A classification indicator is included in both the GreyNoise Visualizer and the GreyNoise Context API endpoint for each IP address in our collection. The following explains how IPs are classified by GreyNoise.
The benign classification for an IP address is applied using knowledge about the Actor associated with the IP. The Actor must meet the below criteria:
- Is a legitimate company, search engine, security research organization, university or individual
- GreyNoise has determined that the actor is not malicious in nature
- The source IP's page includes some kind of opt-out functionality
Benign actors and malicious tags
The benign classification takes precedence over malicious tags. Certain benign actors perform checks that would be malicious (e.g. checking admin:admin credentials against SSH) if it was coming from an unknown source.
GreyNoise periodically audits actors and will revoke a benign classification if their intent crosses a line into questionable activity.
Some benign examples include:
- Search engine crawlers such as GoogleBot
- Universities such as University of California Berkeley
- Security researchers such as Alpha Strike Labs
The malicious classification for an IP is determined by its associated tags, which capture behaviors GreyNoise has directly observed an IP address engage in. Some of our tags are classified as "malicious" for harmful behaviors seen. If an IP address is not classified as benign and has at least one malicious tag, it is classified as malicious.
Malicious Tags on Benign Actors
A benign classification will supersede all associated malicious tags. IPs associated with a benign Actor will override all tag classifications, so it is possible to see a malicious Tag associated with a benign Actor or IP. So, even though a benign IP may be seen engaging in malicious behavior, the intent is benign since it's associated with a known benign Actor.
IPs not classified as Benign or Malicious under the above criteria are classified as Unknown. Both Benign and Malicious classifications are highly vetted, so any other IP seen engaging in internet scanning behavior is classified as Unknown.
Do you have a question about the classification of an IP? Do you see an issue with our data, tagging, or process? Please let us know: [email protected]
Updated about a month ago