{"ip":"102.220.160.47","exported_at":"2026-07-18T19:29:29+00:00","period_days":30,"metrics":{"events7d":70,"distinct_ports":11,"distinct_classifications":6,"max_severity":6,"last_sensor_id":"paris-1","max_waf_score":0,"max_risk_score":50,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["ddos"],"recommended_action":"monitor","confidence":0.49,"risk_breakdown":{"waf":8,"classification":80,"behavior":0,"geo":40,"protocol":38,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"TA0001","top_mitre_technique":"TA0007","top_mitre_count":280,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via SAP ICM","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":80,"behavior":0,"geo":40,"protocol":38,"novelty":15,"risk_score":46},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":49,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0418"],"tags_summary":["pat-0418"],"attack_vector":"http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)","protocol_details":{"payload_preview":"CONNECT 102.220.160.47:80 HTTP\/1.0\r\nHost: 102.220.160.47:80\r\nProxy-Authorization: Basic OTo5","port":8000,"service":"sap-icm","service_label_fr":"SAP ICM"},"protocol_summary_fr":"Payload CONNECT 102.220.160.47:80 HTTP\/1.0\r\nHost: 102.220.160.47:80\r\nPr\u2026 \u00b7 SAP ICM:8000","evidence_snippet":"CONNECT 102.220.160.47:80 HTTP\/1.0\r\nHost: 102.220.160.47:80\r\nProxy-Authorization: Basic OTo5","target_port_label":"8000 \u00b7 SAP ICM","emulator_service":"sap-icm","confidence_reason":"Confiance 49 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%","classification_reason_label_fr":"Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%","confidence_factors_fr":"Confiance 49 % \u2014 Score WAF 8","payload_preview":"CONNECT 102.220.160.47:80 HTTP\/1.0\r\nHost: 102.220.160.47:80\r\nProxy-Authorization: Basic OTo5"},"events":[{"id":12645160,"ip":"102.220.160.47","ts":"2026-07-17 07:25:49.000000","proto":"tcp","src_port":25624,"dst_port":8000,"service":"sap-icm","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 96, \u0022payload_entropy\u0022: 4.876324158019611, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b442add0dfab1bc2a021fcf3ceb0276\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic OTo5\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic OTo5\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic OTo5\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic OTo5\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic OTo5\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228b02ddf3b6d40452fe00d40c88778b45c5bbe50e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic OTo5\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic OTo5\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via SAP ICM\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic OTo5\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic OTo5\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":96},{"id":12645157,"ip":"102.220.160.47","ts":"2026-07-17 07:25:44.000000","proto":"tcp","src_port":48874,"dst_port":8000,"service":"sap-icm","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 110, \u0022payload_entropy\u0022: 5.153262669088582, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022395b8fa6b92e6f4d030030dec8a26746\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic czlyb3NlbWFyeTpub2Rl\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic czlyb3NlbWFyeTpub2Rl\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic czlyb3NlbWFyeTpub2Rl\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic czlyb3NlbWFyeTpub2Rl\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic czlyb3NlbWFyeTpub2Rl\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002233279be665a2a46046affa64397672d3caeea991\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic czlyb3NlbWFyeTpub2Rl\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic czlyb3NlbWFyeTpub2Rl\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via SAP ICM\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic czlyb3NlbWFyeTpub2Rl\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic czlyb3NlbWFyeTpub2Rl\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":110},{"id":12645144,"ip":"102.220.160.47","ts":"2026-07-17 07:25:31.000000","proto":"tcp","src_port":30204,"dst_port":8000,"service":"sap-icm","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.290127998582259, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221168577f375c0b05b793fbddb148ba08\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpRQVp3c3gxMjMu\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpRQVp3c3gxMjMu\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpRQVp3c3gxMjMu\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpRQVp3c3gxMjMu\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpRQVp3c3gxMjMu\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223992bf860420b184e54af7077521be692135de24\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpRQVp3c3gxMjMu\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpRQVp3c3gxMjMu\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via SAP ICM\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpRQVp3c3gxMjMu\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpRQVp3c3gxMjMu\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":112},{"id":12645063,"ip":"102.220.160.47","ts":"2026-07-17 07:24:16.000000","proto":"tcp","src_port":31006,"dst_port":8000,"service":"sap-icm","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 108, \u0022payload_entropy\u0022: 5.111221128854476, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002273b28f56d46b5d20cad5dbae2ff170ac\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDp2cHMxMDI0\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDp2cHMxMDI0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDp2cHMxMDI0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDp2cHMxMDI0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDp2cHMxMDI0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dc07b8b008468c4da5fbe602a34f55844975b251\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDp2cHMxMDI0\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDp2cHMxMDI0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via SAP ICM\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDp2cHMxMDI0\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDp2cHMxMDI0\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":108},{"id":12645052,"ip":"102.220.160.47","ts":"2026-07-17 07:23:57.000000","proto":"tcp","src_port":22552,"dst_port":8000,"service":"sap-icm","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 102, \u0022payload_entropy\u0022: 5.065274210312297, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220bf019f2c9dd156d8037ab5d4116fa0b\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022257ec0e3888f65dac0a4ad5baa0806513c2aec5d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via SAP ICM\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":102},{"id":12645033,"ip":"102.220.160.47","ts":"2026-07-17 07:23:40.000000","proto":"tcp","src_port":24832,"dst_port":8000,"service":"sap-icm","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 102, \u0022payload_entropy\u0022: 5.000282146752584, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221ed0c0a9b31b631dcc48b646130f8b8c\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002281dfb5a23de69fb28bd92e3e74c301217d979493\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via SAP ICM\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ODAwMDo4MDAw\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":102},{"id":12645030,"ip":"102.220.160.47","ts":"2026-07-17 07:23:37.000000","proto":"tcp","src_port":55402,"dst_port":8000,"service":"sap-icm","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c\u0022, \u0022emulator_response_len\u0022: 141, \u0022bytes_in\u0022: 116, \u0022payload_entropy\u0022: 5.217714996683305, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022sap-icm\u0022, \u0022app_proto\u0022: \u0022sap-icm\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8000, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 38.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002204ada829cf80285c4a0f515b998f0122f0ce49cc\u0022, \u0022event_fingerprint\u0022: \u002240ac2e001fc92fc4c26729171b1b914e26c42c6a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c2cca82dc5b10cb31e5c249d07f6c2e1\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpxd2VydHkxMjM0NTYh\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpxd2VydHkxMjM0NTYh\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpxd2VydHkxMjM0NTYh\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpxd2VydHkxMjM0NTYh\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpxd2VydHkxMjM0NTYh\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ee7f09296a405064bdb81d289a2d3ac8ea241d5f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpxd2VydHkxMjM0NTYh\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpxd2VydHkxMjM0NTYh\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via SAP ICM\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 38.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022, \u0022dst_port\u0022: 8000, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpxd2VydHkxMjM0NTYh\u0022, \u0022port\u0022: 8000, \u0022service\u0022: \u0022sap-icm\u0022, \u0022service_label_fr\u0022: \u0022SAP ICM\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via SAP ICM:8000 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpxd2VydHkxMjM0NTYh\u0022, \u0022target_port_label\u0022: \u00228000 \u00b7 SAP ICM\u0022, \u0022emulator_service\u0022: \u0022sap-icm\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sap_icm\u0022, \u0022service_banner\u0022: \u0022honeypot-sap-icm\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228000\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sap_web_probe\u0022, \u0022sap_icm_emulated\u0022, \u0022sap_icm_payload\u0022]","anomalies":"[]","severity":5,"bytes_in":116},{"id":12512152,"ip":"102.220.160.47","ts":"2026-07-16 13:05:43.000000","proto":"tcp","src_port":20998,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1159, \u0022payload_entropy\u0022: 4.83287105096246, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022libssh banner\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228c3d173d9de12f7faf89f71a549ad92b\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffdJ\ufffd\ufffd\\b#;\ufffdtS1\\tV\\u0014\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffdJ\ufffd\ufffd\\b#;\ufffdtS1\\tV\\u0014\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffdJ\ufffd\ufffd\\b#;\ufffdtS1\\tV\\u0014\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffdJ\ufffd\ufffd\\b#;\ufffdtS1\\tV\\u0014\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffdJ\ufffd\ufffd\\b#;\ufffdtS1\\tV\\u0014\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022690dbbeb3360d94f20064af6222eba772668572a\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffdJ\ufffd\ufffd\\b#;\ufffdtS1\\tV\\u0014\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffdJ\ufffd\ufffd\\b#;\ufffdtS1\\tV\\u0014\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\nl\ufffdJ\ufffd\ufffd#;\ufffdtS1\\tV\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffdJ\ufffd\ufffd\\b#;\ufffdtS1\\tV\\u0014\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffdJ\ufffd\ufffd\\b#;\ufffdtS1\\tV\\u0014\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\nl\ufffdJ\ufffd\ufffd#;\ufffdtS1\\tV\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1159},{"id":12511896,"ip":"102.220.160.47","ts":"2026-07-16 12:58:19.000000","proto":"tcp","src_port":42040,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1159, \u0022payload_entropy\u0022: 4.8162292000987605, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022libssh banner\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bb684a2914776d097758ae6f21daca0a\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd\ufffdPa\ufffd\\u001c1\ufffd\u04cali-\\u0004\ufffdD\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd\ufffdPa\ufffd\\u001c1\ufffd\u04cali-\\u0004\ufffdD\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd\ufffdPa\ufffd\\u001c1\ufffd\u04cali-\\u0004\ufffdD\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd\ufffdPa\ufffd\\u001c1\ufffd\u04cali-\\u0004\ufffdD\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd\ufffdPa\ufffd\\u001c1\ufffd\u04cali-\\u0004\ufffdD\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002255ba0cc5487ff66dd090a2fab5efa55d5a408480\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd\ufffdPa\ufffd\\u001c1\ufffd\u04cali-\\u0004\ufffdD\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd\ufffdPa\ufffd\\u001c1\ufffd\u04cali-\\u0004\ufffdD\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\nl\ufffd\ufffdPa\ufffd1\ufffd\u04cali-\ufffdDhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd\ufffdPa\ufffd\\u001c1\ufffd\u04cali-\\u0004\ufffdD\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd\ufffdPa\ufffd\\u001c1\ufffd\u04cali-\\u0004\ufffdD\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\nl\ufffd\ufffdPa\ufffd1\ufffd\u04cali-\ufffdDhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1159},{"id":12511656,"ip":"102.220.160.47","ts":"2026-07-16 12:51:03.000000","proto":"tcp","src_port":63190,"dst_port":22,"service":"ssh","classification":"ssh_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a\u0022, \u0022emulator_response_len\u0022: 41, \u0022bytes_in\u0022: 1159, \u0022payload_entropy\u0022: 4.830250763113121, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022ssh\u0022, \u0022app_proto\u0022: \u0022ssh\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 22, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 36.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229a91c35ff8553fc24795f9eaf93692ffdae1839c\u0022, \u0022event_fingerprint\u0022: \u0022bc4e3fa786c83e0db7c1c892cb0c288f6b14388f\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 195, \u0022precision_signals\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SSH-2.0 banner RFC4253\u0022, \u0022libssh banner\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da65ee989fc78237dc2b19c42c22fd25\u0022, \u0022path_pattern_hash\u0022: \u00224368b1c212b6962fb95d1d1144451aca\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd$\ufffd\ufffd\ufffd\\u0000u\ufffd\\n:\\u00154DU\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022request_sample\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd$\ufffd\ufffd\ufffd\\u0000u\ufffd\\n:\\u00154DU\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd$\ufffd\ufffd\ufffd\\u0000u\ufffd\\n:\\u00154DU\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd$\ufffd\ufffd\ufffd\\u0000u\ufffd\\n:\\u00154DU\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256,diffie\u0022, \u0022payload_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd$\ufffd\ufffd\ufffd\\u0000u\ufffd\\n:\\u00154DU\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022, \u0022T1595\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ce32a249c3573a9e21e06471be220fdafd06024c\u0022, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd$\ufffd\ufffd\ufffd\\u0000u\ufffd\\n:\\u00154DU\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd$\ufffd\ufffd\ufffd\\u0000u\ufffd\\n:\\u00154DU\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022evidence_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\nl\ufffd$\ufffd\ufffd\ufffdu\ufffd\\n:4DU\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 36.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022, \u0022dst_port\u0022: 22, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-ssh-libssh-ua\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Client SSH libssh\/paramiko (scanner)\u0022, \u0022pat-0391\u0022, \u0022pat-0392\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022ssh_banner\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd$\ufffd\ufffd\ufffd\\u0000u\ufffd\\n:\\u00154DU\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022payload_preview\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\n\\u0000\\u0000\\u0004l\\u0006\\u0014\ufffd$\ufffd\ufffd\ufffd\\u0000u\ufffd\\n:\\u00154DU\ufffd\ufffd\\u0000\\u0000\\u0001hcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022port\u0022: 22, \u0022service\u0022: \u0022ssh\u0022, \u0022service_label_fr\u0022: \u0022SSH\u0022}, \u0022attack_vector\u0022: \u0022Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022SSH-2.0-libssh_0.11.4\\r\\nl\ufffd$\ufffd\ufffd\ufffdu\ufffd\\n:4DU\ufffd\ufffdhcurve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nis\u0022, \u0022target_port_label\u0022: \u002222 \u00b7 SSH\u0022, \u0022emulator_service\u0022: \u0022ssh\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022ssh\u0022, \u0022service_banner\u0022: \u0022OpenSSH_8.9p1 Ubuntu\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002222\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022], \u0022asn_dc_heuristic\u0022: true, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 84}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_ssh_probe\u0022, \u0022ssh_banner\u0022, \u0022ssh_emulated\u0022, \u0022ssh_kex_probe\u0022, \u0022ssh_libssh\u0022]","anomalies":"[]","severity":6,"bytes_in":1159},{"id":12460265,"ip":"102.220.160.47","ts":"2026-07-16 10:02:55.000000","proto":"tcp","src_port":23130,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 110, \u0022payload_entropy\u0022: 5.239187701035704, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022ee6d634bcf1e1f381195e928ec04863399d89c44\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228a6452f924d5462defdfd507264d9e47\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpwNHI0bjAxZA==\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpwNHI0bjAxZA==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpwNHI0bjAxZA==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpwNHI0bjAxZA==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpwNHI0bjAxZA==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226f57886db889a5e7453a50e561ca262255d9375a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpwNHI0bjAxZA==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpwNHI0bjAxZA==\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":110},{"id":12459570,"ip":"102.220.160.47","ts":"2026-07-16 10:00:33.000000","proto":"tcp","src_port":16412,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 4.062305474194333, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022ee6d634bcf1e1f381195e928ec04863399d89c44\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002281c098c8d4430024d7ae4217f8dcc2e2\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220ecb9a9e63a3cbd526b9823801e77793fa055f3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":36},{"id":12458379,"ip":"102.220.160.47","ts":"2026-07-16 09:58:47.000000","proto":"tcp","src_port":11692,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 106, \u0022payload_entropy\u0022: 5.174294955210346, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022ee6d634bcf1e1f381195e928ec04863399d89c44\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b05afd7f3b587dd0898a059f480f8fef\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YmVuOnRlc3QhQA==\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YmVuOnRlc3QhQA==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YmVuOnRlc3QhQA==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YmVuOnRlc3QhQA==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YmVuOnRlc3QhQA==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f4f727957638f7b776fda9a5f95ac626c85b78b\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YmVuOnRlc3QhQA==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YmVuOnRlc3QhQA==\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":106},{"id":12457648,"ip":"102.220.160.47","ts":"2026-07-16 09:56:19.000000","proto":"tcp","src_port":50120,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 108, \u0022payload_entropy\u0022: 5.098166410945058, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022ee6d634bcf1e1f381195e928ec04863399d89c44\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223b21ae296c863905efd811301c478e24\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic d2VidXNlcjoxMjM=\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic d2VidXNlcjoxMjM=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic d2VidXNlcjoxMjM=\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic d2VidXNlcjoxMjM=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic d2VidXNlcjoxMjM=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b2a316df28e54022b1d0790fcd7cb9780bf641a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic d2VidXNlcjoxMjM=\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic d2VidXNlcjoxMjM=\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":108},{"id":12457513,"ip":"102.220.160.47","ts":"2026-07-16 09:54:21.000000","proto":"tcp","src_port":51434,"dst_port":9080,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 4.062305474194333, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022cd04e782d239e46bc18ffa0b511d16368028d2c7\u0022, \u0022event_fingerprint\u0022: \u0022ee6d634bcf1e1f381195e928ec04863399d89c44\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002281c098c8d4430024d7ae4217f8dcc2e2\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220ecb9a9e63a3cbd526b9823801e77793fa055f3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 9080, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:9080 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":36},{"id":12390508,"ip":"102.220.160.47","ts":"2026-07-16 05:02:24.000000","proto":"tcp","src_port":62370,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 4.062305474194333, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002281c098c8d4430024d7ae4217f8dcc2e2\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225a856bc25d757ab51f53b30feff16ae2237cac66\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":36},{"id":12388795,"ip":"102.220.160.47","ts":"2026-07-16 04:57:53.000000","proto":"tcp","src_port":51270,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 5.0516500610506645, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b34c05059b713f8bb369af2988c8c5dd\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ec226b298b433875d0b0e4745fb0ad2d976efae3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":104},{"id":12388516,"ip":"102.220.160.47","ts":"2026-07-16 04:54:13.000000","proto":"tcp","src_port":44810,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 110, \u0022payload_entropy\u0022: 5.087778409835216, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c67d9039639d16111103016eb67111d4\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022308592c4fa7ee6de547283890cc188753cb56536\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":110},{"id":12386365,"ip":"102.220.160.47","ts":"2026-07-16 04:51:03.000000","proto":"tcp","src_port":45736,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 110, \u0022payload_entropy\u0022: 5.208188523451913, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fd716c4d0f7613d30f59476a0e1ddd2b\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bfe2d8ce9deba48afe0636a09d4613c5bee5cbac\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":110},{"id":12385020,"ip":"102.220.160.47","ts":"2026-07-16 04:47:04.000000","proto":"tcp","src_port":43998,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 102, \u0022payload_entropy\u0022: 5.054936132738835, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222b21935cb1634b73cce4018ad258f8a6\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228bb0435a6c06840cb0a0ef020f24c87970cd805f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDoxMjM0\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":102},{"id":12384001,"ip":"102.220.160.47","ts":"2026-07-16 04:44:31.000000","proto":"tcp","src_port":40556,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 5.2541947561892615, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002253d83ef13fe7456e10fdfe9b9e0eafe3\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic bGlkaWFuOiV1c2VybmFtZSU=\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic bGlkaWFuOiV1c2VybmFtZSU=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic bGlkaWFuOiV1c2VybmFtZSU=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic bGlkaWFuOiV1c2VybmFtZSU=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic bGlkaWFuOiV1c2VybmFtZSU=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c0d3422c6aa8525fc8dbf0377ecab178dad1f13d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic bGlkaWFuOiV1c2VybmFtZSU=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic bGlkaWFuOiV1c2VybmFtZSU=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic bGlkaWFuOiV1c2VybmFtZSU=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic bGlkaWFuOiV1c2VybmFtZSU=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":114},{"id":12381665,"ip":"102.220.160.47","ts":"2026-07-16 04:40:38.000000","proto":"tcp","src_port":37264,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 102, \u0022payload_entropy\u0022: 5.055135016230372, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022eb5ac616ce8b90742e03158013c7cb97\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b5f07ed206728fca1c45f05ceaaf6033b796fb81\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":102},{"id":12381528,"ip":"102.220.160.47","ts":"2026-07-16 04:38:41.000000","proto":"tcp","src_port":21500,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 110, \u0022payload_entropy\u0022: 5.087778409835216, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c67d9039639d16111103016eb67111d4\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022308592c4fa7ee6de547283890cc188753cb56536\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YWRtaW46YWRtaW4xMjM=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":110},{"id":12379685,"ip":"102.220.160.47","ts":"2026-07-16 04:34:32.000000","proto":"tcp","src_port":37552,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 102, \u0022payload_entropy\u0022: 5.051109078566647, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226c1c57e248adfe69f44c4d2ff5a439f7\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwOmZ0cA==\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwOmZ0cA==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwOmZ0cA==\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwOmZ0cA==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwOmZ0cA==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b4262563447faa11eedc0324b759b730f69d474c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwOmZ0cA==\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwOmZ0cA==\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwOmZ0cA==\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwOmZ0cA==\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":102},{"id":12377927,"ip":"102.220.160.47","ts":"2026-07-16 04:32:45.000000","proto":"tcp","src_port":16468,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 114, \u0022payload_entropy\u0022: 5.1613232956355395, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222a4e247c0564dedd4c25b6c020e79df3\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwdXNlcjoxMjMxMjMxMjM=\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwdXNlcjoxMjMxMjMxMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwdXNlcjoxMjMxMjMxMjM=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwdXNlcjoxMjMxMjMxMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwdXNlcjoxMjMxMjMxMjM=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ee954ef4558f9c5ff7407385ecfbc534c71ea44f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwdXNlcjoxMjMxMjMxMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwdXNlcjoxMjMxMjMxMjM=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwdXNlcjoxMjMxMjMxMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic ZnRwdXNlcjoxMjMxMjMxMjM=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":114},{"id":12374957,"ip":"102.220.160.47","ts":"2026-07-16 04:28:25.000000","proto":"tcp","src_port":55574,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.204327637203358, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225a692f47ebf32c1432bedba6d61b2559\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223beb54a834490532fae434c97e18686acfe93c07\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cHJveHk6cGFzc3dvcmQ=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":112},{"id":12374653,"ip":"102.220.160.47","ts":"2026-07-16 04:22:29.000000","proto":"tcp","src_port":27348,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 4.062305474194333, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002281c098c8d4430024d7ae4217f8dcc2e2\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225a856bc25d757ab51f53b30feff16ae2237cac66\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":36},{"id":12374383,"ip":"102.220.160.47","ts":"2026-07-16 04:16:27.000000","proto":"tcp","src_port":52498,"dst_port":9080,"service":"websphere","classification":"websphere_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a2049424d5f485454505f5365727665720d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c68746d6c3e3c626f64793e49424d20576562537068657265204170706c69636174696f6e2053\u0022, \u0022emulator_response_len\u0022: 147, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022websphere\u0022, \u0022app_proto\u0022: \u0022websphere\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 34, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f1aeee218360866f2e4a57aee6ace3b69d206b56\u0022, \u0022event_fingerprint\u0022: \u0022aea6e2a5981661f5cad72e19453c56aa15fd8d08\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.1, \u0022classification_confidence\u0022: 0.1, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022websphere\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022a8ef247ba3612b90c1c670387b185e85\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9080, \u0022service\u0022: \u0022websphere\u0022, \u0022service_name\u0022: \u0022websphere\u0022, \u0022risk_score\u0022: 34}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022, \u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e3b4ab5525dd4ae1a3498a13edcd66eb770e4b6f\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 9080, \u0022service\u0022: \u0022websphere\u0022, \u0022service_label_fr\u0022: \u0022WEBSPHERE\u0022}, \u0022attack_vector\u0022: \u0022websphere probe \u00b7 via WEBSPHERE:9080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229080 \u00b7 WEBSPHERE\u0022, \u0022emulator_service\u0022: \u0022websphere\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 34\/100\u0022, \u0022confidence_pct\u0022: 10, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 34, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 34, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022websphere\u0022, \u0022service_label_fr\u0022: \u0022WEBSPHERE\u0022, \u0022dst_port\u0022: 9080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-websphere\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 9080, \u0022service\u0022: \u0022websphere\u0022, \u0022service_label_fr\u0022: \u0022WEBSPHERE\u0022}, \u0022attack_vector\u0022: \u0022websphere probe \u00b7 via WEBSPHERE:9080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229080 \u00b7 WEBSPHERE\u0022, \u0022emulator_service\u0022: \u0022websphere\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 2 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 10 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (102.220.160.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022websphere\u0022, \u0022service_banner\u0022: \u0022honeypot-websphere\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022102.220.160.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_websphere_probe\u0022, \u0022websphere_emulated\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_websphere_probe\u0022, \u0022websphere_emulated\u0022]","anomalies":"[]","severity":5,"bytes_in":0},{"id":12361016,"ip":"102.220.160.47","ts":"2026-07-16 02:45:57.000000","proto":"tcp","src_port":49700,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":12360975,"ip":"102.220.160.47","ts":"2026-07-16 02:45:05.000000","proto":"tcp","src_port":22318,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 4.062305474194333, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002281c098c8d4430024d7ae4217f8dcc2e2\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223ba766e8ee03465c1bd4980039131c9b459da705\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":36},{"id":12360435,"ip":"102.220.160.47","ts":"2026-07-16 02:43:32.000000","proto":"tcp","src_port":20206,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 5.061789329440021, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002277352442ce0a5ee88bf2b5447c36a426\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002251001df7e5819b8167549e61fa9cc94dd972a1dd\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":104},{"id":12357721,"ip":"102.220.160.47","ts":"2026-07-16 02:40:07.000000","proto":"tcp","src_port":52454,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":12357618,"ip":"102.220.160.47","ts":"2026-07-16 02:37:26.000000","proto":"tcp","src_port":27898,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.198479226202879, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223221256fa7908fcf31b7bd38712caf23\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic b3BzOjIxb3BzLmNvbQ==\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic b3BzOjIxb3BzLmNvbQ==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic b3BzOjIxb3BzLmNvbQ==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic b3BzOjIxb3BzLmNvbQ==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic b3BzOjIxb3BzLmNvbQ==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ef99982d7335c403a5333951c51933f9afb030f5\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic b3BzOjIxb3BzLmNvbQ==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic b3BzOjIxb3BzLmNvbQ==\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":12354931,"ip":"102.220.160.47","ts":"2026-07-16 02:34:13.000000","proto":"tcp","src_port":47874,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":12354303,"ip":"102.220.160.47","ts":"2026-07-16 02:31:48.000000","proto":"tcp","src_port":48188,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 4.062305474194333, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002281c098c8d4430024d7ae4217f8dcc2e2\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223ba766e8ee03465c1bd4980039131c9b459da705\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":36},{"id":12354122,"ip":"102.220.160.47","ts":"2026-07-16 02:28:41.000000","proto":"tcp","src_port":61948,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":12354001,"ip":"102.220.160.47","ts":"2026-07-16 02:28:30.000000","proto":"tcp","src_port":11732,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 102, \u0022payload_entropy\u0022: 5.055135016230372, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022eb5ac616ce8b90742e03158013c7cb97\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ccc44550f07f378da8f449f8c265a9ca28c9bbd0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":102},{"id":12352029,"ip":"102.220.160.47","ts":"2026-07-16 02:26:10.000000","proto":"tcp","src_port":62866,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 4.062305474194333, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002281c098c8d4430024d7ae4217f8dcc2e2\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223ba766e8ee03465c1bd4980039131c9b459da705\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":36},{"id":12350895,"ip":"102.220.160.47","ts":"2026-07-16 02:23:13.000000","proto":"tcp","src_port":62876,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.22417423119018, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f6f84cad50b6956923fd8ebeae459ea7\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDphMTIzNDU2QQ==\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDphMTIzNDU2QQ==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDphMTIzNDU2QQ==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDphMTIzNDU2QQ==\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDphMTIzNDU2QQ==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b981d6632c81511b3a0668775706c5e76d4e743d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDphMTIzNDU2QQ==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDphMTIzNDU2QQ==\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":112},{"id":12350811,"ip":"102.220.160.47","ts":"2026-07-16 02:20:58.000000","proto":"tcp","src_port":43126,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 104, \u0022payload_entropy\u0022: 5.1194816371323295, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b45210edb6322a0aa9454a0761ef6c74\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YnJhZDpicmFk\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YnJhZDpicmFk\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YnJhZDpicmFk\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YnJhZDpicmFk\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YnJhZDpicmFk\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002235acf4fed56fb43e43468c3bfd2a208d0425da71\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YnJhZDpicmFk\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic YnJhZDpicmFk\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":104},{"id":12349294,"ip":"102.220.160.47","ts":"2026-07-16 02:18:27.000000","proto":"tcp","src_port":22970,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":12349070,"ip":"102.220.160.47","ts":"2026-07-16 02:18:11.000000","proto":"tcp","src_port":13456,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 102, \u0022payload_entropy\u0022: 5.065274210312297, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220bf019f2c9dd156d8037ab5d4116fa0b\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228210e4655a53c063759563cb436b5212a1c5adeb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic MTIzOjEyMw==\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":102},{"id":12347580,"ip":"102.220.160.47","ts":"2026-07-16 02:15:55.000000","proto":"tcp","src_port":51030,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 2, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 102, \u0022payload_entropy\u0022: 5.055135016230372, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022eb5ac616ce8b90742e03158013c7cb97\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ccc44550f07f378da8f449f8c265a9ca28c9bbd0\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dGVzdDp0ZXN0\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":102},{"id":12347461,"ip":"102.220.160.47","ts":"2026-07-16 02:13:42.000000","proto":"tcp","src_port":61282,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":12347446,"ip":"102.220.160.47","ts":"2026-07-16 02:13:14.000000","proto":"tcp","src_port":65062,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 1, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 61, \u0022payload_entropy\u0022: 4.167378526863898, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00221858163c0136e354fb4b9c1a13ea7f4e\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022de543813efd58eaa4ffadd73585d0b78e68dbcd1\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":61},{"id":12347302,"ip":"102.220.160.47","ts":"2026-07-16 02:10:47.000000","proto":"tcp","src_port":13700,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 0, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: null, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 4.062305474194333, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002281c098c8d4430024d7ae4217f8dcc2e2\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.85, \u0022classification_confidence\u0022: 0.85, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223ba766e8ee03465c1bd4980039131c9b459da705\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 85, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 85 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":36},{"id":12347203,"ip":"102.220.160.47","ts":"2026-07-16 02:08:44.000000","proto":"tcp","src_port":61784,"dst_port":1080,"service":"socks5","classification":"socks5_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00220500\u0022, \u0022emulator_response_len\u0022: 2, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 1.5, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022socks5\u0022, \u0022app_proto\u0022: \u0022socks5\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 1080, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 50.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022426dec8df888ffa63f455322a8a4f2110dbd3010\u0022, \u0022event_fingerprint\u0022: \u00223331cd638f7f2882b3f28f93273086620fcbe7b5\u0022, \u0022classification_confidence\u0022: 0.58, \u0022confidence\u0022: 0.58, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226ce5e83bce8f65c890fae2bc4bd3a7a8\u0022, \u0022path_pattern_hash\u0022: \u0022bfccf9f2989c411a7f395b1e4889bbc9\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022network_service_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f660764e133838b1f3c3a1f8264509dfee0592\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab socks5_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 58, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 50.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45, \u0022correlation_boost\u0022: 8}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022, \u0022dst_port\u0022: 1080, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022correlation_flags\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Multi-protocole corr\u00e9l\u00e9 (5 min)\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0002\\u0000\\u0002\u0022, \u0022port\u0022: 1080, \u0022service\u0022: \u0022socks5\u0022, \u0022service_label_fr\u0022: \u0022SOCKS5\u0022}, \u0022attack_vector\u0022: \u0022socks5 probe \u00b7 via SOCKS5:1080 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00221080 \u00b7 SOCKS5\u0022, \u0022emulator_service\u0022: \u0022socks5\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022socks5\u0022, \u0022service_banner\u0022: \u0022honeypot-socks5\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221080\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022multi_protocol_correlation\u0022: true, \u0022multi_protocol_count\u0022: 2, \u0022multi_protocol_sample\u0022: [\u0022http\u0022, \u0022socks5\u0022], \u0022multi_protocol_window_s\u0022: 300, \u0022behavior_alerts\u0022: [\u0022multi_protocol_correlation\u0022], \u0022correlation_confidence_boost\u0022: 8, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_socks5_probe\u0022, \u0022socks5_emulated\u0022, \u0022socks5_handshake\u0022]","anomalies":"[]","severity":4,"bytes_in":4},{"id":12347172,"ip":"102.220.160.47","ts":"2026-07-16 02:08:18.000000","proto":"tcp","src_port":62150,"dst_port":8090,"service":"http","classification":"web_probe","waf_score":0,"waf_tags":"[]","http_method":"CONNECT","http_target":"102.220.160.47:80","sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022http_header_count\u0022: 1, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u002247:80\u0022, \u0022http_ua_hash\u0022: null, \u0022http_host_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_target_hash\u0022: \u0022d4c0cacd362d1a0e66ac6473f0cb35590412e2c5\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: false, \u0022bytes_in\u0022: 63, \u0022payload_entropy\u0022: 4.182444011484596, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8090, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 43.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ac92b13ee4ce944156da57e63243561c5d4bd794\u0022, \u0022event_fingerprint\u0022: \u0022cb91bbc7f59da2dea22d752b48ea2b6e50e59402\u0022, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002212f44f335a600cbd00b1ed67f6407d12\u0022, \u0022path_pattern_hash\u0022: \u002221005405859c8de5d162bbe51133e31d\u0022}, \u0022service_name\u0022: \u0022http\u0022, \u0022target_context\u0022: {\u0022dst_port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\n\\r\\n\u0022, \u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022CONNECT\u0022, \u0022path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022}, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022confidence\u0022: 0.77, \u0022classification_confidence\u0022: 0.77, \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224be87f44a5477cfa14e0c9dec49092990547b43f\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\u0022, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 77, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 43.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 8090, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022CONNECT\u0022, \u0022http_path\u0022: \u0022102.220.160.47:80\u0022, \u0022request_line\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.1\u0022, \u0022port\u0022: 8090, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022Sonde HTTP \u00b7 via HTTP:8090 \u00b7 (sonde \/ probe) \u00b7 \u2192 102.220.160.47:80\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\u0022, \u0022target_port_label\u0022: \u00228090 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 77 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228090\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.0","http_host":"102.220.160.47:80","http_user_agent":null,"http_referer":null,"tags":"[\u0022http_dangerous_method\u0022, \u0022http_method_uncommon\u0022, \u0022http_no_ua\u0022, \u0022net_web_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":63},{"id":12274415,"ip":"102.220.160.47","ts":"2026-07-15 21:40:16.000000","proto":"tcp","src_port":53432,"dst_port":8020,"service":"hdfs-namenode","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63\u0022, \u0022emulator_response_len\u0022: 144, \u0022bytes_in\u0022: 110, \u0022payload_entropy\u0022: 5.143231732290761, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022app_proto\u0022: \u0022hdfs-namenode\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 8020, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a3f0406cb9859f918547e7d9724ae04de9b35cbf\u0022, \u0022event_fingerprint\u0022: \u0022f86f2f8585eddb17139e72dd9eb2eb48cccd1028\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223a1a9b701247194fc91f6e95ef1ebed3\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dHVyYm86dHVyYm8xMjM=\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dHVyYm86dHVyYm8xMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dHVyYm86dHVyYm8xMjM=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dHVyYm86dHVyYm8xMjM=\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dHVyYm86dHVyYm8xMjM=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228e659b3981eaca57fd6b343bb150626e046fa17b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dHVyYm86dHVyYm8xMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dHVyYm86dHVyYm8xMjM=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HDFS NAMENODE\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022, \u0022dst_port\u0022: 8020, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dHVyYm86dHVyYm8xMjM=\u0022, \u0022port\u0022: 8020, \u0022service\u0022: \u0022hdfs-namenode\u0022, \u0022service_label_fr\u0022: \u0022HDFS NAMENODE\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HDFS NAMENODE:8020 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic dHVyYm86dHVyYm8xMjM=\u0022, \u0022target_port_label\u0022: \u00228020 \u00b7 HDFS NAMENODE\u0022, \u0022emulator_service\u0022: \u0022hdfs-namenode\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022hdfs_namenode\u0022, \u0022service_banner\u0022: \u0022honeypot-hdfs-namenode\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00228020\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022hdfs_namenode_emulated\u0022, \u0022hdfs_namenode_payload\u0022, \u0022net_hdfs_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":110},{"id":12267827,"ip":"102.220.160.47","ts":"2026-07-15 21:28:01.000000","proto":"tcp","src_port":48320,"dst_port":9443,"service":"https","classification":"http_flood","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u0022485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b\u0022, \u0022emulator_response_len\u0022: 82, \u0022bytes_in\u0022: 112, \u0022payload_entropy\u0022: 5.2186994271536875, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022service\u0022: \u0022https\u0022, \u0022app_proto\u0022: \u0022https\u0022, \u0022asn\u0022: 197769, \u0022country\u0022: \u0022SI\u0022, \u0022dst_port\u0022: 9443, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 80.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 40.0, \u0022risk_protocol\u0022: 33.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 46, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002280c828df2c78c8e2ac4c1c341013d811b61f83b0\u0022, \u0022event_fingerprint\u0022: \u00225b8d9bc7bcb6d0b9bee3faac4a80649a400d4176\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0418\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0418\u0022], \u0022matched_patterns\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022, \u0022pat-0600\u0022], \u0022matched_pattern_names\u0022: [\u0022Cred Basic auth spray\u0022, \u0022HTTP CONNECT method\u0022, \u0022ActiveMQ STOMP\u0022, \u0022Squid HTTP proxy\u0022, \u0022HTTPS alt 9443 probe\u0022], \u0022pattern_ids\u0022: [\u0022pat-0463\u0022, \u0022pat-0418\u0022, \u0022pat-0559\u0022, \u0022pat-0568\u0022, \u0022pat-0600\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022SI\u0022, \u0022asn\u0022: 197769, \u0022org\u0022: \u0022VPS Dedicated LLC\u0022, \u0022is_datacenter\u0022: true, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220a9f6368845815c25d47240f993148d3\u0022, \u0022path_pattern_hash\u0022: \u00224d7cc3b45cbf3e5b6ce484f88d569789\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022risk_score\u0022: 46}, \u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpQQCQkdzByZCE=\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpQQCQkdzByZCE=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpQQCQkdzByZCE=\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpQQCQkdzByZCE=\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpQQCQkdzByZCE=\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022ddos\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002277905325d3df74e6130559b5ce480339f6fe6299\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpQQCQkdzByZCE=\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpQQCQkdzByZCE=\u0022, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_flood \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 49 % \u2014 via HTTPS\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 80.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 40.0, \u0022protocol\u0022: 33.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 46}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 46, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022, \u0022dst_port\u0022: 9443, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0418\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0418\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-https\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpQQCQkdzByZCE=\u0022, \u0022port\u0022: 9443, \u0022service\u0022: \u0022https\u0022, \u0022service_label_fr\u0022: \u0022HTTPS\u0022}, \u0022attack_vector\u0022: \u0022http flood \u00b7 via HTTPS:9443 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022CONNECT 102.220.160.47:80 HTTP\/1.0\\r\\nHost: 102.220.160.47:80\\r\\nProxy-Authorization: Basic cm9vdDpQQCQkdzByZCE=\u0022, \u0022target_port_label\u0022: \u00229443 \u00b7 HTTPS\u0022, \u0022emulator_service\u0022: \u0022https\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022https\u0022, \u0022service_banner\u0022: \u0022honeypot-https\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229443\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022websphere_probe\u0022], \u0022asn_dc_heuristic\u0022: true}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_alt_port\u0022, \u0022net_web_probe\u0022, \u0022websphere_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":112}],"total_events":317}