This repository has been archived by the owner on May 23, 2019. It is now read-only.

Tag Definitions

Nibor62 edited this page Apr 12, 2017 · 4 revisions

Botnet

The botnet assessment depicts:

  • typically a host used to control another host or malicious process
  • matching traffic would usually indicate infection
  • typically used to identify compromised hosts

Exploit / Malware

The malware assessment depicts:

  • typically a host used to exploit and/or drop malware to a host for the first time
  • typically NOT a botnet controller (although they could overlap)
  • communications with these indicators may lead to a compromise and then to a possible botnet controller communication (if the infection was successful).
  • typically used in preemptive blocking, alerts may not indicate infection was successful

Typical examples might include items from:

Phishing

The phishing assessment depicts:

  • a luring attempt at a victim to exfiltrate some sort of credential
  • a targeted attempt at getting someone to unintentionally cause infection (spear phishing)

Typical examples might include items from:

Fastflux

The fastflux assessment depicts:

  • typically describing a botnet profile where fastflux activity is taking place

Scanner

The scanner assessment depicts:

  • typically infrastructure being used to scan or brute-force (ssh, rdp, telnet, etc...)

Typical examples might include observations from:

Spam

The spam assessment depicts:

  • typically infrastructure being used to facilitate the sending of spam

Searches

The search assessment depicts:

  • identifies that someone searched for something of possible significance

Suspicious

The suspicious assessment depicts:

  • Unknown assessment
  • used as the "last default" assessment, combined with "description" for more accurate assessment (eg: assessment- suspicious, description- 'hijacked prefix', or assessment- suspicious, description- 'nameserver').

Whitelist

The Whitelist assessment depicts:

  • denotes that specific entity (usually an address) should be considered harmless in nature
  • denotes that blocking an entity would result in mass collateral damage (eg: yahoo virtually hosted services)
  • confidence should be applied to each entry to help calculate risk associated with whitelist
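
The following is an added example, not code from this wiki or from the project it documents. It shows how a consumer of a feed might validate records against the tag definitions above and map a feed match to a defender action: botnet/fastflux hits are treated as a possible infection of the observing host, malware/phishing/scanner/spam hits as preemptive blocks that do not by themselves prove infection, suspicious entries require a description, and whitelist confidence can override a block. The record layout (an `Indicator` with `indicator`, `assessment`, `description`, `confidence`), the lowercase tag names, the 0-100 confidence scale and the whitelist threshold are all assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Tags defined on this page; the lowercase spelling is an assumption of this example.
ASSESSMENTS = frozenset({
    "botnet", "malware", "phishing", "fastflux",
    "scanner", "spam", "search", "suspicious", "whitelist",
})

# Per the definitions: matching botnet (or fastflux, a botnet profile) traffic
# usually means the host that produced the traffic is already compromised.
INFECTION_INDICATORS = frozenset({"botnet", "fastflux"})
# Malware / phishing / scanner / spam infrastructure is used for preemptive
# blocking; a hit does not by itself show that an infection succeeded.
PREEMPTIVE_INDICATORS = frozenset({"malware", "phishing", "scanner", "spam"})


@dataclass
class Indicator:
    indicator: str          # address or domain; sample values below are constructed
    assessment: str
    description: str = ""
    confidence: int = 0     # assumption: 0-100 analyst confidence


def validate(rec: Indicator) -> list[str]:
    """Return the list of rule violations; an empty list means the record is well formed."""
    problems: list[str] = []
    if rec.assessment not in ASSESSMENTS:
        problems.append(f"unknown assessment {rec.assessment!r}")
    # 'suspicious' is the last-default tag and is only useful with a description
    if rec.assessment == "suspicious" and not rec.description.strip():
        problems.append("suspicious entries need a description (eg 'hijacked prefix')")
    # whitelist entries need a confidence so that downstream risk can be calculated
    if rec.assessment == "whitelist" and rec.confidence <= 0:
        problems.append("whitelist entries need a confidence value")
    if not 0 <= rec.confidence <= 100:
        problems.append(f"confidence {rec.confidence} is outside 0-100")
    return problems


def triage(hit: Indicator, whitelist: dict[str, int], whitelist_threshold: int = 85) -> str:
    """Map a feed match to a defender action using the tag semantics.

    whitelist maps an entity to the confidence that it is harmless. Treating a
    whitelist entry as overriding a block once its confidence reaches
    whitelist_threshold is an assumption of this example.
    """
    if hit.assessment == "whitelist":
        return "ignore-whitelisted"
    wl_conf = whitelist.get(hit.indicator)
    if wl_conf is not None and wl_conf >= whitelist_threshold:
        return "ignore-whitelisted"
    if hit.assessment in INFECTION_INDICATORS:
        return "alert-possible-infection"   # investigate the internal host that matched
    if hit.assessment in PREEMPTIVE_INDICATORS:
        return "block-preemptive"           # block, but do not assume infection
    # 'search' and 'suspicious' carry their meaning in the description; hand to an analyst
    return "review"


if __name__ == "__main__":
    # Constructed sample feed and whitelist (documentation addresses, not real indicators)
    whitelist = {"198.51.100.20": 95}
    feed = [
        Indicator("203.0.113.5", "botnet", confidence=80),
        Indicator("198.51.100.20", "malware", confidence=70),
        Indicator("203.0.113.9", "suspicious", "hijacked prefix", 50),
        Indicator("203.0.113.10", "suspicious"),
    ]
    for rec in feed:
        print(rec.indicator, rec.assessment, validate(rec), triage(rec, whitelist))
```

Records that fail `validate` should be rejected before they reach `triage`; a bare `suspicious` entry with no description gives an analyst nothing to act on, which is exactly why the page pairs the tag with a description.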