A type follows the format: indicator_rule
Types are lowercase alpha characters, except for a single underscore splitting the indicator
and rule
.
An indicator
is a keyword or keyphrase to distinguish different scan intentions (see below examples).
The rule
MUST be either active
or passive
which describes the impact.
passive
scanning is anything with a very low impact potential, meaning it is very unlikely to cause any disruption, alerting or data loss. An example is a crawler running at 1 request per second performing HTTP GET requests to capture the content with no exploit attempts.
active
scanning is where there could be an impact to the targeted system, meaning it may cause disruption to legitimate users, it may trigger alerts and it may impact data integrity or confidentiality. An example is attempting to exploit a known vulnerability to assess whether a system is vulnerable. Another example is load testing where legitimate users may be prevented from accessing.
Including an example of what that might be.
vulnerability_active
- exploit attemptsvulnerability_passive
- version detection for out-of-date software or librariesconfiguration_passive
- assessing the configuration for alignment to a standardaccessibility_passive
- testing a webpage for accessibility issuesseo_passive
- testing a webpage for SEO (Search Engine Optimisation)banner_passive
- software identificationindexer_passive
- content indexing for text searchingcrawler_passive
- following links and indexing contentperformance_active
- slow-link testing or dropping connections to test the servers responseperformance_passive
- assessing the performance of a standard user’s experienceloadtesting_active
- stress testing or simulated denial-of-servicetesting_active
- general testing with a likely impacttesting_passive
- general testing that has a very low impact