Reputation Definitions
Reputation is an attribute of an IP address, host, domain, or URL.Stellar Cyber uses feeds from several threat intelligence providers (such as ET Pro, PhishTank, OpenPhish, abuse.ch, and others) as well as network traffic analysis to assign reputations. These reputations are visible in the Interflow as srcip_reputation and dstip_reputation, and in the event tables under the Source Reputation and Dest Reputation columns.
Following are the reputations in use, and their definitions.
| Reputation | Definition |
|---|---|
| Activex | ActiveX attacks and vulnerabilities. |
| Abused TLD | Rogue TLD and GTLD activity that might be of interest. Limited to registrars who cannot or will not police their domains, and TLDs that lack accountability or are free. For example, ICANN cannot claim .su back from the Soviet Union, as that country no longer exists. |
| Attack Response | Indicates the results of a successful attack. For example, LMHost file download, certain banners, Metasploit Meterpreter kill command detected. |
| Bitcoin | Bitcoin clients running in the Bitcoin P2P network. This can help identify the rogue use of computing resources in Bitcoin mining operations. |
| Blackhole | A known black hole, this category often overlaps with CnC. |
| Bot, Botcc | Clear indications of unwanted or criminal code on the host, or a host checking in to a command and control server. |
| Botcc Portgrouped | Same as Botcc, but grouped by destination port. |
| Brute Forcer | Authentication brute forcing, such as SSH, IMAP, and VNC. |
| Chat, ChatServer | Chat activity, such as IRC, Jabber, Google Talk, MSN, AIM, ICQ, Baidu, or GaduGadu. Correlate this with CnC to identify networks used for CnC. |
| CIArmy | IP rules for blocking from Collective Intelligence . |
| CnC | Domains and IPs that are command & control for known Trojans. This reputation is for criminal command & control; spyware and user tracking domains are classified in SpywareCnC. |
| Compromised | Known compromised hosts, updated daily. |
| Current Events | Currently active campaigns expected to be short-lived, such as fraud related to a current natural disaster. |
| DDoS Attacker | Source of DDoS traffic. |
| DDoSTarget | Target of DDoS traffic, or commands to launch attacks. |
| Decoder-events | Normalization events related to decoding. |
| DNS | DNS attacks and vulnerabilities, which can include DNS tunneling. |
| DOS | Inbound Denial of Service activity, as well as outbound indications. |
| DriveBySrc | Sites used by an exploit kit like Neosploit or Blackhole, where HTML injection is used to redirect a browser to sites that deliver an exploit by java or some other method. |
| Drop | From the Spamhaus Don't Route Or Peer list, updated daily. A site where stolen data or credentials are being pushed. Excludes droppers being served or other .exe movement. |
| Dshield | DShield top attackers, updated daily. |
| DynDNS | A dynamic DNS entry or request host, or a domain using DynDNS. |
| EXE_Source | Serving an executable file. Can indicate CnC. |
| Exploit | Exploits not covered by other, specific categories. |
| FakeAV | Fake anti-spyware and anti-virus sites. Often overlaps with CnC. |
| Files | Example rules for Suricata file handling and extraction. |
| FTP | DNS attacks and vulnerabilities. Also logs basic activity, such as logins. |
| Games | Popular online games, such as Starcraft and WoW. Not malicious, just not necessarily appropriate. |
| Good | Does not have a reputation. |
| HTTP-Events | Logging of HTTP events, typically not malicious. |
| ICMP | ICMP attacks and vulnerabilities. Typically not malicious. |
| ICMP_info | Logging of ICMP events, typically not malicious. |
| IMAP | IMAP identification, attacks, and vulnerabilities. Also logs basic activity. |
| Inappropriate | Pornography. Not malicious, but not appropriate. |
| IPCheck | IP address and geolocation checking services. These public services can be abused by malware or DynDNS. |
| Malware | Malware and spyware tracking with no obvious criminal intent. Not criminal, but certainly undesired. |
| Misc | Miscellaneous things not covered in other categories. |
| Mobile Malware | Mobile malware and spyware tracking with no obvious criminal intent. Not criminal, but certainly undesired. |
| Netbios | NetBIOS identification, attacks, and vulnerabilities. Also logs basic activity. |
| OnlineGaming | Gaming sites that install a client to report or track user activity. Not necessarily criminal, but possibly of interest. This is different from outright spyware. |
| P2P | Clients and sources of file sharing, including Bittorrent, Gnutella, Kazaa, LimeWire, and Qvod. Not malicious, just not necessarily appropriate. |
| P2PCnC | P2P used as a CnC mechanism. Separated from P2P used for file sharing. |
| Parking | A parked domain or domain parking server. |
| Policy | Applications often disallowed by company or organization policy, such as DropBox, Google Apps, eBay, Facebook. |
| POP3 | POP3 identification, attacks, and vulnerabilities. Also logs basic activity. |
| Proxy | Proxy endpoint for protocols such as HTTP, STUN, and SOCKS. |
| Remote Access Service | Remote access services such as Kaseya, GoToMyPC, and Citrix. |
| RPC | RPC identification, attacks, and vulnerabilities. Also logs basic activity. |
| SCADA | SCADA attacks and vulnerabilities. Also logs basic activity. |
| SCADA_special | Snort Digital Bond based SCADA preprocessor. |
| SCAN, Scanner | Vulnerability scanning, open relay scanning, network and service reconnaissance, or other scanning activity. |
| SelfSignedSSL | Self-signed or invalid SSL certificates, which can be suspicious. |
| Shellcode | Remote shell access to a machine on a local network. |
| SMTP | SMTP attacks and vulnerabilities. Also logs basic activity. |
| SMTP-events | SMTP operational logging. |
| SNMP | SNMP attacks and vulnerabilities. Also logs basic activity. |
| Spam | Blacklisted spam sources. |
| SpywareCnC | Servers and domains serving or tracking user activity. Not criminal, but could be of interest. Generally toolbars, rogue gaming, free screensavers, and such. |
| SQL | SQL attacks and vulnerabilities. Also logs basic activity. |
| Steam-events | TCP streaming events. |
| TELNET | Telnet attacks and vulnerabilities. Also logs basic activity. |
| TFTP | TFTP attacks and vulnerabilities. Also logs basic activity. |
| TLS-Events | TLS events and anomalies. |
| TOR, TorNode | Tor exit nodes and participants in the network. |
| Trojan | Clearly malicious software. Could be in transit, active, infecting, attacking, updating, or in any other state. |
| Undesirable | Hacking tool forums, metasploit updates, and such. Not criminal, but of interest. |
| User Agents | User agent identification and detection. |
| Utility | Known good services, such as Google search front ends, Bing, and others. |
| VOIP | VoIP attacks and vulnerabilities. |
| VPN | VPN concentrator. This is a potential anonymizing service. |
| Web Client | Web client attacks and vulnerabilities. |
| Web Server | Web server attacks and vulnerabilities. |
| Web Specific Apps | Specific web applications. |
| WORM | Indications of a worm in the network. |
