_BACKDOOR_SCANNER Malware
ASTERISK_SCANNER Scanning for Asterisk/VOIP Technology
ATLASSIAN_BITBUCKET_SERVER_RCE Exploiting Atlassian Bitbucket Server remote code execution vulnerability, CVE-2022-36804
ATLASSIAN_JIRA_ISSUE_MANAGEMENT Scanning for Atlassian Jira Issue Management Panel
ATLASSIAN_QUESTIONS_FOR_CONFLUENCE_HARDCODED_PASSWORD Scanning for Atlassian Confluence hardcoded password vulnerability (CVE-2022-26138)
AUTO_GENERATED Indicates rules and tags generated by an automated process.
BACKDOOR Scanning for a known backdoor
BAIDUSPIDER http://www.baidu.com/
BENIGN Known and confirmed actor or actions that have been classified by us as non-malicious
BGP_SCANNER Scanning for BGP protocol
BINARYEDGE Internet wide scanner https://www.binaryedge.io/
BINGBOT https://www.bing.com/
BITSIGHT Internet wide scanner https://www.bitsight.com/
BITTORRENT_SCANNER Scanning for Bittorrent protocol
BLUEKEEP_RDPSCAN https://github.com/robertdavidgraham/rdpscan
BLUEKEEP_SCANNER Vulnerability affecting RDP protocol (CVE-2019-0708)
BLUEKEEP_ZEROSUM https://github.com/zerosum0x0/CVE-2019-0708
BOTNET Known botnet traffic
BUSYBOX_SCANNER Scanning for BusyBox
CASSANDRA_SCANNER Scanning for Apache Cassandra
CENSYS Internet wide scanner https://censys.io/
CISCO_ASA Scanning for Cisco ASA VPN Panel
CISCO_LINKSYS_SCANNER Scanning for vulnerabilities associated with Cisco or Linksys
CISCO_SMART_INSTALL Scanning for Cisco Smart Install
CITRIX_ADC_GATEWAY Scanning for Citrix ADC Gateway Panel
CITRIX_ADM Scanning for Citrix ADM Panel
CITRIX_SCANNER Scanner looking for Citrix instances
CITRIX_INJECTION Citrix NetScaler and CloudBridge devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID or CAKEPHP cookie
CITRIX_VPN Scanning for Citrix VPN Panel
CITRIX_XENMOBILE_CONSOLE Scanning for Citrix Xenmobile Console panel
COAP_SCANNER CoAP GET .well-known/core Scanner
COCCOC Cốc Cốc browser is a freeware web browser focused on the Vietnamese market, developed by Vietnamese company Cốc Cốc and based on Chromium open source code
CODESYS_SCANNER Scanning for Codesys protocol, typically used in SCADA environments
CONNECTWISE_SCREENCONNECT_AUTH_BYPASS_2024_2 Attempting to exploit the authentication bypass vulnerability in ConnectWise ScreenConnect that was publicised February 2024.
CORBA_SCANNER The Common Object Request Broker Architecture is a standard defined by the Object Management Group designed to facilitate the communication of systems that are deployed on diverse platforms
CRIMINALIP Internet wide scanner http://security.criminalip.com/
CRLF_INJECTION This event is attempting a CRLF injection.
CROSSMATCH_SERVER Crossmatch Biometric server
CRYPTOCURRENCY_SCANNER Scanning for cryptocurrency API or exposed nodes
CVE-2002-1717 Microsoft Internet Information Server (IIS) 5.1 allows remote attackers to view path information via a GET request to (1) /_vti_pvt/access.cnf, (2) /_vti_pvt/botinfs.cnf, (3) /_vti_pvt/bots.cnf, or (4) /_vti_pvt/linkinfo.cnf.
CVE-2012-0152 The Remote Desktop Protocol service in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service via a series of crafted packets
CVE-2012-0432 Stack-based buffer overflow in the Novell NCP implementation in NetIQ eDirectory 8.8.7.x before 8.8.7.2
CVE-2015-4852 The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic
CVE-2015-7808 The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments
CVE-2015-8562 Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header
CVE-2016-2386 SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2101079.
CVE-2016-2388 The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
CVE-2017-12615 Apache Tomcat 7.0.0 to 7.0.79 has a remote code execution vulnerability
CVE-2017-12617 When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12635 Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON, the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges.
CVE-2017-16894 In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework.
CVE-2017-17215 Huawei HG532 with some customized versions has a remote code execution vulnerability
CVE-2017-5638 The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string
CVE-2017-6316 Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather than CGISESSID.
CVE-2018-15517 The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI.
CVE-2018-2628 Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
CVE-2018-13379 Some versions of Fortinet FortiOS under SSL VPN web portal allows an unauthenticated attacker to download system files via HTTP resource requests
CVE-2018-15961 Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
CVE-2018-7841 A SQL Injection (CWE-89) vulnerability exists in U.motion Builder software version 1.3.4 which could cause unwanted code execution when an improper set of characters is entered.
CVE-2019-0604 Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2019-0230 Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
CVE-2019-1003029 A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
CVE-2019-17662 ThinVNC 1.0b1 is vulnerable to arbitrary file read, which leads to a compromise of the VNC server. The vulnerability exists even when authentication is turned on during the deployment of the VNC server. The password for authentication is stored in cleartext in a file that can be read via a ../../ThinVnc.ini directory traversal attack vector.
CVE-2019-5513 Information Leaks in VMWare Horizon
CVE-2019-11510 File reading vulnerability in Pulse Secure Pulse Connect Secure
CVE-2019-15107 Command injection vulnerability on Webmin through 1.920
CVE-2019-19781 An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal
CVE-2019-7192 This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
CVE-2019-7194 This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
CVE-2019-7195 This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
CVE-2019-7256 Linear eMerge E3-Series devices allow Command Injections.
CVE-2020-11978 A remote code/command injection vulnerability was discovered in Apache Airflow versions 1.10.10 and below.
CVE-2020-13927 The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at https://airflow.apache.org/docs/1.10.11/security.html#api-authentication.
CVE-2020-14882 Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
CVE-2020-5902 In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.
CVE-2021-21974 OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.
CVE-2021-22941-EXPLOIT Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.
CVE-2021-22941-RECON Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.
CVE-2021-22986 On BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2, the iControl REST interface has an unauthenticated remote command execution vulnerability.
CVE-2021-26086 Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.
CVE-2021-39144 XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-44228 Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints.
CVE-2021-45046 It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.
CVE-2022-1388 On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication.
CVE-2022-22241 An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur which could lead to unauthorized local file access or the ability to execute arbitrary commands.
CVE-2022-22242 A Cross-site Scripting (XSS) vulnerability in the J-Web component of Juniper Networks Junos OS allows an unauthenticated attacker to run malicious scripts reflected off of J-Web to the victim's browser in the context of their session within J-Web.
CVE-2022-22947 In Spring Cloud Gateway versions prior to 3.1.1+ and 3.0.7+, applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.
CVE-2022-22954 VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
CVE-2022-22963 Remote code execution in Spring Cloud Function by malicious Spring Expression.
CVE-2022-22972 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
CVE-2022-24706 In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without authenticating and gain admin privileges. The CouchDB documentation has always made recommendations for properly securing an installation, including recommending using a firewall in front of all CouchDB installations.
CVE-2022-26134 In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
CVE-2022-27925 Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.
CVE-2022-29499 The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
CVE-2022-31664 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. A malicious actor with local access can escalate privileges to 'root'.
CVE-2022-31674 VMware vRealize Operations contains an information disclosure vulnerability. A low-privileged malicious actor with network access can access log files that lead to information disclosure.
CVE-2022-31675 VMware vRealize Operations contains an authentication bypass vulnerability. An unauthenticated malicious actor with network access may be able to create a user with administrative privileges.
CVE-2022-42122 A SQL injection vulnerability in the Friendly Url module in Liferay Portal 7.3.7, and Liferay DXP 7.3 fix pack 2 through update 4 allows attackers to execute arbitrary SQL commands via a crafted payload injected into the title field of a friendly URL.
CVE-2023-22515 Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.
CVE-2023-23752 An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.
CVE-2022-26138 The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
CVE-2022-26318 On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.
CVE-2022-30525 An OS command injection vulnerability in the CGI program of Zyxel USG FLEX 100(W) firmware versions 5.00 through 5.21 Patch 1, USG FLEX 200 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 500 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 700 firmware versions 5.00 through 5.21 Patch 1, USG FLEX 50(W) firmware versions 5.10 through 5.21 Patch 1, USG20(W)-VPN firmware versions 5.10 through 5.21 Patch 1, ATP series firmware versions 5.10 through 5.21 Patch 1, VPN series firmware versions 4.60 through 5.21 Patch 1, which could allow an attacker to modify specific files and then execute some OS commands on a vulnerable device.
CVE-2022-31711 VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.
CVE-2022-36804 Multiple API endpoints in Atlassian Bitbucket Server and Data Center 7.0.0 before version 7.6.17, from version 7.7.0 before version 7.17.10, from version 7.18.0 before version 7.21.4, from version 8.0.0 before version 8.0.3, from version 8.1.0 before version 8.1.3, and from version 8.2.0 before version 8.2.2, and from version 8.3.0 before 8.3.1 allows remote attackers with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request.
CVE-2022-39952 An external control of file name or path vulnerability in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via a specifically crafted HTTP request.
CVE-2022-40684 Fortinet FortiOS and FortiProxy authentication bypass vulnerability.
CVE-2022-41040 Microsoft Exchange Server Elevation of Privilege Vulnerability.
CVE-2022-41082 Microsoft Exchange Server Remote Code Execution Vulnerability.
CVE-2023-0669 Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
CVE-2023-37474 Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the .cpr subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This issue has been addressed in commit 043e3c7d which has been included in release 1.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-4966 Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
CVE-2023-20887 Aria Operations for Networks contains a command injection vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.
CVE-2023-20198 Cisco IOS XE vulnerability in the web UI feature that allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access.
CVE-2023-22518 All versions of Confluence Data Center and Server are affected by this unexploited vulnerability. This Improper Authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to Confluence instance administrator leading to - but not limited to - full loss of confidentiality, integrity and availability. Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
CVE-2023-24955 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2023-25157 GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore encode functions setting to mitigate strEndsWith, strStartsWith and PropertyIsLike misuse and enable the PostGIS DataStore preparedStatements setting to mitigate the FeatureId misuse.
CVE-2023-25717 Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.
CVE-2023-27350 PaperCut MF/NG contains an improper access control vulnerability within the SetupCompleted class that allows authentication bypass and code execution in the context of system.
CVE-2023-27524 Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config.
CVE-2023-28432 MinIO contains a vulnerability in a cluster deployment where MinIO returns all environment variables, which allows for information disclosure.
CVE-2023-29084 Zoho ManageEngine ADManager Plus through 7180 allows for authenticated users to exploit command injection via Proxy settings.
CVE-2023-29298 Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
CVE-2023-29300 Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
CVE-2023-34362 In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.
CVE-2023-34723 An issue was discovered in TechView LA-5570 Wireless Gateway 1.0.19_T53, allows attackers to gain sensitive information via /config/system.conf.
CVE-2023-35078 Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild in July 2023. A patch is available.
CVE-2023-35708 In Progress MOVEit Transfer before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
CVE-2023-36844 A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S9; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R3-S1; * 22.4 versions prior to 22.4R2-S2, 22.4R3.
CVE-2023-36845 A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify a certain PHP environment variable leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2.
CVE-2023-36846 A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 20.4R3-S8; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.
CVE-2023-36847 A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.
CVE-2023-46805 An authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.
CVE-2024-21887 A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
CVE-2023-42793 In JetBrains TeamCity before 2023.05.4, an authentication bypass leading to RCE on TeamCity Server was possible.
CVE-2023-49103 An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
CVE-2024-10781 The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to a missing empty-value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
CVE-2024-10924 The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
CVE-2024-11680 ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.
CVE-2024-1708 ConnectWise ScreenConnect 23.9.7 and prior are affected by a path-traversal vulnerability, which may allow an attacker to execute remote code or directly impact confidential data or critical systems.
CVE-2024-1709 ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
CVE-2024-1709 OpenSSH regreSSHion vulnerability, affecting versions between 8.5p1 and 9.8p1 and OpenSSH versions earlier than 4.4p1. It allows remote code execution (RCE).
CVE-2024-21793 An OData injection vulnerability exists in the BIG-IP Next Central Manager API (URI).
CVE-2024-26026 A SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI).
CVE-2024-27198 In JetBrains TeamCity before 2023.11.4, an authentication bypass allowing an attacker to perform admin actions was possible.
CVE-2024-30265 Collabora Online is a collaborative online office suite based on LibreOffice technology. Any deployment of the voilà dashboard allows local file inclusion. Any file on the filesystem that is readable by the user running the voilà dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voilà is deployed. This issue has been patched in 0.2.17, 0.3.8, 0.4.4 and 0.5.6.
CVE-2024-36401 Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
CVE-2024-4577 In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to the PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
CVE-2024-51567 CyberPanel (versions up to 2.3.7) allows unauthenticated remote command execution through /dataBases/upgrademysqlstatus by exploiting shell metacharacters in the statusfile field, bypassing security middleware intended only for POST requests.
CWE-288 Authentication Bypass Using an Alternate Path or Channel. A product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-473 A PHP application does not properly protect against the modification of variables from external sources, such as query parameters or cookies.
CWE-502 The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CYBERGREEN The CyberGreen Institute is a global non-profit and collaborative organization conducting activities focused on helping to improve the health of the global Cyber Ecosystem
CYMRU http://www.team-cymru.com
DAHUA_DVR_SCANNER Scanning for Dahua DVR devices
DAHUA_NVR_SCANNER Scanning for Dahua NVR devices
DFIND_SCANNER Scanner using ZmEu vulnerability scanner
DICT_SCANNER Dictionary Network Protocol
DIGI_DISCOVERY_SCANNER Scanning for Digi Device Discovery
DIRECTORY_TRAVERSAL TODO: Add description for this tag.
DLINK_SCANNER Scanning for DLink vulnerabilities
DNS_SCANNER The Domain Name System is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network
DNS_SD_SCANNER Scanning for DNS Service Discovery
DOMAINTOOLS https://www.domaintools.com/
DRDA_SCANNER DRDA Protocol Scanner
DRIDEX Dridex also known as Bugat and Cridex is a form of malware that specializes in stealing bank credentials
DRUPAL_SCANNER Scanning for Drupal framework vulnerabilities
DTLS_SCANNER Valid DTLS Connections
DUCKDUCKBOT https://duckduckgo.com/
DVR_SCANNER Scanning for DVR devices
ECSHOP_SCANNER Scanning for eCShop
ELASTICSEARCH_SCANNER Scanning for exposed Elasticsearch databases
EMAIL_SCANNER Scanning for known email protocols
EMOTET The Emotet banking Trojan was first identified by security researchers in 2014
ENTTEC_DMX Scanning for ENTTEC DMX devices
EOS_NODE_SCANNER Scanning for EOS Blockchain nodes
EPMD_SCANNER Erlang Port Mapper Daemon Scanner
ETHEREUM_NODE_SCANNER Scanning for Ethereum Blockchain nodes
EXABOT Exabot is a web scraper for Exalead https://www.exalead.com
EXPLOITATION Validated exploitation of known vulnerability
EXPOSURE_MONITORING https://www.exposuremonitoring.in/
F5_BIG_IP_ICONTROL_REST_BASH F5 BIG-IP REST endpoint allows arbitrary bash commands to be executed remotely without authentication
F5_BIG_IP_ICONTROL_REST_INTERFACE F5 BIG-IP REST API authentication endpoint: (IP)/mgmt/shared/authn/login
FACEBOOKEXTERNALHIT https://www.facebook.com/ crawler
FATPIPE_WARP Scanning for FatPipe WARP Login panel
FINDMALWARE http://research.findmalware.org/
FINGER_SCANNER Scanner for the finger protocol
FIREBIRD_SCANNER Firebird is an open-source SQL relational database management system
FORTINET_FORTIGATE_SSL_VPN Scanning for Fortinet Fortigate SSL VPN panel
FOX_SCANNER Scanner for Tridium Fox scada protocol
FTP_SCANNER Scanner for FTP servers
GAME_SERVER_STATUS_SCANNER Looking for the status of Freelancer game servers
GCP Google Cloud Platform
GENERICLINES Plain newline scanner, typically an initial probe
GIT_SCANNER Scanner for open git repositories
GITLAB Scanning for GitLab panel
GITLAB_OMNIAUTH Scanning for Gitlab OmniAuth Login panel
GKRELLM_SCANNER GKrellM System Monitor Scanner
GLPI Scanning for GLPI panel
GOODOR Scanner for the goodor backdoor
GOOGLE www.google.com hosted content
GOOGLEBOT https://www.google.com/ crawler
GOOTKIT Trojan.GootKit is a Trojan horse that steals confidential information and also opens a back door and downloads additional files on to the compromised computer
GOZI GOZI is a spyware that monitors network traffic. It also gets login credentials stored in browsers and mail applications
GPON_ONT_SCANNER Scanner for GPON Network terminals
HADOOP_HDFS_SCANNER Scanning for Hadoop HDFS
HADOOP_YARN_SCANNER Scanning for Hadoop Yarn
HAMLIB_SCANNER Hamlib rotctld Scanner
HISILICON_DVR Scanning for a remote code execution vulnerability on HiSilicon DVR devices
HIVEMANAGER Scanning for a HiveManager panel
HNAP_SCANNER Scanning for HNAP routers
HTTP_CRAWLER HTTP Crawler
HTTP_REFLECTION Source of event tried to make one of our sensors access something from 3rd party, potential DDoS
HTTP_SCANNER Scanning for HTTP Services
HUAWEI_HG532_SCANNER Scanning for vulnerabilities associated with the Huawei HG532 Router
IBM_DB2_SCANNER Scanning for IBM DB2 databases
IBM_MQ_SCANNER IBM MQ Scanner
IBM_NJE_SCANNER IBM Network Job Entry Scanner
IBM_TN3270 Scanning for IBM TN3270 terminals
ICMP_ECHO_REQUEST Ping event
IKE_SCANNER Internet Key Exchange protocol scanner
INFORMIX_SCANNER IBM Informix is a product family within IBM's Information Management division that is centered on several relational database management system offerings.
INTERNET_CENSUS Internet wide scanner actor seemingly associated with Bitsight
INTERNET_TTL http://www.internettl.org/
INTRINSEC https://intrinsecsecurity.com/
IPFIRE_EXPLOIT Scanning for IPFire router software exploits
IPIP https://en.ipip.net/
IPMI_SCANNER Scanning for devices using IPMI
IRC_SCANNER Scanning for IRC servers
IS_ARCHIVER The Internet Archive https://archive.org/
JABBER_SCANNER Scanning for the Jabber protocol
JANUARY January Malware https://bitninja.io/blog/2018/12/28/goodbye-peppa-hello-january?PageSpeed=noscript
JAVA_SCANNER Scanning for JRMI endpoints
JBIFROST Also called ADWind, the Adwind Remote Access Trojan (RAT) is a popular Java-based backdoor capable of infecting Windows, Linux, Mac OS and Android operating systems
JBOSS_JMX_MANAGEMENT_CONSOLE Scanning for JBoss JMX Management Console Panel
JBOSS_MALWARE Known Malware of JBOSS framework
JDWP_SCANNER Scanning for Java Debug Wire Protocol
JENKINS_PORTAL Scanning for Jenkins Portal
JENKINS_SCANNER Scanning for Jenkins
JENKINS_SCRIPT_SECURITY_PLUGIN Jenkins Script Security Plugin
JOOMLA_SCANNER Scanning for Joomla
JUNIPER_SCANNER Scanning for exposed Juniper network devices
KERBEROS_SCANNER Scanning for Kerberos protocol
KGUARD_SCANNER Scanning for Kguard Cameras
KUDELSKI-NAGRA Internet wide scanner https://www.nagra.com/
KUMOFS_SCANNER Kumofs is a simple and fast distributed key-value store
LANDESK_SCANNER Scanning for Landesk software
LDAP_SCANNER Scanning for LDAP protocol
LINUX_BACKDOOR_SCANNER Scanning for Linux backdoors
LINUXSAMPLER_SCANNER LinuxSampler Control Protocol Scanner
LOSEC Internet wide scanner lo-sec.online
LPD_SCANNER Line Printer Daemon protocol
MAIL_RU Mail.Ru Group, ООО (commonly referred to as Mail.Ru) is a Russian Internet company
MALICIOUS Known and confirmed malicious actions
MALIGN Known and confirmed malicious actions
MALWARE Known and confirmed malware
MARBLE_COIN_SCANNER Scanning for Marble Coin
MASSCAN_SCANNER Scanner using Masscan
MEMCACHED_SCANNER Scanning for exposed memcached endpoints
METASPLOIT Actor using Metasploit
MICROSOFT_EXCHANGE Scanning for Microsoft Exchange Admin Center panel
MICROSOFT_SQL_SERVER Scanning for exposed Microsoft SQL server
MIKROTIK_ROUTEROS Scanning for a remote shell vulnerability on Mikrotik devices running certain versions of RouterOS
MINERPOOL www.minerpool.net
MIRAI Mirai-family botnet
MITEL_MIVOICE_CONNECT Mitel MiVoice Connect Service Appliance
MNUBOT MnuBot is a banking trojan discovered by IBM X-Force researchers
MODBUS_SCANNER Scanning for the SCADA protocol modbus
MONGODB_SCANNER Scanning for exposed mongoDB databases
MQTT_SCANNER A lightweight messaging protocol for small sensors and mobile devices
MSMQ_SCANNER Scanning for Microsoft Message Queueing (MSMQ)
MUMBLE_SCANNER Mumble Voice Chat Server Scanner
NETCRAFT Netcraft is an Internet services company based in Bath, Somerset, England. https://www.netcraft.com/
NETMOTION_MOBILITY_SCANNER NetMotion Mobility VPN Scanner
NETSYSTEMS http://netsystemsresearch.com
NEUTRINO Neutrino malware
NFS_SCANNER NFS version 2 Scanner
NMAP_SCANNER Actor using the NMAP scanner
NOCTION_IRP Scanning for Noction IRP BGP software
NOMACHINE_SCANNER NoMachine Network Server Scanner
NOMAD_JOBS Scanning for Nomad Jobs Panel
NOVELL_NCP_SCANNER Scanning for Novell NetWare Core Protocol
NTP_SCANNER Scanning for NTP servers
NUCLEI_DEFAULT_CALLBACK Default callback domains for Nuclei scans. https://github.com/projectdiscovery/interactsh
NUUO_NVR_SCANNER Scanning for Nuuo CCTV Cameras
NVMS9000_DVR_SCANNER Scanning for NVMS-9000 Digital Video Recorder devices
ONYPHE Internet wide scanner https://www.onyphe.io/
OPENPORTSTATS Internet wide scanner http://openportstats.com/
OPENSSH A suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture
OPENVPN_SCANNER OpenVPN software scanner
ORACLE_TNS_SCANNER Scanning for Oracle Databases exposing the TNS endpoint
ORACLE_WEBLOGIC Scanning for Oracle Weblogic Servers
ORACLE_WEBLOGIC_UNAUTH_RCE Exploiting CVE-2020-14882
PALOALTO_NETWORKS_GLOBALPROTECT Scanning for Palo Alto Global Protect Panel
PALOALTO_NETWORKS_GLOBALPROTECT_GENERIC Scanning for generic Palo Alto Global Protect devices
PANEL This event is related to a login panel.
PAN_GLOBALPROTECT_DEFAULT_KEY Scanning for Palo Alto Global Protect default master key
PARALLELS_HTML5 Scanning for Parallels HTML5 panel
PATH_TRAVERSAL_ATTACK TODO: Add description for this tag.
PC_ANYWHERE_SCANNER pcAnywhere was a suite of computer programs by Symantec which allows a user of the pcAnywhere remote program on a computer to connect to a personal computer running the pcAnywhere host
PCWORX_SCANNER Scanning for PCWorx protocol
PEPPA Peppa malware
PERVASIVE_SQL_SCANNER Pervasive PSQL is an ACID-compliant database management system (DBMS) developed by Pervasive Software
PHP_FPM Scanning for PHP FastCGI Process Manager panels
PHPMYADMIN Scanning for PHPMyAdmin panels
PLC_SCANNER Scanning for Programmable Logic Controllers
POC This event is directly related to a known exploit proof-of-concept.
POSTGRESQL_SCANNER Scanning for PostgreSQL servers
PRINTER_SCANNER Scanning for exposed printers
PROBETHENET Internet wide scanner http://probethenet.com/
PROCONOS_SCANNER ProConOs scada protocol Scanner
PROJECT25499 Internet wide scanner http://project25499.com/
PROXY_SCANNER Scanning for open proxies
PRTG_TRAFFIC_GRAPHER PRTG Traffic Grapher Sensor List
PUTTY_CLIENT SSH Connections using Putty Client
QNAP_QTS_PHOTO_STATION QNAP QTS running Photo Station
QUADMETRICS https://quadmetrics.com/
QUAKE_SCANNER Scanner for Quake 3 servers
QUEENS_COLLEGE_UNI_NY https://www.qc.cuny.edu Queens College, City University of New York
QUIC_SCANNER Scanning for QUIC protocol
QWANT https://www.qwant.com/ Qwant, the European search engine that respects your privacy
RABBITMQ_SCANNER Scanning for RabbitMQ Protocol
RADIUS_MANAGER_CONTROL Scanning for Radius Manager Control panel
RADMIN_SCANNER Scanning for Radmin software https://www.radmin.com
RADWARE_SCANNER Scanning for Radware software https://www.radware.com/
RANSOMWARE General ransomware tag, used when we can't classify the family
RAPID7 Internet wide scanner https://www.rapid7.com/
RCONFIG_SCANNER Scanning for the rConfig network management tool
RDP_SCANNER Scanning for Remote Desktop Protocols
RDS_SCANNER Scanning for Microsoft Remote Desktop Services
REALTEK_MINIIGD_UPNP Scanning for Realtek SDK Miniigd UPnP command execution vulnerability
REDIS_SCANNER Scanning for exposed REDIS databases
RFB_SCANNER Scanning for VNC Protocol
RIAK_PBC_SCANNER Basho Riak PBC Scanner
RLOGIN_SCANNER Scanning for Rlogin protocol
ROUTER_SCANNER Scanning for exposed routers
RPC_SCANNER Most likely looking for Ethereum Nodes
RSA_SELF_SERVICE Scanning for RSA Self Service panel
RSYNC_SCANNER Scanning for Rsync servers
RTSP_SCANNER Scanning for Realtime Stream Protocol
RUBY Actor using a Ruby-based tool
RWTH_AACHEN_UNIVERSITY http://www.rwth-aachen.de RWTH Aachen University or Rheinisch-Westfälische Technische Hochschule Aachen is a research university located in Aachen, North Rhine-Westphalia, Germany
SAP_NETWEAVER This event is related to SAP NetWeaver.
SAP_SCANNER Scanning for SAP Servers
SCADA_SCANNER Scanning for SCADA protocols
SCANNER_ORACLE_WEBLOGIC IP is scanning for Oracle Weblogic.
SCHNEIDER_ELECTRIC_UMOTION_BUILDER Schneider Electric U.motion Builder software
SERIALNUMBERD Scanning for serialnumberd
SERVICES_HELP Services Help Scanner
SEZNAM https://www.seznam.cz/ crawler
SHADOWSERVER https://www.shadowserver.org/wiki/ scanner
SHAREPOINT_EXPLOIT Exploit for Sharepoint
SHAREPOINT_SCANNER Scanning for Sharepoint
SHODAN Internet wide scanner https://www.shodan.io/
SIP_SCANNER Scanning for SIP /VOIP Servers
SLURP Slurp bot for Yahoo
SMB_SCANNER Scanner for SMB Protocol often affiliated with exploitation of Microsoft Windows
SMTP_SCANNER Scanner for SMTP protocol
SNMP_SCANNER Scanner for SNMP protocol
SOAP_SCANNER Scanning for software based on SOAP requests
SOCKS_SCANNER Scanning for SOCKS
SOGOU https://www.sogou.com/
SOLARWINDS_ORION_EXPOSED Scanning for Solarwinds Orion Network Performance Monitor
SOLARWINDS_ORION_SCANNER Scanner for Solarwinds Orion
SONARQUBE Scanning for SonarQube panel
SONICWALL_VIRTUAL_OFFICE_PANEL Scanning for Sonicwall Virtual Office panel
SOURCE_ENGINE Valve Source Engine - Games
SPHIDER_ADMIN Scanning for Sphider Admin panel
SPRING_CLOUD_CONNECTOR_EXPLOIT Exploit for Spring Cloud Function - see: CVE-2022-22963
SQLPING_SCANNER Sqlping Scanner
SQUEEZECENTER_SCANNER SqueezeCenter is the media server component of Slim Devices' (now a Logitech company) media playing devices such as Squeezebox
SSH_SCANNER Valid SSH connections
SSL_SCANNER Valid SSL Connections
STANFORD_UNIVERSITY https://www.stanford.edu/ Leland Stanford Junior University is a private research university in Stanford, California
STRATUM_SCANNER Scanning for Stratum software
STRETCHOID http://stretchoid.com/ Stretchoid is a platform that helps identify an organization's online services
STRUTS_OGNL_SCANNER Apache Struts Jakarta Multipart Parser OGNL Injection Scanner
SYBASE_ASA_DISCOVER Scanning for Sybase Anywhere servers on the LAN by sending broadcast discovery messages
TALAIA https://www.talaia.io/ A highly scalable, NetFlow/IPFIX based big-data platform designed for network operators making complex decisions
TARANTOOL_SCANNER Tarantool is an open-source NoSQL database management system and Lua application server
TCP_SYN SYN packet received
TEAMSPEAK2_SCANNER TeamSpeak 2 VoIP communication server
TECHNOLOGY_3CX_MANAGEMENT_CONSOLE This event is related to 3CX Management Console.
TECHNOLOGY_ADOBE_COLDFUSION This event is related to Adobe ColdFusion.
TECHNOLOGY_ADOBE_EXPERIENCE_MANAGER This event is related to Adobe Experience Manager.
TECHNOLOGY_APACHE_COUCHDB This event is related to Apache Couchdb.
TECHNOLOGY_APACHE_GUACAMOLE This event is related to Apache Guacamole.
TECHNOLOGY_APACHE_SOLR This event is related to Apache Solr.
TECHNOLOGY_APACHE_STRUTS This event is related to Apache Struts.
TECHNOLOGY_APACHE_SUPERSET This event is related to Apache Superset.
TECHNOLOGY_APACHE_TOMCAT This event is related to Apache Tomcat.
TECHNOLOGY_ATLASSIAN_CONFLUENCE_DATA_CENTER This event is related to Atlassian Confluence Data Center.
TECHNOLOGY_ATLASSIAN_CONFLUENCE_SERVER This event is related to Atlassian Confluence Server.
TECHNOLOGY_ATLASSIAN_JIRA This event is related to Atlassian Jira.
TECHNOLOGY_BASIC_B2B This event is related to Basic B2b.
TECHNOLOGY_CHECK_POINT_CLOUDGUARD This event is related to Check Point CloudGuard Network Security
TECHNOLOGY_CISCO_IOS_XE This event is related to Cisco IOS XE
TECHNOLOGY_CITRIX_NETSCALER_ADC This event is related to Citrix NetScaler ADC.
TECHNOLOGY_CITRIX_NETSCALER_GATEWAY This event is related to Citrix NetScaler Gateway.
TECHNOLOGY_CLEANTALK_WORDPRESS_PLUGIN This event is related to the Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress.
TECHNOLOGY_COLLABORA_ONLINE This event is related to Collabora Online.
TECHNOLOGY_CONNECTWISE_R1SOFT Scanning for ConnectWise R1Soft Panel
TECHNOLOGY_CONNECTWISE_SCREENCONNECT This event is related to ConnectWise ScreenConnect.
TECHNOLOGY_CONSUL This event is related to Consul.
TECHNOLOGY_COPYPARTY This event is related to Copyparty.
TECHNOLOGY_CRUSHFTP_SERVER This event is related to CrushFTP.
TECHNOLOGY_CYBERPANEL This event is related to CyberPanel.
TECHNOLOGY_DLINK_CENTRAL_WIFIMANAGER This event is related to Dlink Central Wifimanager.
TECHNOLOGY_DLNA This event is related to Dlna.
TECHNOLOGY_DOCKER This event is related to Docker.
TECHNOLOGY_ELASTICSEARCH This event is related to Elasticsearch.
TECHNOLOGY_F5_BIG_IP_NEXT_CENTRAL_MANAGER This event is related to F5 Big IP Next Central Manager.
TECHNOLOGY_F5_BIG_IP_TMUI This event is related to F5 Big Ip Tmui.
TECHNOLOGY_FORTINET_FORTICLIENT_EMS This event is related to Fortinet FortiClient EMS.
TECHNOLOGY_FORTINET_FORTINAC This event is related to Fortinet FortiNAC.
TECHNOLOGY_FORTINET_FORTIOS This event is related to Fortinet Fortios.
TECHNOLOGY_FORTINET_FORTIPROXY This event is related to Fortinet Fortiproxy.
TECHNOLOGY_FORTINET_FORTISWITCHMANAGER This event is related to Fortinet Fortiswitchmanager.
TECHNOLOGY_FORTRA_GOANYWHERE_MFT This event is related to Fortra GoAnywhere MFT.
TECHNOLOGY_GEOSERVER This event is related to GeoServer.
TECHNOLOGY_GLPI This event is related to Glpi.
TECHNOLOGY_GRAFANA This event is related to Grafana.
TECHNOLOGY_HTMLAWED This event is related to Htmlawed.
TECHNOLOGY_IBM_WEBSPHERE_PORTAL This event is related to Ibm Websphere Portal.
TECHNOLOGY_IVANTI_ENDPOINT_MANAGER_MOBILE This event is related to Ivanti Endpoint Manager Mobile (formerly MobileIron Core).
TECHNOLOGY_IVANTI_CONNECT_SECURE This event is related to Ivanti Connect Secure.
TECHNOLOGY_IVANTI_ICS This event is related to Ivanti ICS.
TECHNOLOGY_IVANTI_POLICY_SECURE This event is related to Ivanti Policy Secure.
TECHNOLOGY_IWEB_OFFICE This event is related to Iweb Office.
TECHNOLOGY_JBOSS_JMX_CONSOLE This event is related to Jboss Jmx Console.
TECHNOLOGY_JBOSS_MANAGEMENT_CONSOLE This event is related to Jboss Management Console.
TECHNOLOGY_JMX This event is related to Jmx.
TECHNOLOGY_JOLOKIA This event is related to Jolokia.
TECHNOLOGY_JOOMLA This event is related to Joomla.
TECHNOLOGY_LARAVEL This event is related to Laravel.
TECHNOLOGY_LETS_ENCRYPT This event is related to Lets Encrypt.
TECHNOLOGY_LIFERAY_PORTAL This event is related to Liferay Portal.
TECHNOLOGY_LINEAR_EMERGE This event is related to Linear eMerge.
TECHNOLOGY_LUCEE This event is related to Lucee.
TECHNOLOGY_MICROSOFT_IIS This event is related to Microsoft Iis.
TECHNOLOGY_NUXEO This event is related to Nuxeo.
TECHNOLOGY_ORACLE_TALARI_SDWAN This event is related to Oracle Talari Sdwan.
TECHNOLOGY_ORACLE_WEBLOGIC This event is related to Oracle Weblogic.
TECHNOLOGY_OSGEO_GEOSERVER This event is related to OSGeo GeoServer.
TECHNOLOGY_JOOMLA_CMS This event is related to Joomla! CMS.
TECHNOLOGY_JUNIPER_NETWORKS_JUNOS_OS This event is related to Juniper Networks Junos OS.
TECHNOLOGY_JUNIPER_NETWORKS_WEB_DEVICE_MANAGER This event is related to Juniper Networks Web Device Manager.
TECHNOLOGY_MICROSOFT_EXCHANGE_SERVER This event is related to Microsoft Exchange Server.
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2008 This event is related to Microsoft Remote Desktop 2008.
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2012 This event is related to Microsoft Remote Desktop 2012.
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2016 This event is related to Microsoft Remote Desktop 2016.
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2019 This event is related to Microsoft Remote Desktop 2019.
TECHNOLOGY_MICROSOFT_REMOTE_DESKTOP_2022 This event is related to Microsoft Remote Desktop 2022.
TECHNOLOGY_MICROSOFT_SHAREPOINT_SERVER This event is related to Microsoft SharePoint Server.
TECHNOLOGY_MINIO This event is related to MinIO.
TECHNOLOGY_MOBILEIRON_CORE This event is related to MobileIron Core (now Ivanti Endpoint Manager Mobile).
TECHNOLOGY_MOVEIT_TRANSFER This event is related to MOVEit Transfer.
TECHNOLOGY_MSMQ This event is related to Microsoft Message Queuing (MSMQ)
TECHNOLOGY_OWNCLOUD This event is related to ownCloud.
TECHNOLOGY_PAPERCUT_MF This event is related to PaperCut MF
TECHNOLOGY_PAPERCUT_NG This event is related to PaperCut NG
TECHNOLOGY_PHP This event is related to PHP.
TECHNOLOGY_PHPMYADMIN This event is related to Phpmyadmin.
TECHNOLOGY_POSTNUKE This event is related to Postnuke.
TECHNOLOGY_PROJECTSEND This event is related to ProjectSend.
TECHNOLOGY_PULSE_CONNECT_SECURE This event is related to Pulse Connect Secure.
TECHNOLOGY_REALLY_SIMPLE_SECURITY_WORDPRESS_PLUGIN This event is related to the Really Simple Security plugin for Wordpress.
TECHNOLOGY_RUCKUS_WIRELESS_ADMIN This event is related to Ruckus Wireless Admin.
TECHNOLOGY_SAVVII This event is related to Savvii.
TECHNOLOGY_SONATYPE_NEXUS This event is related to Sonatype Nexus 3 Repository Panel Manager.
TECHNOLOGY_SSL_PKI_VALIDATION This event is related to Ssl Pki Validation.
TECHNOLOGY_JETBRAINS_TEAMCITY This event is related to TeamCity, a popular Continuous Integration and Continuous Deployment (CI/CD) server from JetBrains.
TECHNOLOGY_TECHVIEW_LA5570_WIRELESS_GATEWAY This event is related to Techview La5570 Wireless Gateway.
TECHNOLOGY_THINKPHP This event is related to Thinkphp.
TECHNOLOGY_THINVNC This event is related to Thinvnc.
TECHNOLOGY_UPNP This event is related to Upnp.
TECHNOLOGY_VMWARE_ARIA_OPERATIONS This event is related to VMware Aria Operations.
TECHNOLOGY_VMWARE_ESXI This event is related to VMware ESXi.
TECHNOLOGY_VMWARE_HORIZON This event is related to Vmware Horizon.
TECHNOLOGY_VMWARE_NSX_MANAGER This event is related to Vmware Nsx Manager.
TECHNOLOGY_VMWARE_SPRING_CLOUD_GATEWAY This event is related to Vmware Spring Cloud Gateway.
TECHNOLOGY_VMWARE_VREALIZE_LOG_INSIGHT This event is related to Vmware Vrealize Log Insight.
TECHNOLOGY_VMWARE_VREALIZE_NETWORK_INSIGHT This event is related to VMware vRealize Network Insight.
TECHNOLOGY_WEBADMIN This event is related to Webadmin.
TECHNOLOGY_WEBUPLOADER This event is related to Webuploader.
TECHNOLOGY_WORDPRESS This event is related to Wordpress.
TECHNOLOGY_XCHAIN This event is related to Xchain.
TECHNOLOGY_XSTREAM This event is related to Xstream.
TECHNOLOGY_ZENTAO This event is related to Zentao.
TECHNOLOGY_ZK_SPRINGBOOT This event is related to Zk Springboot.
TECHNOLOGY_ZOHO_MANAGE_ENGINE_ADMANAGER_PLUS This event is related to Zoho ManageEngine ADManager Plus.
TFTP_SCANNER Scanner for TFTP servers
THINK_PHP Exploitation of ThinkPHP vulnerability
THINKCMF_SCANNER ThinkCMF RCE
TOFSEE Backdoor.Tofsee is capable of making changes to the settings on affected systems and stealing information from them. Once executed, it is capable of tracking users' online activities, opening affected systems for infiltration to steal personal information and credentials, and changing browser and DNS settings
TOR Tor node
TOR_SCANNER Scanning for the Tor Protocol
TORRENTLOCKER TorrentLocker is a ransomware trojan targeting Microsoft Windows. TorrentLocker scans the system for programs and files, and conceals the contents through AES encryption leaving ransom instructions to the victim on what has to be done, and how to pay the decryption ransom
TREND_MICRO_OFFICESCAN_SCANNER Trendmicro endpoint protection
TRICKBOT Trickbot Malware
TROJAN A trojan horse or trojan is a type of malware that is often disguised as legitimate software
TROLDESH Ransom.Troldesh is a Trojan horse that encrypts files on the compromised computer and asks the user to pay in order to decrypt them. It may also download potentially malicious files
UBIQUITI_SCANNER Scanning for Ubiquiti devices
UNIFI_SCANNER Scanning for Ubiquiti devices - UNIFI family
UNIVERSITY_BERKELEY https://www.berkeley.edu/ The University of California, Berkeley is a public research university in Berkeley, California
UNIVERSITY_BROWN https://www.brown.edu/ Brown University is a private Ivy League research university in Providence, Rhode Island
UNIVERSITY_MICHIGAN https://umich.edu/ The University of Michigan, often simply referred to as Michigan, is a public research university in Ann Arbor, Michigan
UPNP_SCANNER Scanner for UPNP protocol
VBULLETIN_SCANNER Scanner for vBulletin software
VMWARE_HORIZON Scanning for VMWare Horizon panel
VMWARE_IDENTITY_MANAGER This event is related to VMware Identity manager.
VMWARE_SITE_RECOVERY_MANAGER VMWare Site Recovery Manager landing page
VMWARE_SPRING_CLOUD_GATEWAY_INJECTION VMware Spring Cloud Gateway allows arbitrary remote code execution when the Gateway Actuator endpoint is enabled, exposed and unsecured
VMWARE_VREALIZE_AUTOMATION This event is related to VMware vRealize Automation.
VMWARE_VREALIZE_LOG_INSIGHT VMware vRealize Log Insight
VMWARE_VREALIZE_OPERATIONS_MANAGER VMware vRealize Operations Manager
VMWARE_WORKSPACE_ONE VMware Workspace ONE authentication endpoint: /catalog-portal/ui/oauth/verify
VMWARE_WORKSPACE_ONE_UEM_AIRWATCH Scanning for VMWare Workspace ONE Unified Endpoint Management (UEM) AirWatch Panel
VNC_SCANNER Scanner for the VNC Protocol
VOIP_SCANNER Scanning for the Voice Over IP protocol.
VTIGERCRM_SCANNER Scanner for the Vtiger CRM
VULN_CCTV_DVR_RCE This indicates an attack attempt to exploit a Remote Code Execution vulnerability in Multiple CCTV DVR products. The vulnerability is due to insufficient sanitization of user supplied inputs in the application. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application, via a crafted request. https://www.fortiguard.com/encyclopedia/ips/43360
VXWORKS_DOS VxWorks vulnerability that can cause a Denial of Service
VXWORKS_SCANNER Scanning for VxWorks systems
WATCHGUARD_EXPLOIT A WatchGuard Firebox and XTM vulnerability classified as critical.
WEBLOGIC_SCANNER Weblogic Scanner - Java Deserialization
WEBMIN Scanning for Webmin
WMSREQUEST_SCANNER Web Map Service request
WORDPRESS_SCANNER Scanning for Wordpress
WSDISCOVERY_SCANNER Scanning for Web Services Dynamic Discovery protocol
WWWOFFLE_SCANNER WWWOFFLE is a proxy server and web caching software
X11_SCANNER Scanning for the X11 protocol
XMLRPC_JAVA_DESERIALIZATION_EXPLOIT Exploitation of XMLRPC Java Deserialization, nonspecific service or application
YANDEXBOT https://yandex.com/
ZEND_JAVA_BRIDGE_SCANNER Zend Java Bridge Scanner
ZENNOLAB_SCANNER Scanning for Zennolab tools
ZGRAB_SCANNER Scanner using zgrab software - https://github.com/zmap/zgrab2
ZIMBRA_COLLABORATION Zimbra Collaboration aka ZCS
ZMAP_SCANNER Scanner using zmap software - https://github.com/zmap/zmap
ZMEU_SCANNER Scanner using ZmEu vulnerability scanner
ZTE_F460_SCANNER Scanning for ZTE F460 Routers
ZTE_F660_SCANNER Scanning for ZTE F660 Routers
ZYXEL_CGI ZyXEL Common Gateway Interface