A classification indicator is included in both the GreyNoise Visualizer and the GreyNoise Context API endpoint for each IP address in our collection. The following explains how IPs are classified by GreyNoise.

Classification Criteria

Benign

The benign classification for an IP address is applied using knowledge about the Actor associated with the IP. The Actor must meet the below criteria:

• Is a legitimate company, search engine, security research organization, university or individual
• GreyNoise has determined that the actor is not malicious in nature
• The source IP's page includes some kind of opt-out functionality

📘

Benign actors and malicious tags

The benign classification takes precedence over malicious tags. Certain benign actors perform checks that would be malicious (e.g. checking admin:admin credentials against SSH) if it was coming from an unknown source.

GreyNoise periodically audits actors and will revoke a benign classification if their intent crosses a line into questionable activity.

Some benign examples include:

• Search engine crawlers such as GoogleBot
• Universities such as University of California Berkeley
• Security researchers such as Alpha Strike Labs

Malicious

The malicious classification for an IP is determined by its associated tags, which capture behaviors GreyNoise has directly observed an IP address engage in. Some of our tags are classified as "malicious" for harmful behaviors seen. If an IP address is not classified as benign and has at least one malicious tag, it is classified as malicious.

Unknown

IPs not classified as Benign or Malicious under the above criteria are classified as Unknown. Both Benign and Malicious classifications are highly vetted, so any other IP seen engaging in internet scanning behavior is classified as Unknown.

📘

Contact Us

Do you have a question about the classification of an IP? Do you see an issue with our data, tagging, or process? Please let us know: [email protected]