|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
JDWP-Handshake
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 3 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
JDWP-Handshake
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "4a44d0532d480000647368616b65",
"emulator_response_len": 14,
"bytes_in": 14,
"payload_entropy": 3.6644977792004623,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d7cf99dd7541d7bd514fc0d9a1b2d531",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"payload_preview": "JDWP-Handshake",
"request_sample": "JDWP-Handshake",
"payload_snippet": "JDWP-Handshake",
"evidence": {
"request_sample": "JDWP-Handshake",
"payload_snippet": "JDWP-Handshake",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1deba559e0e3159a47a55e238eee21acceadca59",
"protocol_details": {
"payload_preview": "JDWP-Handshake",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "JDWP-Handshake",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "JDWP-Handshake",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "JDWP-Handshake",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
Sonde Java RMI
java rmi probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 32
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
JRMI��K
Pourquoi cette classification : Type « java_rmi_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 32
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0604
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Java RMI JRMI
User-Agent
—
Règles WAF
—
Payload (extrait)
JRMI��K
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "000081830000000000000000",
"emulator_response_len": 12,
"bytes_in": 7,
"payload_entropy": 2.807354922057604,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 32,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0604"
],
"kb_rule_ids": [
"pat-0604"
],
"matched_patterns": [
"pat-0604"
],
"matched_pattern_names": [
"Java RMI JRMI"
],
"pattern_ids": [
"pat-0604"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 32
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d8c49a0f759e2102fb8fa8368049d06a",
"path_pattern_hash": "7a566ca86213ccd15a91c0b5a885a24f"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 32
},
"payload_preview": "JRMI\u0000\u0002K",
"request_sample": "JRMI\u0000\u0002K",
"payload_snippet": "JRMI\u0000\u0002K",
"evidence": {
"request_sample": "JRMI\u0000\u0002K",
"payload_snippet": "JRMI\u0000\u0002K",
"classification_reason": "Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"enterprise_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c42e19c9fcccc68c00a1d274efd8cb218cd01659",
"protocol_details": {
"payload_preview": "JRMI\u0000\u0002K",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "JRMIK",
"attack_vector": "java rmi probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 32
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 32,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0604"
],
"tags_summary_labels_fr": [
"pat-0604"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "JRMI\u0000\u0002K",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "java rmi probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "JRMIK",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
mqtt probe
mqtt probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
mqtt_connect
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
����MQTT���<���AAAAA
Pourquoi cette classification : Type « mqtt_probe » (signaux protocolaires) · confiance 97%
Confiance classification
97%
Risque capteur
Moyen
· 49
Confiance : Confiance 97 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0373
pat-0615
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MQTT protocol
MQTT alt CONNECT
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
����MQTT���<���AAAAA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "101280034d5100000502003c0000054141414141",
"emulator_response_len": 20,
"bytes_in": 20,
"payload_entropy": 3.1414460711655217,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "72b6a90724b0c9c53493319cd9ace0921aa39735",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%",
"confidence": 0.97,
"classification_confidence": 0.97,
"precision_score": 110,
"precision_signals": [
"pat-0373",
"pat-0615"
],
"kb_rule_ids": [
"pat-0373",
"pat-0615"
],
"matched_patterns": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"matched_pattern_names": [
"MQTT protocol",
"MQTT alt CONNECT",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 49
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 97,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8cbaa0e25147458ba5f5f0e8603c4f19",
"path_pattern_hash": "4449b927317468afa12a2f935a413459"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 49
},
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"evidence": {
"request_sample": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "25ee486365e433518b45840730d49266b25f4c04",
"protocol_details": {
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "MQTT<AAAAA",
"attack_vector": "mqtt probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%",
"classification_reason_label_fr": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 97,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 49
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0373",
"pat-0615"
],
"tags_summary_labels_fr": [
"pat-0373",
"pat-0615"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0010\u0012\u0000\u0004MQTT\u0005\u0002\u0000<\u0000\u0000\u0005AAAAA",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "mqtt probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "MQTT<AAAAA",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"mqtt_connect",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
@RSYTCD: 29
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 3 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
@RSYTCD: 29
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "4052d053544300002032390a00010001",
"emulator_response_len": 16,
"bytes_in": 12,
"payload_entropy": 3.584962500721156,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b2993d6e4414a846683a71de5eb18653",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"payload_preview": "@RSYTCD: 29\n",
"request_sample": "@RSYTCD: 29\n",
"payload_snippet": "@RSYTCD: 29",
"evidence": {
"request_sample": "@RSYTCD: 29\n",
"payload_snippet": "@RSYTCD: 29",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bd66f7d3915a3156cc4cbd2f5819e94b256e66ee",
"protocol_details": {
"payload_preview": "@RSYTCD: 29",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "@RSYTCD: 29",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "@RSYTCD: 29",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "@RSYTCD: 29",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
oracle tns probe
oracle tns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
���������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123
Pourquoi cette classification : Type « oracle_tns_probe » (signaux protocolaires) · confiance 47%
Confiance classification
47%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 47 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0520
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Oracle TNS connect
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123
Requête brute (extrait)
��������<�,�������������:������������������������������(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=53)))
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "00ee800301000000013c012c000080007fff7f080000000100b4003a000004000000000000000000000000000000000000000000000000000000284445534352495054494f4e3d28434f4e4e4543545f444154413d28534552564943455f4e414d453d6e6f6e2d6162632d6578697374656e742d7365722d766963652d313233",
"emulator_response_len": 238,
"bytes_in": 238,
"payload_entropy": 5.115023504291628,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%",
"confidence": 0.47,
"classification_confidence": 0.47,
"precision_score": 56,
"precision_signals": [
"pat-0520"
],
"kb_rule_ids": [
"pat-0520"
],
"matched_patterns": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"Oracle TNS connect",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0520",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 47,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4be59595c5c961f90e9fe38dcaaaf9c2",
"path_pattern_hash": "420e91c120535c16728a9791d446fafc"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 45
},
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=53)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"evidence": {
"request_sample": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123-a-a-bc-asdf)(CID=(PROGRAM=sqlplus)(HOST=__jdbc__)(USER=)))(ADDRESS=(PROTOCOL=tcp)(HOST=62.3.50.33)(PORT=53)))",
"payload_snippet": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"classification_reason": "Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a79b7543fbedd2c52923ba0605d93d8eaf902533",
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"attack_vector": "oracle tns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%",
"classification_reason_label_fr": "Type \u00ab oracle_tns_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 47,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0520"
],
"tags_summary_labels_fr": [
"pat-0520"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\ufffd\u0000\u0000\u0001\u0000\u0000\u0000\u0001<\u0001,\u0000\u0000\ufffd\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000\ufffd\u0000:\u0000\u0000\u0004\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "oracle tns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd<,\ufffd\ufffd\ufffd:(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=non-abc-existent-ser-vice-123",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
Protocole TDS MSSQL
mssql tds · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 32
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
postgres_startup
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
���T����user�postgres�database�postgres�application_name�psql�client_encoding�UTF8��
Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 32
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0356
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
MSSQL TDS prelogin
ET H.323 setup
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
T����user�postgres�database�postgres�application_name�psql�client_encoding�UTF8
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "0054800300000000657200706f73746772657300646174616261736500706f737467726573006170706c69636174696f6e5f6e616d65007073716c00636c69656e745f656e636f64696e6700555446380000",
"emulator_response_len": 82,
"bytes_in": 84,
"payload_entropy": 4.139167728978457,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10
},
"risk_score": 32,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "41bf145ff35d88b3fa20d5f42614d666cab2dfc2",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0356"
],
"kb_rule_ids": [
"pat-0356"
],
"matched_patterns": [
"pat-0348",
"pat-0356",
"pat-0868",
"pat-0554"
],
"matched_pattern_names": [
"RDP TPKT header",
"MSSQL TDS prelogin",
"ET H.323 setup",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0348",
"pat-0356",
"pat-0868",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10,
"risk_score": 32
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "94e606a42613d0ef095b8001a98bf6ed",
"path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 32
},
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0bb7ec3809dcb02fc4f63d050acdbfe2aa769748",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8",
"attack_vector": "mssql tds \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10,
"risk_score": 32
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 32,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0356"
],
"tags_summary_labels_fr": [
"pat-0356"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000T\u0000\u0003\u0000\u0000user\u0000postgres\u0000database\u0000postgres\u0000application_name\u0000psql\u0000client_encoding\u0000UTF8\u0000\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "mssql tds \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "Tuserpostgresdatabasepostgresapplication_namepsqlclient_encodingUTF8",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe",
"postgres_startup",
"postgresql_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
Sonde RTSP
rtsp probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
OPTIONS rtsp://example.com RTSP/1.0 Cseq: 4801
Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0382
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
RTSP protocol
HTTP OPTIONS method
User-Agent
—
Règles WAF
—
Payload (extrait)
OPTIONS rtsp://example.com RTSP/1.0
Cseq: 4801
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "4f50d0434f4e0000727473703a2f2f6578616d706c652e636f6d20525453502f312e300d0a437365713a20343830310d0a0d0a",
"emulator_response_len": 51,
"bytes_in": 51,
"payload_entropy": 4.774887351563314,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0382"
],
"kb_rule_ids": [
"pat-0382"
],
"matched_patterns": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"RTSP protocol",
"HTTP OPTIONS method"
],
"pattern_ids": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 44
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4729ca6caad8d08f6cc6d141ab3abb08",
"path_pattern_hash": "b1dd2a100b4c2489a836875293183168"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 44
},
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 4801\r\n\r\n",
"request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 4801\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 4801",
"evidence": {
"request_sample": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 4801\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 4801",
"classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "684b58cafe86059536eaa65ae5e8cb925811f002",
"protocol_details": {
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 4801",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 4801",
"attack_vector": "rtsp probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0382"
],
"tags_summary_labels_fr": [
"pat-0382"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 4801",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "rtsp probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "OPTIONS rtsp:\/\/example.com RTSP\/1.0\r\nCseq: 4801",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "000081830000000000000000",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "136c5209db2645e97756c194727dfc874630a793",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "09cc2185acee4f4ad5805c1af1b8969057feadc4",
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
mqtt probe
mqtt probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 49
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
mqtt_connect
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
����MQTT���<��AAAAA
Pourquoi cette classification : Type « mqtt_probe » (signaux protocolaires) · confiance 97%
Confiance classification
97%
Risque capteur
Moyen
· 49
Confiance : Confiance 97 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0373
pat-0615
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MQTT protocol
MQTT alt CONNECT
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
����MQTT���<��AAAAA
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "101180034d5100000302003c00054141414141",
"emulator_response_len": 19,
"bytes_in": 19,
"payload_entropy": 3.281373409411991,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "72b6a90724b0c9c53493319cd9ace0921aa39735",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%",
"confidence": 0.97,
"classification_confidence": 0.97,
"precision_score": 110,
"precision_signals": [
"pat-0373",
"pat-0615"
],
"kb_rule_ids": [
"pat-0373",
"pat-0615"
],
"matched_patterns": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"matched_pattern_names": [
"MQTT protocol",
"MQTT alt CONNECT",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 49
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 97,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "146feb4208f989935534a353df60ec62",
"path_pattern_hash": "4449b927317468afa12a2f935a413459"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 49
},
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"evidence": {
"request_sample": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"payload_snippet": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "77852ae3f724dca078aae3a91bbeea5f7e750cca",
"protocol_details": {
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "MQTT<AAAAA",
"attack_vector": "mqtt probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%",
"classification_reason_label_fr": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 49\/100",
"confidence_pct": 97,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 49
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0373",
"pat-0615"
],
"tags_summary_labels_fr": [
"pat-0373",
"pat-0615"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0010\u0011\u0000\u0004MQTT\u0003\u0002\u0000<\u0000\u0005AAAAA",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "mqtt probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "MQTT<AAAAA",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 97 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 97 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"mqtt_connect",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
mongodb_probe
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
���(r������������������|��������������������
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0532
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
���(r������������������|
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "8000802372fe00000000000000000002000186a00001977c0000000000000000000000000000000000000000",
"emulator_response_len": 44,
"bytes_in": 44,
"payload_entropy": 1.9235205817738175,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 44,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "e0940d356b31a142aa2471c1184090e98e10f378",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0532"
],
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"service_name": "dns",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2a177602bee0d039f41fbd6da5240e04",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 44
},
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e44ccda04eb7975453022f0b298670a96e331356",
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd|",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0532"
],
"tags_summary_labels_fr": [
"pat-0532"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd(r\ufffd\ufffd\ufffd\ufffd|",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"mongodb_probe",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
���f�SMB@�����������������������������������������������������������$������������333333333333337����������
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0532
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
f�SMB@�����������������������������������������������������������$������������333333333333337����������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "0066f8534d4200000000000000000000001f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002400010001000000000000001333333333333333333333333333333700000000000000000202",
"emulator_response_len": 104,
"bytes_in": 106,
"payload_entropy": 1.562219115128654,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0532"
],
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"service_name": "dns",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c410cf23b3d85ec98026baf9f8231d24",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 44
},
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"evidence": {
"request_sample": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"payload_snippet": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2c808543def168ce91311d23cd424a5c577f90f5",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "f\ufffdSMB@$333333333333337",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0532"
],
"tags_summary_labels_fr": [
"pat-0532"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000f\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0013333333333333337\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0002",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "f\ufffdSMB@$333333333333337",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
1q����������
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
1q����������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "31718003000600000000000100010001",
"emulator_response_len": 16,
"bytes_in": 12,
"payload_entropy": 2.125814583693911,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"service_name": "dns",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "266ac3da010c1e757ff9269229ebf991",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 44
},
"payload_preview": "1q\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"request_sample": "1q\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"payload_snippet": "1q\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"evidence": {
"request_sample": "1q\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"payload_snippet": "1q\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "66e5b35d2fbfa988037a3daa2f4f85363a706cf5",
"protocol_details": {
"payload_preview": "1q\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "1q",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "1q\u0000\u0000\u0000\u0006\u0001\u0002\u0000\u0000\u0000\u0001",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "1q",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 3,
"behavior_priority": 84
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
*1 $4 PING
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 3 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Redis PING RESP
User-Agent
—
Règles WAF
—
Payload (extrait)
*1
$4
PING
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2a3188032434000050494e470d0a",
"emulator_response_len": 14,
"bytes_in": 14,
"payload_entropy": 3.128085278891395,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"matched_patterns": [
"pat-0414"
],
"matched_pattern_names": [
"Redis PING RESP"
],
"pattern_ids": [
"pat-0414"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a43cb6a3b9d261112714d00e36b33106",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"payload_preview": "*1\r\n$4\r\nPING\r\n",
"request_sample": "*1\r\n$4\r\nPING\r\n",
"payload_snippet": "*1\r\n$4\r\nPING",
"evidence": {
"request_sample": "*1\r\n$4\r\nPING\r\n",
"payload_snippet": "*1\r\n$4\r\nPING",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "19e01b7a782dad0299c231352dba8cac6b8e72c8",
"protocol_details": {
"payload_preview": "*1\r\n$4\r\nPING",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "*1\r\n$4\r\nPING",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "*1\r\n$4\r\nPING",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "*1\r\n$4\r\nPING",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
Sonde Kafka
kafka probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 32
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
���C�����3���consumer-Offset Explorer 2.2-18��apache-kafka-java�2.4.0�
Pourquoi cette classification : Type « kafka_probe » (signaux protocolaires) · confiance 47%
Confiance classification
47%
Confiance modérée — signal unique
Risque capteur
Faible
· 32
Confiance : Confiance 47 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0556
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Kafka ApiVersions key
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
C�����3���consumer-Offset Explorer 2.2-18��apache-kafka-java�2.4.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "0043801300000000f481001f636f6e73756d65722d4f6666736574204578706c6f72657220322e322d313800126170616368652d6b61666b612d6a61766106322e342e3000",
"emulator_response_len": 69,
"bytes_in": 71,
"payload_entropy": 4.83906190787142,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 32,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%",
"confidence": 0.47,
"classification_confidence": 0.47,
"precision_score": 56,
"precision_signals": [
"pat-0556"
],
"kb_rule_ids": [
"pat-0556"
],
"matched_patterns": [
"pat-0556",
"pat-0554"
],
"matched_pattern_names": [
"Kafka ApiVersions key",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0556",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 32
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 47,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d9bcc621186ef441cc445f2b3dbd5f10",
"path_pattern_hash": "369bfdf011acc5969bcb68a7ffd2ca13"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 32
},
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"payload_snippet": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"classification_reason": "Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"enterprise_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ef381c3c083f8504ca4405067cdbaf77c3d2f08b",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0",
"attack_vector": "kafka probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%",
"classification_reason_label_fr": "Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100",
"confidence_pct": 47,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 32
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 32,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0556"
],
"tags_summary_labels_fr": [
"pat-0556"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000C\u0000\u0012\u0000\u0000\u001e3\ufffd\u0000\u001fconsumer-Offset Explorer 2.2-18\u0000\u0012apache-kafka-java\u00062.4.0\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "kafka probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "C3\ufffdconsumer-Offset Explorer 2.2-18apache-kafka-java2.4.0",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 47 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 47 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
Sonde port 53/TCP
port 53 tcp · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
postgres_startup
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Preuve honeypot — Sonde port 53/TCP
Connexion détectée sur le port 53 (TCP) du capteur simulé.
Service
DNS
Payload
���#�����3�� adminclient-5������QIpaHM
Pourquoi cette classification : Type « port_53_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Moyen
· 40
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
#�����3��
adminclient-5������QIpaHM
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "0023800300000000f481000d61646d696e636c69656e742d3500000001000651497061484d",
"emulator_response_len": 37,
"bytes_in": 39,
"payload_entropy": 4.155818941810702,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10
},
"risk_score": 40,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "41bf145ff35d88b3fa20d5f42614d666cab2dfc2",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab port_53_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10,
"risk_score": 40
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "dns",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f4bd0f230dae03f5eb05799e4b695716",
"path_pattern_hash": "def7ea02376a5f19fdea0149e60f0047"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 40
},
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006QIpaHM",
"request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006QIpaHM",
"payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006QIpaHM",
"evidence": {
"request_sample": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006QIpaHM",
"payload_snippet": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006QIpaHM",
"classification_reason": "Type \u00ab port_53_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "097f2000bd042471dbe6ad97cffc7418facefcd8",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006QIpaHM",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "#3\ufffd\radminclient-5QIpaHM",
"attack_vector": "port 53 tcp \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_53_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_53_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 10,
"risk_score": 40
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000#\u0000\u0003\u0000\u0000\u001e3\ufffd\u0000\radminclient-5\u0000\u0000\u0000\u0001\u0000\u0006QIpaHM",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "port 53 tcp \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "#3\ufffd\radminclient-5QIpaHM",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe",
"postgres_startup",
"postgresql_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "000081830000000000000000",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "136c5209db2645e97756c194727dfc874630a793",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "09cc2185acee4f4ad5805c1af1b8969057feadc4",
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
Protocole TDS MSSQL
mssql tds · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
mssql_tds
net_mssql_tds
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
���X�����������%����&����'����+����,�$�� ��������������\�k��٪<�K�{��\2!$���7�b9JF,�����
Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Risque capteur
Faible
· 35
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0519
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
MSSQL TDS prelogin
Mumble ping
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���X�����������%����&����'����+����,�$�� ��������������\�k��٪<�K�{��\2!$���7�b9JF,�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "120180530000000000001f000601002500010200260001030027000404002b000105002c0024ff11090001000000000000000000f9b8cb5c946b891fd9aa3c134bd07b88035c322124a2818637cf62394a462cc600000000",
"emulator_response_len": 88,
"bytes_in": 88,
"payload_entropy": 4.354527413223707,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "131c44bef06b3eec0426a95f42dac240f023b776",
"event_fingerprint": "c9ffff3266d29ecccc315ba8ec89e74dda9d8388",
"classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 83,
"precision_signals": [
"pat-0519",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0519",
"INT-upstream"
],
"matched_patterns": [
"pat-0519",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"MSSQL TDS prelogin",
"Mumble ping",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0519",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0efe38694fbb4cc2af819186b5e9ae9e",
"path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 35
},
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"database_scan"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5dee0a68ef518fc8e787ab637745decd87c5ded2",
"protocol_details": {
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd",
"attack_vector": "mssql tds \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"classification_reason_label_fr": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0519",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0519",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0012\u0001\u0000X\u0000\u0000\u0001\u0000\u0000\u0000\u001f\u0000\u0006\u0001\u0000%\u0000\u0001\u0002\u0000&\u0000\u0001\u0003\u0000'\u0000\u0004\u0004\u0000+\u0000\u0001\u0005\u0000,\u0000$\ufffd\u0011\t\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u001f\u066a<\u0013K\ufffd{\ufffd\u0003\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd\u0000\u0000\u0000\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "mssql tds \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "X%&'+,$\ufffd\t\ufffd\ufffd\ufffd\\\ufffdk\ufffd\u066a<K\ufffd{\ufffd\\2!$\ufffd\ufffd\ufffd7\ufffdb9JF,\ufffd",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"mssql_tds",
"net_mssql_tds"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
0:��U�]�`2�����cn=fgaaocxnorwpmajnfivh��fgaaocxnorwpmajnfivh
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 3 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
0:��U�]�`2�����cn=fgaaocxnorwpmajnfivh��fgaaocxnorwpmajnfivh
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "303a80035506000060320201030417636e3d666761616f63786e6f7277706d616a6e666976688014666761616f63786e6f7277706d616a6e66697668",
"emulator_response_len": 60,
"bytes_in": 60,
"payload_entropy": 4.708985545926398,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 33,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "727321ea7d5587f5815b164c9e53b704",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"payload_preview": "0:\u0002\u0004U\u0006]\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=fgaaocxnorwpmajnfivh\ufffd\u0014fgaaocxnorwpmajnfivh",
"request_sample": "0:\u0002\u0004U\u0006]\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=fgaaocxnorwpmajnfivh\ufffd\u0014fgaaocxnorwpmajnfivh",
"payload_snippet": "0:\u0002\u0004U\u0006]\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=fgaaocxnorwpmajnfivh\ufffd\u0014fgaaocxnorwpmajnfivh",
"evidence": {
"request_sample": "0:\u0002\u0004U\u0006]\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=fgaaocxnorwpmajnfivh\ufffd\u0014fgaaocxnorwpmajnfivh",
"payload_snippet": "0:\u0002\u0004U\u0006]\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=fgaaocxnorwpmajnfivh\ufffd\u0014fgaaocxnorwpmajnfivh",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "54d4811ebb59697dfaa855a67269c3e0cbda2d89",
"protocol_details": {
"payload_preview": "0:\u0002\u0004U\u0006]\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=fgaaocxnorwpmajnfivh\ufffd\u0014fgaaocxnorwpmajnfivh",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "0:U]\ufffd`2cn=fgaaocxnorwpmajnfivh\ufffdfgaaocxnorwpmajnfivh",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "0:\u0002\u0004U\u0006]\ufffd`2\u0002\u0001\u0003\u0004\u0017cn=fgaaocxnorwpmajnfivh\ufffd\u0014fgaaocxnorwpmajnfivh",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "0:U]\ufffd`2cn=fgaaocxnorwpmajnfivh\ufffdfgaaocxnorwpmajnfivh",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "000081830000000000000000",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "136c5209db2645e97756c194727dfc874630a793",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "09cc2185acee4f4ad5805c1af1b8969057feadc4",
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
Sonde port 53/TCP
port 53 tcp · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 40
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Preuve honeypot — Sonde port 53/TCP
Connexion détectée sur le port 53 (TCP) du capteur simulé.
Service
DNS
Payload
��������������� ���
Pourquoi cette classification : Type « port_53_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Moyen
· 40
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "030080130ee00000000000010008000b000000",
"emulator_response_len": 19,
"bytes_in": 19,
"payload_entropy": 1.983740670882855,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 40,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab port_53_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 40
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "dns",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0003c8efa0acdc0c6540f4bdb920f6bc",
"path_pattern_hash": "def7ea02376a5f19fdea0149e60f0047"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 40
},
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_53_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a665f55ef7d528bbf8ffd8f38759e7656fcec00a",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "\ufffd",
"attack_vector": "port 53 tcp \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_53_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_53_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 40
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000\u0013\u000e\ufffd\u0000\u0000\u0000\u0000\u0000\u0001\u0000\b\u0000\u000b\u0000\u0000\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "port 53 tcp \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
��u������������version�bind�����
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0771
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�u������������version�bind�����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "001e7508800300010000000000000776657273696f6e0462696e640000100003",
"emulator_response_len": 32,
"bytes_in": 32,
"payload_entropy": 3.4681390622295662,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0771"
],
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"service_name": "dns",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3f61228eb3d6db1bb8e435e33a43bf2d",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 44
},
"payload_preview": "\u0000\u001eu\b\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"request_sample": "\u0000\u001eu\b\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"payload_snippet": "\u0000\u001eu\b\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"evidence": {
"request_sample": "\u0000\u001eu\b\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"payload_snippet": "\u0000\u001eu\b\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1106eafe0a223f456d86abe65d0290b0b0e5827a",
"protocol_details": {
"payload_preview": "\u0000\u001eu\b\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "uversionbind",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0771"
],
"tags_summary_labels_fr": [
"pat-0771"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u001eu\b\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "uversionbind",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "000081830000000000000000",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "136c5209db2645e97756c194727dfc874630a793",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "09cc2185acee4f4ad5805c1af1b8969057feadc4",
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "000081830000000000000000",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "136c5209db2645e97756c194727dfc874630a793",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "09cc2185acee4f4ad5805c1af1b8969057feadc4",
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
���=�����������version�bind�����
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0771
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��=�����������version�bind�����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "001ee53d800300010000000000000776657273696f6e0462696e640000100003",
"emulator_response_len": 32,
"bytes_in": 32,
"payload_entropy": 3.4681390622295662,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0771"
],
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"service_name": "dns",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "44cdd95b53000ae7469a2ce6e5200da0",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 44
},
"payload_preview": "\u0000\u001e\ufffd=\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"request_sample": "\u0000\u001e\ufffd=\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"payload_snippet": "\u0000\u001e\ufffd=\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"evidence": {
"request_sample": "\u0000\u001e\ufffd=\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"payload_snippet": "\u0000\u001e\ufffd=\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3c5ea0a053864579857a3e8547a4a45761a24256",
"protocol_details": {
"payload_preview": "\u0000\u001e\ufffd=\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "\ufffd=versionbind",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0771"
],
"tags_summary_labels_fr": [
"pat-0771"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u001e\ufffd=\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd=versionbind",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
Sonde PostgreSQL
postgres probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
������������~M$̜���b�ǚ�oK[�[���?u� n)v$o K����Y���2���� �����$�A�m��͊ca��2�+�/�,�0̨̩� ��� �������/�5��� �#�'�<������������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������~M$̜���b�ǚ�oK[�[���?u��n)v$o K����Y���2����
�����$�A�m��͊ca��2�+�/�,�0̨̩� ���
�������/�5���
�#�'�<������������
Requête brute (extrait)
������������~M$̜���b�ǚ�oK[�[���?u� n)v$o K����Y���2���� �����$�A�m��͊ca��2�+�/�,�0̨̩� ��� �������/�5��� �#�'�<���������������E� ��������������������������� � � ����������� �����������������������������+� ����������3��������ݩAm{d��S����'�����!v�r�E�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "16038003c4010000c00303d87e4d24cc9cd801936212c79aa86f4b5be95b117fade33f75cd0c6e2976246f204bb6b2b890598b1213320fb0a5fb0a98d5d3f9d02492419b6d1986cd8a6361cc0032c02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035c012000ac023c027003cc007c0110005130113021303",
"emulator_response_len": 1481,
"bytes_in": 1481,
"payload_entropy": 7.717984303620743,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 35,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "99ca9d090780dd2d2524bc6eeb1fe5cba81a3a64",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d534381ef6c246adddcb61ddc04c8408",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd~M$\u031c\ufffd\u0001\ufffdb\u0012\u01da\ufffdoK[\ufffd[\u0011\ufffd\ufffd?u\ufffd\fn)v$o K\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012\u00132\u000f\ufffd\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffdA\ufffdm\u0019\ufffd\u034aca\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd~M$\u031c\ufffd\u0001\ufffdb\u0012\u01da\ufffdoK[\ufffd[\u0011\ufffd\ufffd?u\ufffd\fn)v$o K\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012\u00132\u000f\ufffd\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffdA\ufffdm\u0019\ufffd\u034aca\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u0769Am{d\ufffd\ufffdS\u0017\ufffd\u0007\ufffd'\ufffd\u0003\u0013\ufffd\u0014!v\ufffdr\ufffdE\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd~M$\u031c\ufffd\u0001\ufffdb\u0012\u01da\ufffdoK[\ufffd[\u0011\ufffd\ufffd?u\ufffd\fn)v$o K\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012\u00132\u000f\ufffd\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffdA\ufffdm\u0019\ufffd\u034aca\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6b466a69013da273f07737c5b927ba8835d4d305",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd~M$\u031c\ufffd\u0001\ufffdb\u0012\u01da\ufffdoK[\ufffd[\u0011\ufffd\ufffd?u\ufffd\fn)v$o K\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012\u00132\u000f\ufffd\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffdA\ufffdm\u0019\ufffd\u034aca\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd~M$\u031c\ufffd\ufffdb\u01da\ufffdoK[\ufffd[\ufffd\ufffd?u\ufffdn)v$o K\ufffd\ufffd\ufffd\ufffdY\ufffd2\ufffd\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffdA\ufffdm\ufffd\u034aca\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd",
"attack_vector": "postgres probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 35
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd~M$\u031c\ufffd\u0001\ufffdb\u0012\u01da\ufffdoK[\ufffd[\u0011\ufffd\ufffd?u\ufffd\fn)v$o K\ufffd\ufffd\ufffd\ufffdY\ufffd\u0012\u00132\u000f\ufffd\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffdA\ufffdm\u0019\ufffd\u034aca\ufffd\u00002\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\ufffd#\ufffd'\u0000<\ufffd\u0007\ufffd\u0011\u0000\u0005\u0013\u0001\u0013\u0002\u0013\u0003",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "postgres probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd~M$\u031c\ufffd\ufffdb\u01da\ufffdoK[\ufffd[\ufffd\ufffd?u\ufffdn)v$o K\ufffd\ufffd\ufffd\ufffdY\ufffd2\ufffd\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffd\ufffd$\ufffdA\ufffdm\ufffd\u034aca\ufffd2\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd#\ufffd'<\ufffd\ufffd",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Moyen · 45
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
mongodb_hello_probe
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
;�������������������admin.$cmd��������������hello��������?�
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0771
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
;�������������������admin.$cmd��������������hello��������?
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "3b0080030100000000000000d40700000000000061646d696e2e24636d640000000000ffffffff140000000168656c6c6f00000000000000f03f00",
"emulator_response_len": 59,
"bytes_in": 59,
"payload_entropy": 2.8995922019042135,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 45,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "cce61760c11cffcbbdc897cc0b660cbe3029f8e6",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0771"
],
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"service_name": "dns",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "099fa502112a655c584d7b590ce9db78",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 45
},
"payload_preview": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"request_sample": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"payload_snippet": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"evidence": {
"request_sample": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"payload_snippet": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ecb0565a954deefe7f84db2eb5135d55ba88662d",
"protocol_details": {
"payload_preview": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": ";\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": [
"pat-0771"
],
"tags_summary_labels_fr": [
"pat-0771"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": ";\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u0014\u0000\u0000\u0000\u0001hello\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": ";\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffdhello\ufffd?",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"mongodb_hello_probe",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 34
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
http_get_probe
mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
GET / HTTP/1.1 Host: 62.3.50.33:53 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 34
Confiance : Confiance 0 % — 5 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:53
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:53 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "4745d0232f20000054502f312e310d0a486f73743a2036322e332e35302e33333a35330d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f",
"emulator_response_len": 187,
"bytes_in": 187,
"payload_entropy": 5.373516250625625,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 34,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "1eb0a2c3c16d154ff1eba5c1588a67575a8dae83",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a52ae78ba1f0319b50f64af9124c903b",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 34
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:53\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:53\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:53\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:53\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.0.0 Safari\/537.36\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:53\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "398651456e8bcc8d4b69f853640c66a73f3bac24",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:53\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:53\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 34\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 34
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 34,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:53\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:53\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"http_get_probe",
"mozi_pattern",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
dns_payload
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Service
DNS
Payload
�â���:雡#^p�R?8�l�q�.Эf�����և�*Ϥޜ����%!Nx��ǃ����Y�ۺ`j
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 3 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�â���:雡#^p�R?8�l�q�.Эf�����և�*Ϥޜ����%!Nx��ǃ����Y�ۺ`j
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "a0c3a023d7c00000b9e99ba1235e70af523f38086cbd71e92ed0ad66ad1389f9afd687de2acfa4de9c019b9e9e25214e78a503c7838c00f0f0b759e1dbba606a",
"emulator_response_len": 64,
"bytes_in": 64,
"payload_entropy": 5.71875,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 33,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b8c4aaf6dc0dcca2d5434fbaf863fbcc49abe4fe",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "eabcaf589e05d946fa7d229cee976c0b",
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"payload_preview": "\ufffd\u00e2\ufffd\ufffd\ufffd:\u05f9\u96e1#^p\ufffdR?8\bl\ufffdq\ufffd.\u042df\ufffd\u0013\ufffd\ufffd\ufffd\u0587\ufffd*\u03e4\u079c\u0001\ufffd\ufffd\ufffd%!Nx\ufffd\u0003\u01c3\ufffd\u0000\ufffd\ufffdY\ufffd\u06fa`j",
"request_sample": "\ufffd\u00e2\ufffd\ufffd\ufffd:\u05f9\u96e1#^p\ufffdR?8\bl\ufffdq\ufffd.\u042df\ufffd\u0013\ufffd\ufffd\ufffd\u0587\ufffd*\u03e4\u079c\u0001\ufffd\ufffd\ufffd%!Nx\ufffd\u0003\u01c3\ufffd\u0000\ufffd\ufffdY\ufffd\u06fa`j",
"payload_snippet": "\ufffd\u00e2\ufffd\ufffd\ufffd:\u05f9\u96e1#^p\ufffdR?8\bl\ufffdq\ufffd.\u042df\ufffd\u0013\ufffd\ufffd\ufffd\u0587\ufffd*\u03e4\u079c\u0001\ufffd\ufffd\ufffd%!Nx\ufffd\u0003\u01c3\ufffd\u0000\ufffd\ufffdY\ufffd\u06fa`j",
"evidence": {
"request_sample": "\ufffd\u00e2\ufffd\ufffd\ufffd:\u05f9\u96e1#^p\ufffdR?8\bl\ufffdq\ufffd.\u042df\ufffd\u0013\ufffd\ufffd\ufffd\u0587\ufffd*\u03e4\u079c\u0001\ufffd\ufffd\ufffd%!Nx\ufffd\u0003\u01c3\ufffd\u0000\ufffd\ufffdY\ufffd\u06fa`j",
"payload_snippet": "\ufffd\u00e2\ufffd\ufffd\ufffd:\u05f9\u96e1#^p\ufffdR?8\bl\ufffdq\ufffd.\u042df\ufffd\u0013\ufffd\ufffd\ufffd\u0587\ufffd*\u03e4\u079c\u0001\ufffd\ufffd\ufffd%!Nx\ufffd\u0003\u01c3\ufffd\u0000\ufffd\ufffdY\ufffd\u06fa`j",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4d8eaa905a173b27e74989f68a9b00736bfd777c",
"protocol_details": {
"payload_preview": "\ufffd\u00e2\ufffd\ufffd\ufffd:\u05f9\u96e1#^p\ufffdR?8\bl\ufffdq\ufffd.\u042df\ufffd\u0013\ufffd\ufffd\ufffd\u0587\ufffd*\u03e4\u079c\u0001\ufffd\ufffd\ufffd%!Nx\ufffd\u0003\u01c3\ufffd\u0000\ufffd\ufffdY\ufffd\u06fa`j",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"evidence_snippet": "\ufffd\u00e2\ufffd\ufffd\ufffd:\u05f9\u96e1#^p\ufffdR?8l\ufffdq\ufffd.\u042df\ufffd\ufffd\ufffd\ufffd\u0587\ufffd*\u03e4\u079c\ufffd\ufffd\ufffd%!Nx\ufffd\u01c3\ufffd\ufffd\ufffdY\ufffd\u06fa`j",
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\ufffd\u00e2\ufffd\ufffd\ufffd:\u05f9\u96e1#^p\ufffdR?8\bl\ufffdq\ufffd.\u042df\ufffd\u0013\ufffd\ufffd\ufffd\u0587\ufffd*\u03e4\u079c\u0001\ufffd\ufffd\ufffd%!Nx\ufffd\u0003\u01c3\ufffd\u0000\ufffd\ufffdY\ufffd\u06fa`j",
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\u00e2\ufffd\ufffd\ufffd:\u05f9\u96e1#^p\ufffdR?8l\ufffdq\ufffd.\u042df\ufffd\ufffd\ufffd\ufffd\u0587\ufffd*\u03e4\u079c\ufffd\ufffd\ufffd%!Nx\ufffd\u01c3\ufffd\ufffd\ufffdY\ufffd\u06fa`j",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"dns_payload",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
53 · DNS
|
dns
|
dns probe
dns probe · via DNS:53 · (sonde / probe)
|
Élevée
|
Faible · 33
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
DNS
WAF
—
Recommandation
Surveiller
Tags
dns_emulated
net_dns_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
53
Chemin / cible
—
Pourquoi cette classification : Type « dns_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 33
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "000081830000000000000000",
"emulator_response_len": 12,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "dns",
"app_proto": "dns",
"asn": 396982,
"country": "BE",
"dst_port": 53,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0
},
"risk_score": 33,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "136c5209db2645e97756c194727dfc874630a793",
"event_fingerprint": "a8ecfe27665a94483df3963a81bc8aaa2d3740ad",
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"named_classification_skipped": false,
"service_name": "dns",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "BE",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "1ff272bdca0ffa92c866625cbd3295f6"
},
"target_context": {
"dst_port": 53,
"service": "dns",
"service_name": "dns",
"risk_score": 33
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "09cc2185acee4f4ad5805c1af1b8969057feadc4",
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab dns_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 33\/100",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 0,
"risk_score": 33
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 33,
"risk_label": "Faible",
"service_name": "dns",
"service_label_fr": "DNS",
"dst_port": 53,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-dns",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 53,
"service": "dns",
"service_label_fr": "DNS"
},
"attack_vector": "dns probe \u00b7 via DNS:53 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "53 \u00b7 DNS",
"emulator_service": "dns",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "dns",
"service_banner": "honeypot-dns",
"service_os": "linux",
"dst_port": "53"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"dns_emulated",
"net_dns_probe"
],
"asn_dc_heuristic": true
}
|