new: [crowdsec] New taxonomy for classifications and behaviors categorizing on IP addresses from crowdsec CTI reports

pull/265/head
Christian Studer 2023-05-26 13:10:18 +02:00
parent 6b77005beb
commit 30e8643cce
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 314 additions and 0 deletions

314
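--- /dev/null
+++ b/crowdsec/machinetag.json
@@ -0,0 +1,314 @@
+{
+"version": 1,
+"namespace": "crowdsec",
+"description": "Crowdsec IP address classifications and behaviors taxonomy.",
+"predicates": [
+{
+"value": "behavior",
+"expanded": "Behavior",
+"description": "Attack categories and behaviors associated with an IP address."
+},
+{
+"value": "false-positive",
+"expanded": "False positive",
+"description": "Defines whether an IP address is a known false positive."
+},
+{
+"value": "classification",
+"expanded": "Classification",
+"description": "Category associated to an IP address."
+}
+],
+"values": [
+{
+"predicate": "behavior",
+"entry": [
+{
+"value": "database-bruteforce",
+"expanded": "Database Bruteforce",
+"description": "IP has been reported for performing brute force on databases."
+},
+{
+"value": "ftp-bruteforce",
+"expanded": "FTP Bruteforce",
+"description": "IP has been reported for performing brute force on FTP services."
+},
+{
+"value": "generic-exploit",
+"expanded": "Exploitation attempt",
+"description": "IP has been reported trying to exploit known vulnerability/CVE on unspecified protocol."
+},
+{
+"value": "http-bruteforce",
+"expanded": "HTTP Bruteforce",
+"description": "IP has been reported for performing a HTTP brute force attack (either generic http probing or applicative related brute force)."
+},
+{
+"value": "http-crawl",
+"expanded": "HTTP Crawl",
+"description": "IP has been reported for performing aggressive crawling of web applications."
+},
+{
+"value": "http-exploit",
+"expanded": "HTTP Exploit",
+"description": "IP has been reported for attempting to exploit a vulnerability in a web application."
+},
+{
+"value": "http-scan",
+"expanded": "HTTP Scan",
+"description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery."
+},
+{
+"value": "http-spam",
+"expanded": "Web form spam",
+"description": "IP has been reported trying to perform spam via web forms/forums."
+},
+{
+"value": "iot-bruteforce",
+"expanded": "IOT Bruteforce",
+"description": "IP has been reported for performing brute force on IOT management interfaces."
+},
+{
+"value": "ldap-bruteforce",
+"expanded": "LDAP Bruteforce",
+"description": "IP has been reported for performing brute force on ldap services."
+},
+{
+"value": "pop3/imap-bruteforce",
+"expanded": "POP3/IMAP Bruteforce",
+"description": "IP has been reported for performing a POP3/IMAP brute force attack."
+},
+{
+"value": "sip-bruteforce",
+"expanded": "SIP Bruteforce",
+"description": "IP has been reported for performing a SIP (VOIP) brute force attack."
+},
+{
+"value": "smb-bruteforce",
+"expanded": "SMB Bruteforce",
+"description": "IP has been reported for performing brute force on samba services."
+},
+{
+"value": "smtp-spam",
+"expanded": "SMTP spam",
+"description": "IP has been reported trying to perform spam SMTP service."
+},
+{
+"value": "ssh-bruteforce",
+"expanded": "SSH Bruteforce",
+"description": "IP has been reported for performing brute force on ssh services."
+},
+{
+"value": "tcp-scan",
+"expanded": "TCP Scan",
+"description": "IP has been reported for performing TCP port scanning."
+},
+{
+"value": "telnet-bruteforce",
+"expanded": "TELNET Bruteforce",
+"description": "IP has been reported for performing brute force on telnet services."
+},
+{
+"value": "vm-management-bruteforce",
+"expanded": "VM Management Bruteforce",
+"description": "IP has been reported for performing brute force on virtual environement management applications."
+},
+{
+"value": "windows-bruteforce",
+"expanded": "SMB/RDP bruteforce",
+"description": "IP has been reported for performing brute force on Windows (samba, remote desktop) services."
+}
+]
+},
+{
+"predicate": "false-positive",
+"entry": [
+{
+"value": "cdn-cloudflare_exit_node",
+"expanded": "Cloudflare CDN",
+"description": "IP is a Cloudflare CDN exit IP and should not be flagged as a threat."
+},
+{
+"value": "cdn-exit_node",
+"expanded": "CDN exit node",
+"description": "IP is a CDN exit IP and should not be flagged as a threat."
+},
+{
+"value": "ip-private_range",
+"expanded": "Private IP address range",
+"description": "This IP address is in a private IP range"
+},
+{
+"value": "msp-scanner",
+"expanded": "Legitimate Scanner",
+"description": "IP belongs to a known 'legitimate' scanner (MSP) and should not be flagged as a threat."
+},
+{
+"value": "seo-crawler",
+"expanded": "SEO crawler",
+"description": "IP belongs to a known SEO crawler and should not be flagged as a threat."
+},
+{
+"value": "seo-duckduckbot",
+"expanded": "Duckduckbot SEO crawler",
+"description": "IP belongs to Duckduckbot SEO crawler and should not be flagged as a threat."
+},
+{
+"value": "seo-pinterest",
+"expanded": "Pinterest crawler",
+"description": "IP belongs to Pinterest crawler and should not be flagged as a threat."
+},
+{
+"value": "seo-crawler",
+"expanded": "SEO crawler",
+"description": "IP belongs to a known SEO crawler and should not be flagged as a threat."
+}
+]
+},
+{
+"predicate": "classification",
+"entry": [
+{
+"value": "community-blocklist",
+"expanded": "CrowdSec Community Blocklist",
+"description": "IP belong to the CrowdSec Community Blocklist"
+},
+{
+"value": "profile-insecure_services",
+"expanded": "Dangerous Services Exposed",
+"description": "IP exposes dangerous services (vnc, telnet, rdp), possibly due to a misconfiguration or because it's a honeypot."
+},
+{
+"value": "profile-many_services",
+"expanded": "Many Services Exposed",
+"description": "IP exposes many open port, possibly due to a misconfiguration or because it's a honeypot."
+},
+{
+"value": "proxy-tor",
+"expanded": "TOR exit node",
+"description": "IP is being flagged as a TOR exit node."
+},
+{
+"value": "proxy-vpn",
+"expanded": "VPN",
+"description": "IP exposes a VPN service or is being flagged as one."
+},
+{
+"value": "range-data_center",
+"expanded": "Data Center",
+"description": "IP is known to be hosted in a data center."
+},
+{
+"value": "scanner-alphastrike",
+"expanded": "Known Security Company",
+"description": "IP belongs to a company that scans internet : AlphaSrike."
+},
+{
+"value": "scanner-binaryedge",
+"expanded": "Known Security Company",
+"description": "IP belongs to a company that scans internet : binaryedge."
+},
+{
+"value": "scanner-censys",
+"expanded": "Known Security Company",
+"description": "IP belongs to a company that scans internet : Censys."
+},
+{
+"value": "scanner-cert.ssi.gouv.fr",
+"expanded": "Known CERT",
+"description": "IP belongs to an entity that scans internet : cert.ssi.gouv.fr."
+},
+{
+"value": "scanner-cisa.dhs.gov",
+"expanded": "Known CERT",
+"description": "IP belongs to an entity that scans internet : cisa.dhs.gov."
+},
+{
+"value": "scanner-internet-census",
+"expanded": "Known Security Company",
+"description": "IP belongs to a company that scans internet : internet-census."
+},
+{
+"value": "scanner-leakix",
+"expanded": "Known Security Company",
+"description": "IP belongs to a company that scans internet : leakix."
+},
+{
+"value": "scanner-legit",
+"expanded": "Legit scanner",
+"description": "IP belongs to a company that scans internet"
+},
+{
+"value": "scanner-shadowserver.org",
+"expanded": "Known Security Company",
+"description": "IP belongs to an entity that scans internet : www.shadowserver.org."
+},
+{
+"value": "scanner-shodan",
+"expanded": "Known Security Company",
+"description": "IP belongs to a company that scans internet : Shodan."
+},
+{
+"value": "scanner-stretchoid",
+"expanded": "Known Security Company",
+"description": "IP belongs to an entity that scans internet : stretchoid."
+},
+{
+"value": "profile-fake_rdns",
+"expanded": "Fake RDNS",
+"description": "IP is using a fake RDNS"
+},
+{
+"value": "profile-nxdomain",
+"expanded": "NXDOMAIN",
+"description": "RDNS doesn't exist"
+},
+{
+"value": "profile-router",
+"expanded": "Router",
+"description": "IP belongs to a router exping services on the internet"
+},
+{
+"value": "profile-proxy",
+"expanded": "Proxy",
+"description": "IP exposes services that are commonly used by proxies"
+},
+{
+"value": "profile-jupiter-vpn",
+"expanded": "JupiterVPN",
+"description": "IP belongs to a jupiter vpn"
+},
+{
+"value": "device-cyberoam",
+"expanded": "Cyberoam",
+"description": "IP belongs to a Cyberoam router"
+},
+{
+"value": "device-microtik",
+"expanded": "Mikrotik",
+"description": "IP belongs to a Mikrotik router"
+},
+{
+"value": "device-asuswrt",
+"expanded": "AsusWRT",
+"description": "IP belongs to a AsusWRT router"
+},
+{
+"value": "device-hikvision",
+"expanded": "Hikvision",
+"description": "IP belongs to a Hikvision camera"
+},
+{
+"value": "device-ipcam",
+"expanded": "IpCamera",
+"description": "IP belongs to a IP camera"
+},
+{
+"value": "profile-likely_botnet",
+"expanded": "Likely Botnet",
+"description": "IP is likely to belong to a botnet (based on behaviour and/or characteristics)"
+}
+]
+}
+]
+}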
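Review bot: The `false-positive` predicate defines `seo-crawler` twice — the fifth and the last object of that `entry` array are byte-identical — so two definitions map onto the single tag `crowdsec:false-positive="seo-crawler"`, and the duplicate-value check that MISP taxonomy files are presumably run through would reject the file; deleting the trailing copy (the object ending `"description": "IP belongs to a known SEO crawler and should not be flagged as a threat."` just before the array closes) resolves it. Several strings also carry typos that will be shown verbatim in the MISP tag picker: `AlphaSrike` (presumably `AlphaStrike`), `virtual environement management` → `virtual environment management`, `a router exping services` → `a router exposing services`, and the machine value `device-microtik` is spelled differently from its own expanded name `Mikrotik` — worth settling now, since a value is hard to rename once tags have been applied to events. Finally the descriptions are inconsistent about terminal periods and about `Crowdsec` versus `CrowdSec` casing; one form across the file would be cleaner.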