Noise Response

Data Dictionary: Noise Response

This outlines the field types associated with the Noise IP Lookup and Multi-Lookup Endpoints and the Individual IP responses in the GNQL Endpoint.

Field Name

Field Type

Example

Description

actor

string

unknown

The confirmed owner/operator of this IP address.

bot

boolean

false

Data Enrichment - IP is associated with known bot activity.

classification

string

unknown

IP Classification - possible options: benign, unknown, malicious

cve

string list

[
"CVE-2021-38645",
"CVE-2021-38647"
]

List of CVEs the IP has been observed scanning for or exploiting

first_seen

date

2021-11-23

Date of first observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD)

ip

string

1.2.3.4

IP address that information is about

last_seen

date

2021-12-31

Date of last observed behavior on the GreyNoise Sensor network (format: YYYY-MM-DD)

metadata

object

{
"asn": "AS37963",
"category": "hosting",
"city": "Hangzhou",
"country": "China",
"country_code": "CN",
"organization": "Hangzhou Alibaba Advertising Co.,Ltd.",
"os": "Linux 3.11+",
"rdns": "",
"region": "Zhejiang",
"tor": false
}

Data Enrichment - Additional IP metadata

metadata.asn

string

AS37963

Data Enrichment - IPs attached ASN

metadata.category

string

hosting

Data Enrichment - IPs attached category

metadata.city

string

Miami

Data Enrichment - IPs attached city

metadata.country

string

United States

Data Enrichment - IPs attached country

metadata.country_code

string

US

Data Enrichment - IPs attached county code

metadata.organization

string

FranTech Solutions

Data Enrichment - IPs attached organization

metadata.os

string

Linux 2.2-3.x

Data Enrichment - IPs attached operating system

metadata.rdns

string

miamitor4.us

Data Enrichment - rDNS lookup for IP

metadata.region

string

Florida

Data Enrichment - IPs attached region

metadata.tor

boolean

true

Data Enrichment - IP is a known tor exit node

raw_data

object

{
"hassh": [
{
"fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c",
"port": 22
}
],
"ja3": [
{
"fingerprint": "19e29534fd49dd27d09234e639c4057e",
"port": 8443
}
],
"scan": [
{
"port": 22,
"protocol": "TCP"
}
],
"web": {
"paths": [
"/favicon.ico"
],
"useragents": [
"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
]
}
}

Observed Activity captured by the GreyNoise sensor network

raw_data.hassh

object list

[
{
"fingerprint": "a7a87fbe86774c2e40cc4a7ea2ab1b3c",
"port": 22
}
]

Observed HAASH activity

raw_data.hassh.fingerprint

string

a7a87fbe86774c2e40cc4a7ea2ab1b3c

HASSH Fingerprint captured

raw_data.hassh.port

string

22

Port observed activity occurred on

raw_data.ja3

object list

[
{
"fingerprint": "19e29534fd49dd27d09234e639c4057e",
"port": 8443
}
]

Observed JA3 activity

raw_data.ja3.fingerprint

string

19e29534fd49dd27d09234e639c4057e

JA3 Fingerprint captured

raw_data.ja3.port

int

8443

Port observed activity occurred on

raw_data.scan

object list

[
{
"port": 22,
"protocol": "TCP"
}
]

raw_data.scan.port

int

22

Port observed activity occurred on

raw_data.scan.protocol

string

TCP

Protocol observed activity occurred on

raw_data.web

object

{
"paths": [
"/favicon.ico"
],
"useragents": [
"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
]
}

Observed scanning activity occurred with these web objects

raw_data.web.paths

string list

[
"/favicon.ico"
]

Observed scanning activity traversed this web path

raw_data.web.useragents

string list

[
"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
]

Observed scanning activity used these user agents

seen

boolean

true

This IP was observed scanning the GreyNoise sensor network. May also be referenced as "noise" but serves the same purpose.

spoofable

boolean

false

Did this IP complete a three-way handshake with the GreyNoise sensor network? If false, indicates that traffic may be spoofed.

tags

string list

[
"Carries HTTP Referer",
"Cobalt Strike SSH Client",
"Follows HTTP Redirects"
]

List of GreyNoise tags associated with the observed scanning behavior performed by this IP

vpn

boolean

false

Data Enrichment - IP is a known VPN service IP

vpn_service

string

PIA_VPN

If IP is a known VPN, the name of the associated VPN Service


Did this page help you?