The remote server has been identified as a Radius server.

The client is communicating with a Radius server via the Radius accounting protocol.

The client is communicating with a Radius server via the Radius authentication protocol.

The IANA Vendor has been detected via the Radius protocol.

The remote host is affected by a remote code execution vulnerability in Remote Desktop Protocol (RDP). An unauthenticated, remote attacker can exploit this, via a series of specially crafted requests, to execute arbitrary code.

FHIR has been detected via HTTP in XML format. FHIR is a standard describing data formats and elements and an application programming interface for exchanging healthcare information electronically. The standard was created by the Health Level Seven International (HL7) health-care standards organization.

FHIR has been detected via HTTP in JSON format. FHIR is a standard describing data formats and elements and an application programming interface for exchanging healthcare information electronically. The standard was created by the Health Level Seven International (HL7) health-care standards organization.

One of the remote hosts is a SolarWinds Network Performance Monitor. It has been observed sending an ICMP Echo Request.

The remote host is running the Trend Micro OfficeScan agent and certain version information has been obtained from requests made to the Trend Micro OfficeScan server.

The remote host is running the NETBIOS protocol, and an operating system has been identified.

The remote server is running a NTP (protocol version 4) server service (Stratum 1) which is used to synchronize time amongst multiple machines.

The remote server is running a NTP (protocol version 4) server service (Stratum 2) which is used to synchronize time amongst multiple machines.

The remote host is a DNS client which was observed sending a Tunneled DNS request to a DNS server.

The remote host is using the Session Initiation Protocol (SIP) which is a communication protocol for video and voice calls over the Internet.

The remote host is running an ExtremeXOS device on the network. ExtremeXOS is an operating system used in newer Extreme Networks network switches. It is an Extreme Networks second generation operating system after the VxWorks based ExtremeWare.

The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext.

The remote host is using a hardcoded, non-unique SSH host key. This may allow a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.

The remote host is using a hardcoded, non-unique X.509 certificate. This may allow a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.

The version of ntpd running on the remote host is vulnerable to a DoS attack if the 'monlist' command is enabled. The 'monlist' command returns a list of recent hosts that have connected to the service. However, it is affected by a denial of service vulnerability in ntp_request.c that allows an unauthenticated, remote attacker to saturate network traffic to a specific IP address by using forged REQ_MON_GETLIST or REQ_MON_GETLIST_1 requests. Furthermore, an attacker can exploit this issue to conduct reconnaissance or distributed denial of service (DDoS) attacks.

The remote host is an Avanti Kiosk which may be affected by the Poseidon Malware kit. This malware could allow an attacker to steal both credit card info as well as biometric information.

The remote host is an Avanti Kiosk. These kiosks act as a Point of Sale (POS) system which allow customers to pay for drinks, snacks and other items with a credit card, fingerprint scan or cash.

One or more requests to potential Petya ransomware related malware hosts have been detected. Petya differs from typical ransomware as it does not just encrypt files, it also overwrites and encrypts the master boot record (MBR), demanding payment via cryptocurrency. Petya propagates itself similar to "WannaCry" by exploiting the MS17-010 vulnerability, also known as EternalBlue which was part of the ShadowBrokers dump.

Foscam C1 IP Camera installs with hardcoded default FTP user credentials. The 'r' account has a password of 'r'. This allows a remote attacker to trivially access the FTP service on port 50021 and gain access to the mounted Micro-SD card.

Versions of Cisco a flaw that is triggered when handling Cluster Management Protocol-specific Telnet options while establishing a Telnet session on a device which accepts Telnet connections. This may allow a remote attacker to potentially execute arbitrary code or cause a DoS.

The remote host has just accepted an SMBv2 or higher connection.

The remote host supports Server Message Block Protocol version 1 (SMBv1). Microsoft recommends that users discontinue the use of SMBv1 due to the lack of security features that were included in later SMB versions. Additionally, the Shadow Brokers group has an exploit that affects SMB however, it is unknown if the exploit affects SMBv1 or another version. In response to this, US-CERT recommends that users disable SMBv1 per SMB best practices to mitigate these potential issues. Additionally, the ETERNALBLUE exploit uses SMBv1.

The host is using h.225.0, a common VoIP protocol, and IP address information was identified from this traffic. This may indicate a host behind NAT.

The remote system may be affected by ransomware that encrypts most or all of the files on a user's computer. Then, the software demands that a ransom be paid in order to have the files decrypted. This attack is related to the recent ShadowBrokers dump containing NSA weaponized software exploits.

Internet Printing Protocol (IPP) is an HTTP/S based printing protocol that supports various levels of authentication and enables secure printing within an organization. While responding to an IPP request, the remote host has exposed details about the printer and/or print server.

Internet Printing Protocol (IPP) is an HTTP/S based printing protocol that supports various levels of authentication and enables secure printing within an organization. The remote host was observed advertising an IPP print server to the network via multicast DNS.

Internet Printing Protocol (IPP) is an HTTP/S based printing protocol that supports various levels of authentication and enables secure printing within an organization. The remote host was observed making an IPP request to a remote print server.

Internet Printing Protocol (IPP) is an HTTP/S based printing protocol that supports various levels of authentication and enables secure printing within an organization. The remote host was observed responding to an IPP request from another host.

When sending an email, the display name of the remote user was observed. In most cases, this identifier corresponds with the sender's full name.

Versions of Intel Active Management Technology 11.5.x and 11.6.x prior to 11.6.27.3264 are affected by a flaw that is triggered as it insecurely performs read and write operations. This may allow a remote attacker to potentially execute arbitrary code depending on the Intel software installed, or a local attacker to gain privileges in other configurations.

Versions of Intel Active Management Technology 11.0.x prior to 11.0.25.3001 are affected by a flaw that is triggered as it insecurely performs read and write operations. This may allow a remote attacker to potentially execute arbitrary code depending on the Intel software installed, or a local attacker to gain privileges in other configurations.

Versions of Intel Active Management Technology 10.x prior to 10.0.55.3000 are affected by a flaw that is triggered as it insecurely performs read and write operations. This may allow a remote attacker to potentially execute arbitrary code depending on the Intel software installed, or a local attacker to gain privileges in other configurations.

Versions of Intel Active Management Technology 9.5.x prior to 9.5.61.3012 are affected by a flaw that is triggered as it insecurely performs read and write operations. This may allow a remote attacker to potentially execute arbitrary code depending on the Intel software installed, or a local attacker to gain privileges in other configurations.

Versions of Intel Active Management Technology 9.x prior to 9.1.41.3024 are affected by a flaw that is triggered as it insecurely performs read and write operations. This may allow a remote attacker to potentially execute arbitrary code depending on the Intel software installed, or a local attacker to gain privileges in other configurations.

Versions of Intel Active Management Technology 8.x prior to 8.1.71.3608 are affected by a flaw that is triggered as it insecurely performs read and write operations. This may allow a remote attacker to potentially execute arbitrary code depending on the Intel software installed, or a local attacker to gain privileges in other configurations.

Versions of Intel Active Management Technology 7.x prior to 7.1.91.3272 are affected by a flaw that is triggered as it insecurely performs read and write operations. This may allow a remote attacker to potentially execute arbitrary code depending on the Intel software installed, or a local attacker to gain privileges in other configurations.

Versions of Intel Active Management Technology 6.x prior to 6.2.61.3535 are affected by a flaw that is triggered as it insecurely performs read and write operations. This may allow a remote attacker to potentially execute arbitrary code depending on the Intel software installed, or a local attacker to gain privileges in other configurations.

The H.225 protocol is part of the H.323 family of telecommunication protocols.  NNM observed the host using the H.225 protocol for Registration, Admission and Status (RAS).

The H.225 protocol is part of the H.323 family of telecommunication protocols.  NNM observed the host using the H.225 protocol for Call Signaling (CS).

The host is using h.225.0, a common VoIP protocol, and manufacturer information was identified from this traffic.

The host is using h.225.0, a common VoIP protocol, and a username was identified from this traffic.

ID	Name	Severity
701143	Radius Accounting Protocol Detection	Info
701142	Radius Accounting Protocol Detection	Info
701141	Radius Authentication Protocol Detection	Info
701140	Radius Authentication Protocol Detection	Info
701138	Radius Accounting Protocol Detection	Info
701137	Radius Accounting Protocol Detection	Info
701136	Radius Authentication Protocol Detection	Info
701135	Radius Authentication Protocol Detection	Info
7293	IANA Vendor (Radius Accounting Request)	Info
7286	Windows RDP RCE (BlueKeep)	Critical
700663	FHIR (Fast Healthcare Interoperability Resources) over HTTP detection in XML format	Info
700662	FHIR (Fast Healthcare Interoperability Resources) over HTTP detection in JSON format.	Info
700475	SolarWinds Network Performance Monitor ICMP Detection	Info
7285	Trend Micro Client Version Information	Info
7284	Windows Browser Operating System Detection	Info
700232	NTP Server Protocol Version 4 Detection	Info
700231	NTP Server Protocol Version 4 Detection	Info
7283	DNS Client Tunneled Queries	Info
700199	SIP Server Detection	Info
700193	ExtremeXOS Device Version Detection via SNMP	Info
7282	SSL RC4 Cipher Suites Supported (Bar Mitzvah)	Low
7281	Hardcoded SSH Host Key Detection	Info
7280	Hardcoded SSL Certificate Detection	Info
700174	Network Time Protocol Daemon (ntpd) 'monlist' DoS	Medium
700158	Avanti Kiosk Poseidon Infection	High
700157	Avanti Kiosk Detection	Info
700152	Petya Ransomware Malicious Host Detection	Info
700147	Foscam C1 Hardcoded FTP Credentials (CVE-2016-8731)	Medium
700129	Cisco IOS Denilal of Service (DoS) attack attempt	Critical
700101	SMBv2+ Server Detection	Info
700100	SMBv1 Server Detection	Medium
7275	h.225.0 IP Address Detection	Info
700099	Ransomware Traffic Detected (WannaCry)	Critical
7274	IPP Printer Information Detection	Info
700096	IPP Server Detection via mDNS	Info
700095	IPP Client Detection (Internet Printing Protocol)	Info
700093	IPP Server Detection (Internet Printing Protocol)	Info
7273	User Full Name Detection via SMTP	Info
700085	Intel Active Management Technology 11.5.x / 11.6.x < 11.6.27.3264 RCE	Critical
700084	Intel Active Management Technology 11.0.x < 11.0.25.3001 RCE	Critical
700083	Intel Active Management Technology 10.x < 10.0.55.3000 RCE	Critical
700082	Intel Active Management Technology 9.5.x < 9.5.61.3012 RCE	Critical
700081	Intel Active Management Technology 9.x < 9.1.41.3024 RCE	Critical
700080	Intel Active Management Technology 8.x < 8.1.71.3608 RCE	Critical
700079	Intel Active Management Technology 7.x < 7.1.91.3272 RCE	Critical
700071	Intel Active Management Technology 6.x < 6.2.61.3535 RCE	Critical
700061	H.225 RAS Application Detection	Info
700060	H.225 CS Application Detection	Info
7271	h.225.0 Manufacturer Detection	Info
7270	h.225.0 Username Detection	Info

Generic Family for Nessus Network Monitor