Méthode
CONNECT
Port
3128
Chemin / cible
cloudflare.com:443
Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 77%
Confiance classification
77%
Risque capteur
Moyen
· 40
Confiance : Confiance 77 % — Score WAF 8
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
CONNECT cloudflare.com:443 HTTP/1.1
User-Agent
Go-http-client/1.1
Règles WAF
—
Payload (extrait)
CONNECT cloudflare.com:443 HTTP/1.1
Host: cloudflare.com:443
User-Agent: Go-http-client/1.1
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2",
"http_host_hash": "ce112ec83ad0c4839af68ddc8da531ceb72411de",
"http_target_hash": "ce112ec83ad0c4839af68ddc8da531ceb72411de",
"http_referer_hash": null,
"http_method": "CONNECT",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 97,
"payload_entropy": 4.989469549315329,
"port_category": "registered",
"org": "Megacore Technology Company Limited",
"service": "http",
"app_proto": "http",
"asn": 140810,
"country": "VN",
"dst_port": 3128,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 40,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "2bc7ae0bcc4ae14f1e133c1121a155b76b1471f2",
"event_fingerprint": "c0b07581a0214d7aa6a0ab0087ece281dd843191",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 140810,
"org": "Megacore Technology Company Limited",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1",
"payload_hash": "295ef9e0ad9af5165c9c6e52feb93d0b",
"path_pattern_hash": "0eefa7eccad631c4e98dac3ebb39ee10"
},
"service_name": "http",
"target_context": {
"dst_port": 3128,
"service": "http",
"service_name": "http",
"risk_score": 40
},
"payload_preview": "CONNECT cloudflare.com:443 HTTP\/1.1\r\nHost: cloudflare.com:443\r\nUser-Agent: Go-http-client\/1.1\r\n\r\n",
"method": "CONNECT",
"path": "cloudflare.com:443",
"user_agent": "Go-http-client\/1.1",
"request_line": "CONNECT cloudflare.com:443 HTTP\/1.1",
"request_sample": "CONNECT cloudflare.com:443 HTTP\/1.1\r\nHost: cloudflare.com:443\r\nUser-Agent: Go-http-client\/1.1\r\n\r\n",
"payload_snippet": "CONNECT cloudflare.com:443 HTTP\/1.1\r\nHost: cloudflare.com:443\r\nUser-Agent: Go-http-client\/1.1",
"evidence": {
"method": "CONNECT",
"path": "cloudflare.com:443",
"user_agent": "Go-http-client\/1.1",
"request_line": "CONNECT cloudflare.com:443 HTTP\/1.1",
"request_sample": "CONNECT cloudflare.com:443 HTTP\/1.1\r\nHost: cloudflare.com:443\r\nUser-Agent: Go-http-client\/1.1\r\n\r\n",
"payload_snippet": "CONNECT cloudflare.com:443 HTTP\/1.1\r\nHost: cloudflare.com:443\r\nUser-Agent: Go-http-client\/1.1",
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%"
},
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%",
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 40
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"confidence": 0.77,
"classification_confidence": 0.77,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4734e71718b0f2323d0280d2c2c9cb65f2729fa4",
"protocol_details": {
"http_method": "CONNECT",
"http_path": "cloudflare.com:443",
"request_line": "CONNECT cloudflare.com:443 HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"port": 3128,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "CONNECT cloudflare.com:443 HTTP\/1.1\r\nHost: cloudflare.com:443\r\nUser-Agent: Go-http-client\/1.1",
"attack_vector": "Sonde HTTP \u00b7 via HTTP:3128 \u00b7 (sonde \/ probe) \u00b7 \u2192 cloudflare.com:443",
"target_port_label": "3128 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 77 % \u2014 Score WAF 8",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%",
"classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 77%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 77,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 40
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 3128,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "CONNECT",
"http_path": "cloudflare.com:443",
"request_line": "CONNECT cloudflare.com:443 HTTP\/1.1",
"http_user_agent": "Go-http-client\/1.1",
"port": 3128,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "Sonde HTTP \u00b7 via HTTP:3128 \u00b7 (sonde \/ probe) \u00b7 \u2192 cloudflare.com:443",
"evidence_snippet": "CONNECT cloudflare.com:443 HTTP\/1.1\r\nHost: cloudflare.com:443\r\nUser-Agent: Go-http-client\/1.1",
"target_port_label": "3128 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 77 % \u2014 Score WAF 8",
"confidence_factors_fr": "Confiance 77 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "3128"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_dangerous_method",
"http_method_uncommon",
"http_ua_suspicious",
"net_web_probe"
]
}
|