Classification of Threat Intelligence follows the format “cateogry:name”, where category is a broad type of classification encapsulating different elements.
27
27
A summary of the main classification category is provided below, and you can use the search bar in the table to filter the classification you are looking for.
28
28
29
-
## Hosts Malware
30
-
Hosts identified as hosting live payloads associated with known malware families.
31
-
## Botnet
32
-
Hosts associated with known botnets, based on the exploited CVE(s) and the payload they spread (e.g. Mirai).
33
-
## Profile
34
-
A type of classification that relates to the exposed services on the machine. Examples:
35
-
36
-
-`profile:insecure_services`: IP exposing dangerous services (e.g. Telnet, RDP, etc.)
37
-
-`profile:fake_rdns`: IP reverse DNS doesn't resolve to the IP address
38
-
39
-
## AI Crawler
40
-
41
-
AI Company using crawlers to index the data used to train Large Language Models. Such companies (OpenAPI, ByteDance, Anthropic ... ) are heavy consumers of the internet bandwidth and result in a large amount of traffic.
42
-
They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0).
43
-
## AI Search
44
-
AI Search engines that are used by users to search the internet. They are coming from an AI agent, and are not used directly to train the AI models compared to the AI crawlers category. But the results is the same in terms of traffic load, as they can be part of an automation workflow
45
-
IPs can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0).
46
-
47
-
## Device
48
-
The IP is associated with a device having known security weaknesses.
49
-
50
-
## Proxy
51
-
Hosts identified as proxies based on the services they expose and/or their behaviour. IPs be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/65a56839ec04bcd4f51670be)
52
-
## Cohorts [Experimental]
53
-
Cohorts are groups of machines seen attacking in a coordinated fashion. IPs belonging to the same cohort or cluster have been seen to exhibit a new behaviour in a synchronised manner, such as starting to exploit a known vulnerability at the same time.
54
-
You can explore the IPs of a cluster using the CTI search query and the `classifications.classifications.label` : [query example](https://app.crowdsec.net/cti?q=classifications.classifications.label%3A%22Attacker+Group%3A+Bold+Peachpuff+Euphonia%22&page=1).
55
-
The names of the clusters are auto-generated and do not imply any form of attribution.
56
-
They are used by CTI teams to perform further investigation.
29
+
## Summary
30
+
31
+
*`hosts_malware:*`: IP identified as hosting live payloads associated with known malware families.
32
+
*`botnet:*`: IP associated with known botnets, based on the exploited CVE(s) and the payload they spread (e.g. Mirai).
33
+
*`profile:*`: Describe the services publicly exposed by the machine (e.g. `profile:insecure_services`).
34
+
*`ai-crawler:*`: AI company using to index the data used to train Large Language Models. Such companies (OpenAPI, ByteDance, Anthropic ... ) are heavy consumers of the internet bandwidth and result in a large amount of traffic. They can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0).
35
+
*`ai-search:*`: AI search engine that is used by users to search the internet. They are coming from an AI agent, and are not used directly to train the AI models compared to the AI crawlers category. But the results is the same in terms of traffic load, as they can be part of an automation workflow. IPs can be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/67b3524151bbde7a12b60be0).
36
+
*`device:*`: The IP is associated with a device having known security weaknesses.
37
+
*`proxy:*`: Hosts identified as proxies based on the services they expose and/or their behaviour. IPs be directly consumed inside a specialized blocklist available [here](https://app.crowdsec.net/blocklists/65a56839ec04bcd4f51670be).
38
+
*`group:*`: Cohort of machines seen attacking in a coordinated fashion. IPs belonging to the same cohort or cluster have been seen to exhibit a new behaviour in a synchronised manner, such as starting to exploit a known vulnerability at the same time (experimental feature).
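Review bot: The new `group:*` bullet drops the statement from the removed Cohorts section that cluster names are auto-generated and do not imply any form of attribution, as well as the CTI query example on `classifications.classifications.label`. Keep at least the attribution sentence in the summary, because a reader who meets a label like the one in the removed query example could otherwise take it for a threat-actor name. The old heading said "Cohorts" while the new prefix is `group:*`, so a short note tying the two terms together would also help. In the `ai-crawler:*` bullet, "AI company using to index" has lost the word "crawlers", and "OpenAPI" in the company list looks like a typo for OpenAI that was carried over from the removed text. The `proxy:*` bullet still reads "IPs be directly consumed" (missing "can"). The `profile:*` bullet keeps `profile:insecure_services` but no longer mentions `profile:fake_rdns`; if that classification still exists, list it. While touching this file, the unchanged intro line above the hunk still spells "cateogry:name".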