100PROCENT_IT_KOMMUNIKATION | https://www.100procent.com/
AFP_SCANNER | AFP - Apple Filing Protocol Scanner
AFS_SCANNER | AFSVersionRequest Scanner
ANDROMOUSE_SCANNER | AndroMouse Scanner - Android Wireless Mouse And Keyboard
AMPEREINNOTECH | Internet wide scanner https://ampereinnotech.com/
AMPLIFICATION | Association with amplification attacks
AMQP_SCANNER | Scanning for Advanced Message Queuing Protocol (AMQP) technology such as RabbitMQ
ASTERISK_SCANNER | Scanning for Asterisk/VoIP technology
ADWARE | Malware delivered via advertisement
ADWIND | Adwind RAT, a cross-platform, multifunctional malware program also known as AlienSpy, Frutas, Unrecom, Sockrat, JSocket and jRat
APACHE_JSERV_SCANNER | The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server
APPLERD_SCANNER | Apple Remote Desktop Scanner
ARUCER_BACKDOOR_SCANNER | Malware
BACKDOOR | Scanning for a known backdoor
BAIDUSPIDER | http://www.baidu.com/
BENIGN | Known and confirmed actor or actions that have been classified by us as non-malicious
BGP_SCANNER | Scanning for BGP protocol
BINARYEDGE | Internet wide scanner https://www.binaryedge.io/
BINGBOT | https://www.bing.com/
BITSIGHT | Internet wide scanner https://www.bitsight.com/
BITTORRENT_SCANNER | Scanning for BitTorrent protocol
BOTNET | Known botnet traffic
BLUEKEEP_SCANNER | Vulnerability affecting RDP protocol (CVE-2019-0708)
BLUEKEEP_RDPSCAN | https://github.com/robertdavidgraham/rdpscan
BLUEKEEP_ZEROSUM | https://github.com/zerosum0x0/CVE-2019-0708
BUSYBOX_SCANNER | Scanning for BusyBox
CASSANDRA_SCANNER | Scanning for Apache Cassandra
CENSYS | Internet wide scanner https://censys.io/
CISCO_LINKSYS_SCANNER | Scanning for vulnerabilities associated with Cisco or Linksys
CISCO_SMART_INSTALL | Scanning for Cisco Smart Install
CITRIX_SCANNER | Scanner looking for Citrix instances
COAP_SCANNER | CoAP GET .well-known/core Scanner
COCCOC | Cốc Cốc browser is a freeware web browser focused on the Vietnamese market, developed by Vietnamese company Cốc Cốc and based on Chromium open source code
CODESYS_SCANNER | Scanning for Codesys protocol, typically used in SCADA environments
CORBA_SCANNER | The Common Object Request Broker Architecture is a standard defined by the Object Management Group designed to facilitate the communication of systems that are deployed on diverse platforms
CRIMINALIP | Internet wide scanner http://security.criminalip.com/
CROSSMATCH_SERVER | Crossmatch Biometric server
CRYPTOCURRENCY_SCANNER | Scanning for cryptocurrency API or exposed nodes
CVE-2012-0152 | The Remote Desktop Protocol service in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service via a series of crafted packets
CVE-2012-0432 | Stack-based buffer overflow in the Novell NCP implementation in NetIQ eDirectory 8.8.7.x before 8.8.7.2
CVE-2015-4852 | The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic
CVE-2015-7808 | The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments
CVE-2015-8562 | Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header
CVE-2017-5638 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string
CVE-2017-12615 | Apache Tomcat 7.0.0 to 7.0.79 has a remote code execution vulnerability
CVE-2017-17215 | Huawei HG532 with some customized versions has a remote code execution vulnerability
CVE-2018-13379 | Some versions of Fortinet FortiOS under SSL VPN web portal allow an unauthenticated attacker to download system files via HTTP resource requests
CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability
CVE-2019-11510 | File reading vulnerability in Pulse Secure Pulse Connect Secure
CVE-2019-15107 | Command injection vulnerability in Webmin through 1.920
CVE-2019-19781 | An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal
CVE-2021-22941-EXPLOIT | Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.
CVE-2021-22941-RECON | Improper Access Control in Citrix ShareFile storage zones controller before 5.11.20 may allow an unauthenticated attacker to remotely compromise the storage zones controller.
CVE-2022-26318 | On WatchGuard Firebox and XTM appliances, an unauthenticated user can execute arbitrary code, aka FBX-22786. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2.
CVE-2022-22963 | Remote code execution in Spring Cloud Function via a malicious Spring Expression.
CYBERGREEN | The CyberGreen Institute is a global non-profit and collaborative organization conducting activities focused on helping to improve the health of the global Cyber Ecosystem
CYMRU | http://www.team-cymru.com
DAHUA_DVR_SCANNER | Scanning for Dahua DVR devices
DAHUA_NVR_SCANNER | Scanning for Dahua NVR devices
DRDA_SCANNER | DRDA Protocol Scanner
DFIND_SCANNER | Scanner using ZmEu vulnerability scanner
DICT_SCANNER | Dictionary Network Protocol
DIGI_DISCOVERY_SCANNER | Scanning for Digi Device Discovery
DLINK_SCANNER | Scanning for D-Link vulnerabilities
DNS_SCANNER | The Domain Name System is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or a private network
DNS_SD_SCANNER | Scanning for DNS Service Discovery
DOMAINTOOLS | https://www.domaintools.com/
DRIDEX | Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials
DRUPAL_SCANNER | Scanning for Drupal framework vulnerabilities
DTLS_SCANNER | Valid DTLS Connections
DUCKDUCKBOT | https://duckduckgo.com/
DVR_SCANNER | Scanning for DVR devices
ECSHOP_SCANNER | Scanning for ECShop
EPMD_SCANNER | Erlang Port Mapper Daemon Scanner
ELASTICSEARCH_SCANNER | Scanning for exposed Elasticsearch databases
EMAIL_SCANNER | Scanning for known email protocols
EMOTET | The Emotet banking Trojan was first identified by security researchers in 2014
ENTTEC_DMX | Scanning for ENTTEC DMX devices
EOS_NODE_SCANNER | Scanning for EOS Blockchain nodes
ETHEREUM_NODE_SCANNER | Scanning for Ethereum Blockchain nodes
EXABOT | Exabot is a web scraper for Exalead https://www.exalead.com
EXPLOITATION | Validated exploitation of known vulnerability
EXPOSURE_MONITORING | https://www.exposuremonitoring.in/
FACEBOOKEXTERNALHIT | https://www.facebook.com/ crawler
FINDMALWARE | http://research.findmalware.org/
FINGER_SCANNER | Scanner for the finger protocol
FIREBIRD_SCANNER | Firebird is an open-source SQL relational database management system
FOX_SCANNER | Scanner for Tridium Fox SCADA protocol
FTP_SCANNER | Scanner for FTP servers
GAME_SERVER_STATUS_SCANNER | Looking for the status of Freelancer game servers
GENERICLINES | Plain newline scanner, typically an initial probe
GIT_SCANNER | Scanner for open git repositories
GOODOR | Scanner for the Goodor backdoor
GOOGLE | www.google.com hosted content
GOOGLEBOT | https://www.google.com/ crawler
GOOTKIT | Trojan.GootKit is a Trojan horse that steals confidential information and also opens a back door and downloads additional files on to the compromised computer
GOZI | GOZI is spyware that monitors network traffic. It also gets login credentials stored in browsers and mail applications
GPON_ONT_SCANNER | Scanner for GPON Network terminals
GKRELLM_SCANNER | GKrellM System Monitor Scanner
HADOOP_HDFS_SCANNER | Scanning for Hadoop HDFS
HADOOP_YARN_SCANNER | Scanning for Hadoop YARN
HAMLIB_SCANNER | Hamlib rotctld Scanner
HISILICON_DVR | Scanning for a remote code execution vulnerability on HiSilicon DVR devices
HNAP_SCANNER | Scanning for HNAP routers
HTTP_CRAWLER | HTTP Crawler
HTTP_REFLECTION | Source of event tried to make one of our sensors access something from a third party, potential DDoS
HTTP_SCANNER | Scanning for HTTP Services
HUAWEI_HG532_SCANNER | Scanning for vulnerabilities associated with the Huawei HG532 Router
IBM_DB2_SCANNER | Scanning for IBM DB2 databases
IBM_TN3270 | Scanning for IBM TN3270 terminals
IBM_NJE_SCANNER | IBM Network Job Entry Scanner
IBM_MQ_SCANNER | IBM MQ Scanner
ICMP_ECHO_REQUEST | Ping event
IKE_SCANNER | Internet Key Exchange protocol scanner
INFORMIX_SCANNER | IBM Informix is a product family within IBM's Information Management division that is centered on several relational database management system offerings.
INTERNET_CENSUS | Internet wide scanner actor seemingly associated with Bitsight
INTERNET_TTL | http://www.internettl.org/
INTRINSEC | https://intrinsecsecurity.com/
IPFIRE_EXPLOIT | Scanning for IPFire router software exploits
IPIP | https://en.ipip.net/
IPMI_SCANNER | Scanning for devices using IPMI
IRC_SCANNER | Scanning for IRC servers
IS_ARCHIVER | The Internet Archive https://archive.org/
JABBER_SCANNER | Scanning for the Jabber protocol
JANUARY | January Malware https://bitninja.io/blog/2018/12/28/goodbye-peppa-hello-january?PageSpeed=noscript
JAVA_SCANNER | Scanning for JRMI endpoints
JBIFROST | Also called Adwind, the Adwind Remote Access Trojan (RAT) is a popular Java-based backdoor capable of infecting Windows, Linux, Mac OS and Android operating systems
JBOSS_MALWARE | Known malware targeting the JBoss framework
JDWP_SCANNER | Scanning for Java Debug Wire Protocol
JENKINS_SCANNER | Scanning for Jenkins
JOOMLA_SCANNER | Scanning for Joomla
JUNIPER_SCANNER | Scanning for exposed Juniper network devices
KERBEROS_SCANNER | Scanning for Kerberos protocol
KGUARD_SCANNER | Scanning for KGuard Cameras
KUDELSKI-NAGRA | Internet wide scanner https://www.nagra.com/
KUMOFS_SCANNER | Kumofs is a simple and fast distributed key-value store
LANDESK_SCANNER | Scanning for LANDESK software
LINUX_BACKDOOR_SCANNER | Scanning for Linux backdoors
LINUXSAMPLER_SCANNER | LinuxSampler Control Protocol Scanner
LDAP_SCANNER | Scanning for LDAP protocol
LPD_SCANNER | Line Printer Daemon protocol
LOSEC | Internet wide scanner lo-sec.online
MAIL_RU | Mail.Ru Group, ООО (commonly referred to as Mail.Ru) is a Russian Internet company
MALICIOUS | Known and confirmed malicious actions
MALIGN | Known and confirmed malicious actions
MALWARE | Known and confirmed malware
MARBLE_COIN_SCANNER | Scanning for Marble Coin
MASSCAN_SCANNER | Scanner using Masscan
MEMCACHED_SCANNER | Scanning for exposed memcached endpoints
METASPLOIT | Actor using Metasploit
MICROSOFT_SQL_SERVER | Scanning for exposed Microsoft SQL Server
MIKROTIK_ROUTEROS | Scanning for a remote shell vulnerability on MikroTik devices running certain versions of RouterOS
MINERPOOL | www.minerpool.net
MIRAI | Mirai-family botnet
MNUBOT | MnuBot is a banking trojan discovered by IBM X-Force researchers
MODBUS_SCANNER | Scanning for the SCADA protocol Modbus
MONGODB_SCANNER | Scanning for exposed MongoDB databases
MUMBLE_SCANNER | Mumble Voice Chat Server Scanner
MQTT_SCANNER | A lightweight messaging protocol for small sensors and mobile devices
NFS_SCANNER | NFS version 2 Scanner
NETCRAFT | Netcraft is an Internet services company based in Bath, Somerset, England. https://www.netcraft.com/
NETSYSTEMS | http://netsystemsresearch.com
NETMOTION_MOBILITY_SCANNER | NetMotion Mobility VPN Scanner
NEUTRINO | Neutrino malware
NMAP_SCANNER | Actor using the Nmap scanner
NOCTION_IRP | Scanning for Noction IRP BGP software
NOMACHINE_SCANNER | NoMachine Network Server Scanner
NOVELL_NCP_SCANNER | Scanning for Novell NetWare Core Protocol
NUUO_NVR_SCANNER | Scanning for NUUO CCTV Cameras
NTP_SCANNER | Scanning for NTP servers
NVMS9000_DVR_SCANNER | Scanning for NVMS-9000 Digital Video Recorder devices
ONYPHE | Internet wide scanner https://www.onyphe.io/
OPENPORTSTATS | Internet wide scanner http://openportstats.com/
OPENVPN_SCANNER | OpenVPN software scanner
ORACLE_TNS_SCANNER | Scanning for Oracle Databases exposing the TNS endpoint
ORACLE_WEBLOGIC | Scanning for Oracle WebLogic Servers
PC_ANYWHERE_SCANNER | pcAnywhere was a suite of computer programs by Symantec which allows a user of the pcAnywhere remote program on a computer to connect to a personal computer running the pcAnywhere host
PCWORX_SCANNER | Scanning for PCWorx protocol
PEPPA | Peppa malware
PERVASIVE_SQL_SCANNER | Pervasive PSQL is an ACID-compliant database management system (DBMS) developed by Pervasive Software
PLC_SCANNER | Scanning for Programmable Logic Controllers
PHP_FPM | Scanning for PHP FastCGI Process Manager panels
PHPMYADMIN | Scanning for phpMyAdmin panels
POSTGRESQL_SCANNER | Scanning for PostgreSQL servers
PRINTER_SCANNER | Scanning for exposed printers
PROBETHENET | Internet wide scanner http://probethenet.com/
PROCONOS_SCANNER | ProConOS SCADA protocol Scanner
PROJECT25499 | Internet wide scanner http://project25499.com/
PROXY_SCANNER | Scanning for open proxies
PUTTY_CLIENT | SSH Connections using the PuTTY Client
QUADMETRICS | https://quadmetrics.com/
QUAKE_SCANNER | Scanner for Quake 3 servers
QUEENS_COLLEGE_UNI_NY | https://www.qc.cuny.edu Queens College, City University of New York
QUIC_SCANNER | Scanning for QUIC protocol
QWANT | https://www.qwant.com/ Qwant, the European search engine that respects your privacy
RABBITMQ_SCANNER | Scanning for RabbitMQ Protocol
RADMIN_SCANNER | Scanning for Radmin software https://www.radmin.com
RADWARE_SCANNER | Scanning for Radware software https://www.radware.com/
RANSOMWARE | General ransomware tag, used when we can't classify the family
RAPID7 | Internet wide scanner https://www.rapid7.com/
RCONFIG_SCANNER | Scanning for rConfig network management tool
RDP_SCANNER | Scanning for Remote Desktop Protocol
RDS_SCANNER | Scanning for Microsoft Remote Desktop Services
REALTEK_MINIIGD_UPNP | Scanning for Realtek SDK miniigd UPnP command execution vulnerability
REDIS_SCANNER | Scanning for exposed Redis databases
RFB_SCANNER | Scanning for VNC Protocol
RIAK_PBC_SCANNER | Basho Riak PBC Scanner
RLOGIN_SCANNER | Scanning for rlogin protocol
ROUTER_SCANNER | Scanning for exposed routers
RPC_SCANNER | Most likely looking for Ethereum Nodes
RSYNC_SCANNER | Scanning for rsync servers
RTSP_SCANNER | Scanning for Real Time Streaming Protocol
RUBY | Actor using a Ruby-based tool
RWTH_AACHEN_UNIVERSITY | http://www.rwth-aachen.de RWTH Aachen University or Rheinisch-Westfälische Technische Hochschule Aachen is a research university located in Aachen, North Rhine-Westphalia, Germany
SAP_SCANNER | Scanning for SAP Servers
SCADA_SCANNER | Scanning for SCADA protocols
SERIALNUMBERD | Scanning for serialnumberd
SERVICES_HELP | Services Help Scanner
SEZNAM | https://www.seznam.cz/ crawler
SHADOWSERVER | https://www.shadowserver.org/wiki/ scanner
SHAREPOINT_EXPLOIT | Exploit for SharePoint
SHAREPOINT_SCANNER | Scanning for SharePoint
SHODAN | Internet wide scanner https://www.shodan.io/
SIP_SCANNER | Scanning for SIP/VoIP Servers
SLURP | Slurp bot for Yahoo
SMB_SCANNER | Scanner for SMB Protocol, often affiliated with exploitation of Microsoft Windows
SMTP_SCANNER | Scanner for SMTP protocol
SNMP_SCANNER | Scanner for SNMP protocol
SOAP_SCANNER | Scanning for software based on SOAP requests
SOCKS_SCANNER | Scanning for SOCKS
SOGOU | https://www.sogou.com/
SQLPING_SCANNER | SQLPing Scanner
SQUEEZECENTER_SCANNER | SqueezeCenter is the media server component of Slim Devices' (now a Logitech company) media playing devices such as Squeezebox
SOLARWINDS_ORION_SCANNER | Scanner for SolarWinds Orion
SOURCE_ENGINE | Valve Source Engine - Games
SSH_SCANNER | Valid SSH connections
SSL_SCANNER | Valid SSL Connections
STANFORD_UNIVERSITY | https://www.stanford.edu/ Leland Stanford Junior University is a private research university in Stanford, California
STRATUM_SCANNER | Scanning for Stratum software
STRUTS_OGNL_SCANNER | Apache Struts Jakarta Multipart Parser OGNL Injection Scanner
STRETCHOID | http://stretchoid.com/ Stretchoid is a platform that helps identify an organization's online services
SYBASE_ASA_DISCOVER | Scanning for Sybase Anywhere servers on the LAN by sending broadcast discovery messages
TARANTOOL_SCANNER | Tarantool is an open-source NoSQL database management system and Lua application server
TALAIA | https://www.talaia.io/ A highly scalable, NetFlow/IPFIX based big-data platform that is designed for network operators making complex decisions
TCP_SYN | SYN packet received
TFTP_SCANNER | Scanner for TFTP servers
THINK_PHP | Exploitation of ThinkPHP vulnerability
THINKCMF_SCANNER | ThinkCMF RCE
TOFSEE | Backdoor.Tofsee is capable of making changes to the settings on affected systems and stealing information from them. Once executed, it is capable of tracking users' online activities, opening affected systems for infiltration to steal personal information and credentials, and changing browser and DNS settings
TOR | Tor node
TOR_SCANNER | Scanning for the Tor Protocol
TORRENTLOCKER | TorrentLocker is a ransomware trojan targeting Microsoft Windows. TorrentLocker scans the system for programs and files, and conceals the contents through AES encryption, leaving ransom instructions to the victim on what has to be done and how to pay the decryption ransom
TREND_MICRO_OFFICESCAN_SCANNER | Trend Micro endpoint protection
TRICKBOT | TrickBot Malware
TROJAN | A trojan horse or trojan is a type of malware that is often disguised as legitimate software
TROLDESH | Ransom.Troldesh is a Trojan horse that encrypts files on the compromised computer and asks the user to pay in order to decrypt them. It may also download potentially malicious files
TEAMSPEAK2_SCANNER | TeamSpeak 2 VoIP Communication Server
UNIFI_SCANNER | Scanning for Ubiquiti devices - UniFi family
UBIQUITI_SCANNER | Scanning for Ubiquiti devices
UNIVERSITY_BERKELEY | https://www.berkeley.edu/ The University of California, Berkeley is a public research university in Berkeley, California
UNIVERSITY_BROWN | https://www.brown.edu/ Brown University is a private Ivy League research university in Providence, Rhode Island
UNIVERSITY_MICHIGAN | https://umich.edu/ The University of Michigan, often simply referred to as Michigan, is a public research university in Ann Arbor, Michigan
UPNP_SCANNER | Scanner for UPnP protocol
VBULLETIN_SCANNER | Scanner for vBulletin software
VNC_SCANNER | Scanner for the VNC Protocol
VTIGERCRM_SCANNER | Scanner for Vtiger CRM
VXWORKS_SCANNER | Scanning for VxWorks systems
VXWORKS_DOS | VxWorks vulnerability that can cause a Denial of Service
WATCHGUARD_EXPLOIT | A WatchGuard Firebox and XTM vulnerability classified as critical.
WEBMIN | Scanning for Webmin
WEBLOGIC_SCANNER | WebLogic Scanner - Java Deserialization
WMSREQUEST_SCANNER | Web Map Service request
WWWOFFLE_SCANNER | WWWOFFLE is a proxy server and web caching software
WORDPRESS_SCANNER | Scanning for WordPress
WSDISCOVERY_SCANNER | Scanning for Web Services Dynamic Discovery protocol
X11_SCANNER | Scanning for the X11 protocol
YANDEXBOT | https://yandex.com/
ZENNOLAB_SCANNER | Scanning for ZennoLab tools
ZEND_JAVA_BRIDGE_SCANNER | Zend Java Bridge Scanner
ZGRAB_SCANNER | Scanner using zgrab software - https://github.com/zmap/zgrab2
ZMAP_SCANNER | Scanner using zmap software - https://github.com/zmap/zmap
ZMEU_SCANNER | Scanner using ZmEu vulnerability scanner
ZTE_F460_SCANNER | Scanning for ZTE F460 Routers
ZTE_F660_SCANNER | Scanning for ZTE F660 Routers