IP Reputation category values

As flows are ingested into the system, a reputation lookup is done on both the source IP and the destination IP, so each flow carries the reputation those IPs had at the time the flow happened.

Every flow record contains an array of categories for both the source and destination IP representing what is known about that IP, if anything. An empty array simply means no information was found about that particular IP; it does not mean the IP was "good".

IP Reputation Categories

| Category | Flow key (NQL: srciprep.categories == value) | Description |
|---|---|---|
| BotNets | botnets | Botnet command-and-control (C&C) channels and infected zombie machines controlled by a bot master. |
| Denial of Service | dos | DoS and DDoS sources, anomalous SYN floods and other anomalous traffic detections. |
| Mobile Threats | mobilethreats | IP addresses used by malicious mobile apps. |
| Phishing | phishing | IP addresses hosting phishing sites and other kinds of fraud activity, such as ad click fraud or gaming fraud. |
| Proxy | proxy | IP addresses providing proxy and anonymization services. |
| IP Reputation | reputation | IP addresses currently known to be infected with malware (deny access from these). |
| Scanners | scanners | All reconnaissance activity, such as probes, host scans, domain scans and password brute force. |
| Spam Sources | spamsources | Spam messages tunneled through proxies, anomalous SMTP activity and forum spam activity. |
| TOR Proxy | torproxy | TOR anonymizer IP addresses. |
| Web Attacks | webattacks | Cross-site scripting, iFrame injection, SQL injection, cross-domain injection and domain password brute force. |
| Windows Exploits | windowsexploits | Active IP addresses offering or distributing malware, shell code, rootkits, worms or viruses. |
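The following is an added example, not part of the original page or the product's own code, showing how a consumer of these flow records would evaluate a category clause and keep "no information" (empty array) separate from a flagged IP when summarizing. The flow records are constructed samples. The field name srciprep.categories comes from the page; dstiprep.categories is assumed to be the destination-side counterpart, and the "==" operator is assumed to match when the array contains the named category (both are assumptions, not documented behaviour).

```python
"""Added example: working with IP reputation category arrays on flow records.

Assumptions (not from the page): `dstiprep.categories` is the destination-side
field, and `key == value` matches when the category array contains `value`.
"""
from collections import Counter

# Category keys exactly as listed in the table above.
KNOWN_CATEGORIES = {
    "botnets", "dos", "mobilethreats", "phishing", "proxy", "reputation",
    "scanners", "spamsources", "torproxy", "webattacks", "windowsexploits",
}

# Constructed sample flows (not real data). An empty array means "no information".
SAMPLE_FLOWS = [
    {"srcip": "192.0.2.10", "dstip": "198.51.100.5",
     "srciprep": {"categories": []}, "dstiprep": {"categories": []}},
    {"srcip": "192.0.2.11", "dstip": "198.51.100.5",
     "srciprep": {"categories": ["scanners"]}, "dstiprep": {"categories": []}},
    {"srcip": "192.0.2.12", "dstip": "198.51.100.9",
     "srciprep": {"categories": ["botnets", "spamsources"]}, "dstiprep": {"categories": []}},
    {"srcip": "192.0.2.13", "dstip": "198.51.100.7",
     "srciprep": {"categories": []}, "dstiprep": {"categories": ["torproxy"]}},
]


def get_categories(flow, side):
    """Return the category array for side 'src' or 'dst', tolerating a missing block."""
    block = flow.get(f"{side}iprep") or {}
    return list(block.get("categories") or [])


def matches(flow, key, value):
    """Evaluate one NQL-style clause such as ('srciprep.categories', 'botnets').

    Membership semantics are an assumption: the clause is true when the
    array contains the value. Unknown category names are rejected so a
    typo in a query does not silently match nothing.
    """
    if value not in KNOWN_CATEGORIES:
        raise ValueError(f"unknown category: {value}")
    side = "src" if key.startswith("srciprep") else "dst"
    return value in get_categories(flow, side)


def reputation_state(flow, side):
    """'unknown' for an empty array (no data), 'flagged' when any category is present."""
    return "flagged" if get_categories(flow, side) else "unknown"


def summarize(flows):
    """Count flows per side and category, keeping 'unknown' as its own bucket.

    Treating an empty array as a distinct bucket prevents the common mistake
    of reporting IPs with no reputation data as if they were known-clean.
    """
    counts = Counter()
    for flow in flows:
        for side in ("src", "dst"):
            cats = get_categories(flow, side)
            if not cats:
                counts[f"{side}:unknown"] += 1
            for cat in cats:
                counts[f"{side}:{cat}"] += 1
    return counts


if __name__ == "__main__":
    hits = [f["srcip"] for f in SAMPLE_FLOWS if matches(f, "srciprep.categories", "botnets")]
    print("srciprep.categories == botnets ->", hits)
    print(dict(summarize(SAMPLE_FLOWS)))
```

Run it directly to see which constructed flows satisfy the botnets clause and the per-side category counts; the "unknown" buckets show how many flows had no reputation data on each side.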