15/06/2026 15:35:05 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /config/app.ini HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: python-requests/2.32.3 Accept: text/html,application/xhtml+xml
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /config/app.ini HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: python-requests/2.32.3
Accept: text/html,application/xhtml+xml
Requête brute (extrait)
GET /config/app.ini HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: python-requests/2.32.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://www.bing.com/ Co
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 275,
"payload_entropy": 5.270704449602365,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 42,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "035bebebeb33b8eabd5c3826c4834dd21e0c44c6",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0103"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0284",
"pat-0103"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9609e8106d6ab1d7e632d47c6ee2bc21",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 42
},
"payload_preview": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml",
"request_sample": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/www.bing.com\/\r\nCo",
"payload_snippet": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml",
"evidence": {
"request_sample": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/www.bing.com\/\r\nCo",
"payload_snippet": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "203ace0f4368292fa5593d6131817ad2de28240c",
"protocol_details": {
"payload_preview": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"net_kubernetes_probe",
"redis_config_probe"
]
}
15/06/2026 15:35:05 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /adminer.php HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
ES admin GET
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /adminer.php HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15
Requête brute (extrait)
GET /adminer.php HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accep
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 333,
"payload_entropy": 5.398185087845876,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "ef86356910d7f7cdd52447d2d53697ca6a0c79fa",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0341"
],
"matched_pattern_names": [
"CRS 941130",
"ES admin GET"
],
"pattern_ids": [
"pat-0284",
"pat-0341"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c1db82bcc09e7dbafe28eae5d1d9fb4d",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 ",
"request_sample": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccep",
"payload_snippet": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"evidence": {
"request_sample": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccep",
"payload_snippet": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "87d30a3cdc6f250ed90974eb5ba061d2514229c7",
"protocol_details": {
"payload_preview": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_kubernetes_probe"
]
}
15/06/2026 15:35:05 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /.DS_Store HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 7 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /.DS_Store HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126
Requête brute (extrait)
GET /.DS_Store HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: i
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 316,
"payload_entropy": 5.453033047689584,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "2e6e59e999793247b159f232f5a5fd76682722c2",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5a8ae9d6cd5b7a1e5dc32f3dbc122c99",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126",
"request_sample": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: i",
"payload_snippet": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126",
"evidence": {
"request_sample": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: i",
"payload_snippet": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5618f546d5962c5547798ab323be520b63244555",
"protocol_details": {
"payload_preview": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_kubernetes_probe",
"tor_exit_probe"
]
}
15/06/2026 15:35:05 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /docs/api.html HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.1
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /docs/api.html HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.1
Requête brute (extrait)
GET /docs/api.html HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Acc
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 331,
"payload_entropy": 5.387386729302599,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "ef86356910d7f7cdd52447d2d53697ca6a0c79fa",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8a669c0253fc521cf4eae479ca01eea0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1",
"request_sample": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAcc",
"payload_snippet": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1",
"evidence": {
"request_sample": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAcc",
"payload_snippet": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bccfc94a6b4775302383df8fc13aec56bc57129e",
"protocol_details": {
"payload_preview": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.1",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_kubernetes_probe"
]
}
15/06/2026 15:35:04 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /dump.sql HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: python-requests/2.32.3 Accept: text/html,application/xhtml+xml,appli
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 5 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /dump.sql HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: python-requests/2.32.3
Accept: text/html,application/xhtml+xml,appli
Requête brute (extrait)
GET /dump.sql HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: python-requests/2.32.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ Connection
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 267,
"payload_entropy": 5.2764831000105366,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "779b413768864c7b9c97862a39322b83a3bf76f5",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0103"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0284",
"pat-0103"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "43a5a8d0d772d85b60a11dadadec6b14",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 42
},
"payload_preview": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"request_sample": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection",
"payload_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"evidence": {
"request_sample": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection",
"payload_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d22e9753b50c3dff71b5bda5ce74371a7cad26f1",
"protocol_details": {
"payload_preview": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"net_kubernetes_probe"
]
}
15/06/2026 15:35:04 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /status HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /status HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Requête brute (extrait)
GET /status HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: iden
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 317,
"payload_entropy": 5.430547952960944,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "ef86356910d7f7cdd52447d2d53697ca6a0c79fa",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "23942034703f561fec33b8f9b0d238a1",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r",
"request_sample": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: iden",
"payload_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"evidence": {
"request_sample": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: iden",
"payload_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "aa0725ca83f602a242891082fc4acb85f53d6d11",
"protocol_details": {
"payload_preview": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_kubernetes_probe"
]
}
15/06/2026 15:35:04 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /web.config HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/12
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 7 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /web.config HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/12
Requête brute (extrait)
GET /web.config HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 321,
"payload_entropy": 5.435384777412616,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "af2a2b7f09cf253b1d9837e5b38ec9f9711ed2af",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9fd7af0f581c874b9adbab0d28155d0d",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: ",
"payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"evidence": {
"request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: ",
"payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bb269d4221760b692dcb51353fd08f9c2027515b",
"protocol_details": {
"payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_kubernetes_probe",
"redis_config_probe"
]
}
15/06/2026 15:35:04 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /.svn/entries HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /.svn/entries HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/
Requête brute (extrait)
GET /.svn/entries HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 323,
"payload_entropy": 5.417432427291201,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "ef86356910d7f7cdd52447d2d53697ca6a0c79fa",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1a859093e8f052bb9a0b268660aec47b",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"request_sample": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding",
"payload_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"evidence": {
"request_sample": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding",
"payload_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "724746f9b35d5224e4b21a15fdd7b8d8dd645c89",
"protocol_details": {
"payload_preview": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_kubernetes_probe"
]
}
15/06/2026 15:35:03 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /info.php HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /info.php HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.
Requête brute (extrait)
GET /info.php HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: id
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 317,
"payload_entropy": 5.443370691732385,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "ef86356910d7f7cdd52447d2d53697ca6a0c79fa",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "01351afb7d57e47bbef807beb61822f0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.",
"request_sample": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: id",
"payload_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.",
"evidence": {
"request_sample": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: id",
"payload_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f68ea6cf1bf49526d2a8017f6db5998339448668",
"protocol_details": {
"payload_preview": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_kubernetes_probe"
]
}
15/06/2026 15:35:03 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /.git/config HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrom
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 7 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /.git/config HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrom
Requête brute (extrait)
GET /.git/config HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 343,
"payload_entropy": 5.408586760177861,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "af2a2b7f09cf253b1d9837e5b38ec9f9711ed2af",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fdc9e0154e44721cd6ee76e8150b881d",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"evidence": {
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b1459c24caa81038d717d973f3cfc1159d658bcf",
"protocol_details": {
"payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_kubernetes_probe",
"redis_config_probe"
]
}
15/06/2026 15:35:03 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /wp-config.php.bak HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: curl/8.5.0 Accept: text/html,application/xhtml+xml,applicat
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 933111
CRS 941130
LFI Double-dot bypass
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /wp-config.php.bak HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: curl/8.5.0
Accept: text/html,application/xhtml+xml,applicat
Requête brute (extrait)
GET /wp-config.php.bak HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: curl/8.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ Connection: c
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 264,
"payload_entropy": 5.30277842380619,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 42,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "035bebebeb33b8eabd5c3826c4834dd21e0c44c6",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0160",
"pat-0284",
"pat-0103"
],
"matched_pattern_names": [
"CRS 933111",
"CRS 941130",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0160",
"pat-0284",
"pat-0103"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e4dd252b2df871892781a8a15ba5fad0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 42
},
"payload_preview": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,applicat",
"request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: c",
"payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,applicat",
"evidence": {
"request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: c",
"payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,applicat",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "25f1a950cf0e03c3d231a613351a4950c7ab973a",
"protocol_details": {
"payload_preview": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,applicat",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,applicat",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,applicat",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,applicat",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"net_kubernetes_probe",
"redis_config_probe"
]
}
15/06/2026 15:35:03 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /config.php.bak HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 7 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 933111
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /config.php.bak HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch
Requête brute (extrait)
GET /config.php.bak HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 346,
"payload_entropy": 5.432094518438787,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "af2a2b7f09cf253b1d9837e5b38ec9f9711ed2af",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0160",
"pat-0284"
],
"matched_pattern_names": [
"CRS 933111",
"CRS 941130"
],
"pattern_ids": [
"pat-0160",
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9a8703ec9e7f081864b6a623bc8ce11b",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"request_sample": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en",
"payload_snippet": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"evidence": {
"request_sample": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en",
"payload_snippet": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c69a165346c8178881e9793f6979a0a9fa4a70ed",
"protocol_details": {
"payload_preview": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_kubernetes_probe",
"redis_config_probe"
]
}
15/06/2026 15:35:03 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /backup.zip HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: curl/8.5.0 Accept: text/html,application/xhtml+xml,application/xml
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 5 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /backup.zip HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: curl/8.5.0
Accept: text/html,application/xhtml+xml,application/xml
Requête brute (extrait)
GET /backup.zip HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: curl/8.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 257,
"payload_entropy": 5.303303614388706,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "779b413768864c7b9c97862a39322b83a3bf76f5",
"event_fingerprint": "5535c85e0f6854b807e5b9ef895f87dbea310cc1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0103"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0284",
"pat-0103"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "999cd521566a6ee8b988cfdce2d68673",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 42
},
"payload_preview": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml",
"request_sample": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml",
"evidence": {
"request_sample": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6928e680340d5991d07320f06717868a7022bc96",
"protocol_details": {
"payload_preview": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"payload_preview": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +19",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"net_kubernetes_probe"
]
}
15/06/2026 15:35:02 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /config/app.ini
Élevée
Moyen · 61
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /config/app.ini UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch…
Émulateur
HTTP
WAF
25
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/config/app.ini
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/config/app.ini
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 61
Confiance : Confiance 100 % — 4 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
Ligne de requête
GET /config/app.ini HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36
Règles WAF
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /config/app.ini HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch
Requête brute (extrait)
GET /config/app.ini HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "ini",
"http_ua_hash": "61b2fb88348adb0c454f69364a0bf16d1c9d26e5",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "b6d5fdee24cfea7a2c978babc77ece80be9123d9",
"http_referer_hash": "7c774392df25c0990a337dc8b862b783cd881b51",
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 344,
"payload_entropy": 5.410698356252914,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 61,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "2ecea77cc80e22c2333374cdb930c0a2f0b705fb",
"event_fingerprint": "46c328780cd40ab42544782f0d388d36b732a795",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "dbab6c4c65f4e975e43617cd246fbb8c",
"payload_hash": "cbdbbbef04363c6c18db662111d3eef8",
"path_pattern_hash": "25fbf2e88fdb756ed2c34b457498f42d"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 61
},
"payload_preview": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"method": "GET",
"path": "\/config\/app.ini",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/config\/app.ini HTTP\/1.1",
"request_sample": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en",
"payload_snippet": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"evidence": {
"method": "GET",
"path": "\/config\/app.ini",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/config\/app.ini HTTP\/1.1",
"request_sample": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en",
"payload_snippet": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "933de343f3911fb565b677570efece920c3b0492",
"protocol_details": {
"http_method": "GET",
"http_path": "\/config\/app.ini",
"request_line": "GET \/config\/app.ini HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/config\/app.ini",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 61,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/config\/app.ini",
"request_line": "GET \/config\/app.ini HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/config\/app.ini",
"evidence_snippet": "GET \/config\/app.ini HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Ch",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"http_probe_config",
"net_web_probe"
]
}
15/06/2026 15:35:02 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /status
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
MITRE
TA0043
TA0043
Protocole
GET /status UA python-requests/2.32.3
Émulateur
HTTP
WAF
22
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
scanner-ua
Cible HTTP
GET
/status
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/status
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 50%
Confiance classification
69%
Corrélation +19
Risque capteur
Moyen
· 55
Confiance : Confiance 50 % — 4 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Technique MITRE
TA0043
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
Ligne de requête
GET /status HTTP/1.1
User-Agent
python-requests/2.32.3
Règles WAF
rce-0
ssrf-3
nosqli-3
scanner-ua
Payload (extrait)
GET /status HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: python-requests/2.32.3
Accept: text/html,application/xhtml+xml,applica
Requête brute (extrait)
GET /status HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: python-requests/2.32.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ Connection:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": "ae09ca118a34f21eadeb922152bc0d66d5b1783f",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "af24ddb2864923603b3fa1d79a557e18e6080953",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 265,
"payload_entropy": 5.243697525643594,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 96,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 96,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 55,
"tag_count": 8,
"anomaly_count": 1,
"campaign_key": "ab9fd5b4596e9d3426702fc99c3c20d4fc8cf11b",
"event_fingerprint": "8002dbcdce8d628b0e62a91500fadfc84e28a6ab",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0103"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0284",
"pat-0103"
],
"confidence_breakdown": {
"waf": 96,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 55,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bcea973b42c25e2780c70435dae7b4a0",
"payload_hash": "1c6bbbcdd88db6a3859443a97894e131",
"path_pattern_hash": "ae4267a01f1269fbbf4824d26cf3bb22"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,applica",
"method": "GET",
"path": "\/status",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"scanner-ua"
],
"request_line": "GET \/status HTTP\/1.1",
"request_sample": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: ",
"payload_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,applica",
"evidence": {
"method": "GET",
"path": "\/status",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"scanner-ua"
],
"request_line": "GET \/status HTTP\/1.1",
"request_sample": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: ",
"payload_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,applica",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre": "TA0043",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d07ee2b8e5a17f27b5986732a94438ccbf41840c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/status",
"request_line": "GET \/status HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,applica",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/status",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 69 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 96,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 55,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0043",
"mitre_technique": "TA0043",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/status",
"request_line": "GET \/status HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/status",
"evidence_snippet": "GET \/status HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,applica",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"anomaly:scanner-ua",
"http_probe_status",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:35:02 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /web.config
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /web.config UA Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefo…
Émulateur
HTTP
WAF
19
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
http_sensitive_path
Cible HTTP
GET
/web.config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/web.config
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI IIS web.config
Ligne de requête
GET /web.config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Règles WAF
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /web.config HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/12
Requête brute (extrait)
GET /web.config HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "config",
"http_ua_hash": "880d0c120dbf4497314046742f2cb6dbd4be704d",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "fb61e36fe9095535f127e3353d957f1c1310e8e9",
"http_referer_hash": "595c3cce2409a55c13076f1bac5edee529fc2e58",
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 321,
"payload_entropy": 5.422450715104411,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 84,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 55,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "480b9acad89211481263cecadf14486b162a31f1",
"event_fingerprint": "471e4385442f4b960146578510a7bcb25af0e0c2",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0120"
],
"matched_pattern_names": [
"CRS 941130",
"LFI IIS web.config"
],
"pattern_ids": [
"pat-0284",
"pat-0120"
],
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 55,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a59685e43b0ef4fb9f3e6765d2231094",
"payload_hash": "a4d954522fa64a4d30c97478a120b51a",
"path_pattern_hash": "0913647d7e838cdd727ceda37a671f37"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"method": "GET",
"path": "\/web.config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/web.config HTTP\/1.1",
"request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: ",
"payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"evidence": {
"method": "GET",
"path": "\/web.config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/web.config HTTP\/1.1",
"request_sample": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: ",
"payload_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "28ec0f39a02a489f5019b2c52e40ede8f136bfa5",
"protocol_details": {
"http_method": "GET",
"http_path": "\/web.config",
"request_line": "GET \/web.config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/web.config",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 55,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/web.config",
"request_line": "GET \/web.config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/web.config",
"evidence_snippet": "GET \/web.config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_sensitive_path",
"net_web_probe"
]
}
15/06/2026 15:35:02 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /config.php.bak
Élevée
Moyen · 62
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /config.php.bak UA curl/8.5.0
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950521:leak-8
Cible HTTP
GET
/config.php.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/config.php.bak
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 62
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 933111
CRS 941130
LFI Double-dot bypass
LFI Generic config.php
Ligne de requête
GET /config.php.bak HTTP/1.1
User-Agent
curl/8.5.0
Règles WAF
rce-0
ssrf-3
nosqli-3
leak-8
scanner-ua
Payload (extrait)
GET /config.php.bak HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: curl/8.5.0
Accept: text/html,application/xhtml+xml,application
Requête brute (extrait)
GET /config.php.bak HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: curl/8.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://www.google.com/ Connection:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "bak",
"http_ua_hash": "2de5c12e398bc6e09d9f64dfa317a27082e393cf",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "f4e5344862db3f007de9149164d79b088f516034",
"http_referer_hash": "595c3cce2409a55c13076f1bac5edee529fc2e58",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 265,
"payload_entropy": 5.268599614681096,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 62,
"tag_count": 11,
"anomaly_count": 1,
"campaign_key": "2e57ce9b6ff812a2def72410239e408b42355d7b",
"event_fingerprint": "a51dc13fbf729da578340fa86f2277ac995b989d",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0160",
"pat-0284",
"pat-0103",
"pat-0118"
],
"matched_pattern_names": [
"CRS 933111",
"CRS 941130",
"LFI Double-dot bypass",
"LFI Generic config.php"
],
"pattern_ids": [
"pat-0160",
"pat-0284",
"pat-0103",
"pat-0118"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "07d1d539047ef01990ffd8266d015775",
"payload_hash": "282fba46d7d623912de0ef9ecf7452c7",
"path_pattern_hash": "456c6182b7d24690c48a4170c38e6d4b"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application",
"method": "GET",
"path": "\/config.php.bak",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950521:leak-8",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-8",
"scanner-ua"
],
"request_line": "GET \/config.php.bak HTTP\/1.1",
"request_sample": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/www.google.com\/\r\nConnection: ",
"payload_snippet": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application",
"evidence": {
"method": "GET",
"path": "\/config.php.bak",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950521:leak-8",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-8",
"scanner-ua"
],
"request_line": "GET \/config.php.bak HTTP\/1.1",
"request_sample": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/www.google.com\/\r\nConnection: ",
"payload_snippet": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "51c2b1f77111326b3f01964ae6391d8e58ef6b6c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/config.php.bak",
"request_line": "GET \/config.php.bak HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/config.php.bak",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/config.php.bak",
"request_line": "GET \/config.php.bak HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/config.php.bak",
"evidence_snippet": "GET \/config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950521:leak-8",
"anomaly:scanner-ua",
"http_backup_file_scan",
"http_backup_path",
"http_sensitive_path",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:35:02 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /docs/api.html
Élevée
Moyen · 61
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /docs/api.html UA curl/8.5.0
Émulateur
HTTP
WAF
28
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/docs/api.html
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/docs/api.html
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 61
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
Ligne de requête
GET /docs/api.html HTTP/1.1
User-Agent
curl/8.5.0
Règles WAF
rce-0
ssrf-3
nosqli-3
scanner-ua
Payload (extrait)
GET /docs/api.html HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: curl/8.5.0
Accept: text/html,application/xhtml+xml,application/
Requête brute (extrait)
GET /docs/api.html HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: curl/8.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "html",
"http_ua_hash": "2de5c12e398bc6e09d9f64dfa317a27082e393cf",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "383380ff23d44e26157e64c10e7b30efe48f3e03",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 260,
"payload_entropy": 5.235070332716683,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 61,
"tag_count": 8,
"anomaly_count": 1,
"campaign_key": "244aeb3457260b8becfb01c5a8288c41144d3bc9",
"event_fingerprint": "8b09c0697b4eb17939968830b5f06bf339843d1b",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0103"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0284",
"pat-0103"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 61,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "07d1d539047ef01990ffd8266d015775",
"payload_hash": "d891f8cef5d338fc9d79e49d65d08480",
"path_pattern_hash": "dff9ab91d824ba80eda0b5e6e8fb168b"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 61
},
"payload_preview": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/",
"method": "GET",
"path": "\/docs\/api.html",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"scanner-ua"
],
"request_line": "GET \/docs\/api.html HTTP\/1.1",
"request_sample": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: close",
"payload_snippet": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/",
"evidence": {
"method": "GET",
"path": "\/docs\/api.html",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"scanner-ua"
],
"request_line": "GET \/docs\/api.html HTTP\/1.1",
"request_sample": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: close",
"payload_snippet": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9771dd7ae851f51da285614f298ab0890136cb8d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/docs\/api.html",
"request_line": "GET \/docs\/api.html HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/docs\/api.html",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 61,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 61,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/docs\/api.html",
"request_line": "GET \/docs\/api.html HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/docs\/api.html",
"evidence_snippet": "GET \/docs\/api.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"anomaly:scanner-ua",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:35:02 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /.svn/entries
Élevée
Moyen · 61
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /.svn/entries UA Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefo…
Émulateur
HTTP
WAF
33
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/.svn/entries
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/.svn/entries
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 61
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
ET .svn entries
Probe /.svn/entries
Ligne de requête
GET /.svn/entries HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Règles WAF
rce-0
ssrf-3
nosqli-3
leak-6
Payload (extrait)
GET /.svn/entries HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/
Requête brute (extrait)
GET /.svn/entries HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "svn\/entries",
"http_ua_hash": "880d0c120dbf4497314046742f2cb6dbd4be704d",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "fec28f2e1aabccf1f7e02d7f5d2dd9dd95703725",
"http_referer_hash": "7c774392df25c0990a337dc8b862b783cd881b51",
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 321,
"payload_entropy": 5.420619350654567,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 61,
"tag_count": 8,
"anomaly_count": 0,
"campaign_key": "2853b1b9e1e6529091a7863991bd0e13419e6e88",
"event_fingerprint": "cd8cd522126d4b77a53b242af565821cf5ffad0c",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0750",
"pat-0201"
],
"matched_pattern_names": [
"CRS 941130",
"ET .svn entries",
"Probe \/.svn\/entries"
],
"pattern_ids": [
"pat-0284",
"pat-0750",
"pat-0201"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a59685e43b0ef4fb9f3e6765d2231094",
"payload_hash": "e7b633030a26291179c9b4b1151ed5cc",
"path_pattern_hash": "a8bfcf5717c2407f76d3bb4e6b62379c"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 61
},
"payload_preview": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"method": "GET",
"path": "\/.svn\/entries",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950519:leak-6"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-6"
],
"request_line": "GET \/.svn\/entries HTTP\/1.1",
"request_sample": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding",
"payload_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"evidence": {
"method": "GET",
"path": "\/.svn\/entries",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950519:leak-6"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-6"
],
"request_line": "GET \/.svn\/entries HTTP\/1.1",
"request_sample": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding",
"payload_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "919376342aae9b6e9b8bfe6a32965ad9085cbaad",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.svn\/entries",
"request_line": "GET \/.svn\/entries HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.svn\/entries",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 61,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.svn\/entries",
"request_line": "GET \/.svn\/entries HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.svn\/entries",
"evidence_snippet": "GET \/.svn\/entries HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950519:leak-6",
"http_probe_svn",
"http_sensitive_path",
"net_web_probe"
]
}
15/06/2026 15:35:01 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /info.php
Élevée
Moyen · 60
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /info.php UA python-requests/2.32.3
Émulateur
HTTP
WAF
22
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
scanner-ua
Cible HTTP
GET
/info.php
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/info.php
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 60
Confiance : Confiance 100 % — 4 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
Ligne de requête
GET /info.php HTTP/1.1
User-Agent
python-requests/2.32.3
Règles WAF
rce-0
ssrf-3
nosqli-3
scanner-ua
Payload (extrait)
GET /info.php HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: python-requests/2.32.3
Accept: text/html,application/xhtml+xml,appli
Requête brute (extrait)
GET /info.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: python-requests/2.32.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ Connection
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "php",
"http_ua_hash": "ae09ca118a34f21eadeb922152bc0d66d5b1783f",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "068dbe886744caa8c17ff08053d93aa8001f5bdd",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 267,
"payload_entropy": 5.247732935937935,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 96,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.7,
"risk_breakdown": {
"waf": 96,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 60,
"tag_count": 7,
"anomaly_count": 1,
"campaign_key": "973d8923003acbae0aa82479b53e1238c798b4d6",
"event_fingerprint": "801b2067e2b5997b78fd77194cebadea3623620b",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0103"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass"
],
"pattern_ids": [
"pat-0284",
"pat-0103"
],
"confidence_breakdown": {
"waf": 96,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 60,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bcea973b42c25e2780c70435dae7b4a0",
"payload_hash": "462fe63375e2b63ec192a0fda3f64685",
"path_pattern_hash": "f698c64f9b430a098de679bb708946c6"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 60
},
"payload_preview": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"method": "GET",
"path": "\/info.php",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"scanner-ua"
],
"request_line": "GET \/info.php HTTP\/1.1",
"request_sample": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection",
"payload_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"evidence": {
"method": "GET",
"path": "\/info.php",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"scanner-ua"
],
"request_line": "GET \/info.php HTTP\/1.1",
"request_sample": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection",
"payload_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a3bdf38b231931164ebd1fa2474e2ddc823323db",
"protocol_details": {
"http_method": "GET",
"http_path": "\/info.php",
"request_line": "GET \/info.php HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/info.php",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 96,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 60,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 60,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/info.php",
"request_line": "GET \/info.php HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/info.php",
"evidence_snippet": "GET \/info.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appli",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"anomaly:scanner-ua",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:35:01 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /backup.zip
Élevée
Moyen · 60
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /backup.zip UA python-requests/2.32.3
Émulateur
HTTP
WAF
22
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
scanner-ua
Cible HTTP
GET
/backup.zip
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/backup.zip
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 60
Confiance : Confiance 100 % — 4 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
Probe /backup.zip
Ligne de requête
GET /backup.zip HTTP/1.1
User-Agent
python-requests/2.32.3
Règles WAF
rce-0
ssrf-3
nosqli-3
scanner-ua
Payload (extrait)
GET /backup.zip HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: python-requests/2.32.3
Accept: text/html,application/xhtml+xml,app
Requête brute (extrait)
GET /backup.zip HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: python-requests/2.32.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ Connecti
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "zip",
"http_ua_hash": "ae09ca118a34f21eadeb922152bc0d66d5b1783f",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "120464334a09253351ef1d72ea024ff0a6ce1548",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 269,
"payload_entropy": 5.284299667012065,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 96,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 96,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 60,
"tag_count": 10,
"anomaly_count": 1,
"campaign_key": "4eb9335ba3e8b3d6a35396ef13f699feea9903ba",
"event_fingerprint": "2d1f12dc1ef0495e251da588ab79e27ba433b982",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0103",
"pat-0243"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass",
"Probe \/backup.zip"
],
"pattern_ids": [
"pat-0284",
"pat-0103",
"pat-0243"
],
"confidence_breakdown": {
"waf": 96,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 60,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bcea973b42c25e2780c70435dae7b4a0",
"payload_hash": "35723d5758915634484201e0502bd278",
"path_pattern_hash": "971e61c28ff9d3ddfc07b15126d7c0c7"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 60
},
"payload_preview": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,app",
"method": "GET",
"path": "\/backup.zip",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"scanner-ua"
],
"request_line": "GET \/backup.zip HTTP\/1.1",
"request_sample": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnecti",
"payload_snippet": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,app",
"evidence": {
"method": "GET",
"path": "\/backup.zip",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"scanner-ua"
],
"request_line": "GET \/backup.zip HTTP\/1.1",
"request_sample": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnecti",
"payload_snippet": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,app",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bcb68592f522a31af447fb17dfafa73e6576cd9a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backup.zip",
"request_line": "GET \/backup.zip HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,app",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup.zip",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 96,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 60,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 60,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/backup.zip",
"request_line": "GET \/backup.zip HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/backup.zip",
"evidence_snippet": "GET \/backup.zip HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,app",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 96 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"anomaly:scanner-ua",
"http_backup_file_scan",
"http_backup_path",
"http_probe_backup",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:35:01 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /wp-config.php.bak
Élevée
Moyen · 62
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /wp-config.php.bak UA python-requests/2.32.3
Émulateur
HTTP
WAF
38
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950518:leak-5
Cible HTTP
GET
/wp-config.php.bak
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/wp-config.php.bak
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 62
Confiance : Confiance 100 % — 6 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 933111
CRS 941130
LFI Double-dot bypass
LFI WordPress config backup
Probe /wp-config.php
Ligne de requête
GET /wp-config.php.bak HTTP/1.1
User-Agent
python-requests/2.32.3
Règles WAF
rce-0
ssrf-3
nosqli-3
leak-5
leak-8
scanner-ua
Payload (extrait)
GET /wp-config.php.bak HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: python-requests/2.32.3
Accept: text/html,application/xhtml+
Requête brute (extrait)
GET /wp-config.php.bak HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: python-requests/2.32.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ C
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "bak",
"http_ua_hash": "ae09ca118a34f21eadeb922152bc0d66d5b1783f",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "0372d7102c333673ea0de9e60c73911cb60bfb5f",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 276,
"payload_entropy": 5.282361887540949,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 62,
"tag_count": 12,
"anomaly_count": 1,
"campaign_key": "53a564063cba85bf67785aeb6f7d8225a00d51d9",
"event_fingerprint": "c4565386bfc702aeff164f07dabda857b1b321ab",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0160",
"pat-0284",
"pat-0103",
"pat-0135",
"pat-0195"
],
"matched_pattern_names": [
"CRS 933111",
"CRS 941130",
"LFI Double-dot bypass",
"LFI WordPress config backup",
"Probe \/wp-config.php"
],
"pattern_ids": [
"pat-0160",
"pat-0284",
"pat-0103",
"pat-0135",
"pat-0195"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bcea973b42c25e2780c70435dae7b4a0",
"payload_hash": "5f755c9d88c285e8bfa0d2372fb8cfb9",
"path_pattern_hash": "c879a1d8584c2c545f6c6bb7a9f5a061"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+",
"method": "GET",
"path": "\/wp-config.php.bak",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950518:leak-5",
"950521:leak-8",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-5",
"leak-8",
"scanner-ua"
],
"request_line": "GET \/wp-config.php.bak HTTP\/1.1",
"request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nC",
"payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+",
"evidence": {
"method": "GET",
"path": "\/wp-config.php.bak",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950518:leak-5",
"950521:leak-8",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-5",
"leak-8",
"scanner-ua"
],
"request_line": "GET \/wp-config.php.bak HTTP\/1.1",
"request_sample": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nC",
"payload_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "98128df8e8060837a3cc1cb07c9042d2678235cd",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wp-config.php.bak",
"request_line": "GET \/wp-config.php.bak HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php.bak",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 6 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/wp-config.php.bak",
"request_line": "GET \/wp-config.php.bak HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/wp-config.php.bak",
"evidence_snippet": "GET \/wp-config.php.bak HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 6 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 6 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950518:leak-5",
"950521:leak-8",
"anomaly:scanner-ua",
"http_backup_file_scan",
"http_backup_path",
"http_sensitive_path",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:35:01 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /.git/config
Élevée
Moyen · 61
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /.git/config UA Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefo…
Émulateur
HTTP
WAF
33
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/.git/config
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/.git/config
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 61
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
Probe /.git/config
Ligne de requête
GET /.git/config HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Règles WAF
rce-0
ssrf-3
nosqli-3
leak-0
Payload (extrait)
GET /.git/config HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/1
Requête brute (extrait)
GET /.git/config HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "git\/config",
"http_ua_hash": "880d0c120dbf4497314046742f2cb6dbd4be704d",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "e2f253eab0d0cf5422d24d22ae2a4954398768df",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 318,
"payload_entropy": 5.403064950713164,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 61,
"tag_count": 10,
"anomaly_count": 0,
"campaign_key": "19db4ae60e75e7e2e3bfa777e6cacb614c6a1d85",
"event_fingerprint": "df5851a413a7a9b921ef143a6764b6ce2d04b977",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0198"
],
"matched_pattern_names": [
"CRS 941130",
"Probe \/.git\/config"
],
"pattern_ids": [
"pat-0284",
"pat-0198"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a59685e43b0ef4fb9f3e6765d2231094",
"payload_hash": "4e5df09dfc25ea57397960363df5e5fd",
"path_pattern_hash": "3ec26e4f0817b37785cd5e68fed88892"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 61
},
"payload_preview": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"method": "GET",
"path": "\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/config HTTP\/1.1",
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding:",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"evidence": {
"method": "GET",
"path": "\/.git\/config",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-0"
],
"request_line": "GET \/.git\/config HTTP\/1.1",
"request_sample": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding:",
"payload_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "27790def224b7c3970509cdd65ce66f088e1c364",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/config",
"request_line": "GET \/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/config",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 61,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/config",
"request_line": "GET \/.git\/config HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/config",
"evidence_snippet": "GET \/.git\/config HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_git",
"http_sensitive_path",
"net_web_probe"
]
}
15/06/2026 15:35:01 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /dump.sql
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /dump.sql UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch…
Émulateur
HTTP
WAF
19
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
http_backup_file_scan
Cible HTTP
GET
/dump.sql
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/dump.sql
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI SQL dump file
Ligne de requête
GET /dump.sql HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36
Règles WAF
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /dump.sql HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/1
Requête brute (extrait)
GET /dump.sql HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "sql",
"http_ua_hash": "61b2fb88348adb0c454f69364a0bf16d1c9d26e5",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "1fc830e90e8ffa94d6b83234ae2ec2ba7b5108ba",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 336,
"payload_entropy": 5.436237011355969,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 84,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 55,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "1bfedd9f5d1a6c3442d67e2e7356369026707b4f",
"event_fingerprint": "4c1f8f86bb76a57605fd33f971bde8d40f0c54b9",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0132"
],
"matched_pattern_names": [
"CRS 941130",
"LFI SQL dump file"
],
"pattern_ids": [
"pat-0284",
"pat-0132"
],
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 55,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "dbab6c4c65f4e975e43617cd246fbb8c",
"payload_hash": "0a6036cbaffeed6c001a70634c166261",
"path_pattern_hash": "2debf0ced7dd0a1204edf7447a578b8e"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1",
"method": "GET",
"path": "\/dump.sql",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/dump.sql HTTP\/1.1",
"request_sample": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5",
"payload_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1",
"evidence": {
"method": "GET",
"path": "\/dump.sql",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/dump.sql HTTP\/1.1",
"request_sample": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5",
"payload_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8db1f1881699ac8b21e9d2c3dd76e7584f79bdc7",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dump.sql",
"request_line": "GET \/dump.sql HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/dump.sql",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 55,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/dump.sql",
"request_line": "GET \/dump.sql HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/dump.sql",
"evidence_snippet": "GET \/dump.sql HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/1",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_backup_file_scan",
"http_backup_path",
"net_web_probe"
]
}
15/06/2026 15:35:01 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /.DS_Store
Élevée
Moyen · 62
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /.DS_Store UA python-requests/2.32.3
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950520:leak-7
Cible HTTP
GET
/.DS_Store
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/.DS_Store
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 62
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
Probe /.DS_Store
Ligne de requête
GET /.DS_Store HTTP/1.1
User-Agent
python-requests/2.32.3
Règles WAF
rce-0
ssrf-3
nosqli-3
leak-7
scanner-ua
Payload (extrait)
GET /.DS_Store HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: python-requests/2.32.3
Accept: text/html,application/xhtml+xml,appl
Requête brute (extrait)
GET /.DS_Store HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: python-requests/2.32.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://www.bing.com/ Connect
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "ds_store",
"http_ua_hash": "ae09ca118a34f21eadeb922152bc0d66d5b1783f",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "2eaf811e78c039402383e125deb093600a999e32",
"http_referer_hash": "7c774392df25c0990a337dc8b862b783cd881b51",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 270,
"payload_entropy": 5.305559752466207,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 62,
"tag_count": 9,
"anomaly_count": 1,
"campaign_key": "f5bcc4f4408c18ddf1e1e57cf0d0f599e9f6bb63",
"event_fingerprint": "86140c3e66c554c9aab3afe4bb767b44e5af8824",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0103",
"pat-0196"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass",
"Probe \/.DS_Store"
],
"pattern_ids": [
"pat-0284",
"pat-0103",
"pat-0196"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bcea973b42c25e2780c70435dae7b4a0",
"payload_hash": "503f31b07236f57576876a6caadf6f8f",
"path_pattern_hash": "cdaaa22fe9af2e099c05c2fbe6285541"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appl",
"method": "GET",
"path": "\/.DS_Store",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950520:leak-7",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-7",
"scanner-ua"
],
"request_line": "GET \/.DS_Store HTTP\/1.1",
"request_sample": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/www.bing.com\/\r\nConnect",
"payload_snippet": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appl",
"evidence": {
"method": "GET",
"path": "\/.DS_Store",
"user_agent": "python-requests\/2.32.3",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950520:leak-7",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-7",
"scanner-ua"
],
"request_line": "GET \/.DS_Store HTTP\/1.1",
"request_sample": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/www.bing.com\/\r\nConnect",
"payload_snippet": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appl",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0070d97b7465f5d1227346cbf7f528cb8fffdb2d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.DS_Store",
"request_line": "GET \/.DS_Store HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appl",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.DS_Store",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.DS_Store",
"request_line": "GET \/.DS_Store HTTP\/1.1",
"http_user_agent": "python-requests\/2.32.3",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.DS_Store",
"evidence_snippet": "GET \/.DS_Store HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: python-requests\/2.32.3\r\nAccept: text\/html,application\/xhtml+xml,appl",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950520:leak-7",
"anomaly:scanner-ua",
"http_sensitive_path",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:35:01 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /adminer.php
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /adminer.php UA Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefo…
Émulateur
HTTP
WAF
19
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
http_probe_adminer
Cible HTTP
GET
/adminer.php
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/adminer.php
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
Sigma adminer
ES admin GET
ActiveMQ console
Ligne de requête
GET /adminer.php HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Règles WAF
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /adminer.php HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/1
Requête brute (extrait)
GET /adminer.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "php",
"http_ua_hash": "880d0c120dbf4497314046742f2cb6dbd4be704d",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "4c0ec463418ad15ed168b07340f8c568be1fd3ef",
"http_referer_hash": "7c774392df25c0990a337dc8b862b783cd881b51",
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 320,
"payload_entropy": 5.430985715504859,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 84,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 55,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "e215b4d2ac4e9220e2a64a6b4202e441ba797d24",
"event_fingerprint": "09cdac080a616c4a43f764ad7ae1dfb561967488",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0748",
"pat-0341",
"pat-0606"
],
"matched_pattern_names": [
"CRS 941130",
"Sigma adminer",
"ES admin GET",
"ActiveMQ console"
],
"pattern_ids": [
"pat-0284",
"pat-0748",
"pat-0341",
"pat-0606"
],
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 55,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a59685e43b0ef4fb9f3e6765d2231094",
"payload_hash": "024ca74ba19cb0cfeb775f5cdd95d476",
"path_pattern_hash": "7c732b4d744fce86cfbfc82b8c70011c"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"method": "GET",
"path": "\/adminer.php",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/adminer.php HTTP\/1.1",
"request_sample": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding:",
"payload_snippet": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"evidence": {
"method": "GET",
"path": "\/adminer.php",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/adminer.php HTTP\/1.1",
"request_sample": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding:",
"payload_snippet": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5c9a0c8c734c9faa80c60bd8d92493c61f935c00",
"protocol_details": {
"http_method": "GET",
"http_path": "\/adminer.php",
"request_line": "GET \/adminer.php HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/adminer.php",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 55,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/adminer.php",
"request_line": "GET \/adminer.php HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/adminer.php",
"evidence_snippet": "GET \/adminer.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/1",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_probe_adminer",
"net_web_probe"
]
}
15/06/2026 15:35:00 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /actuator/env
Élevée
Moyen · 62
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /actuator/env UA curl/8.5.0
Émulateur
HTTP
WAF
35
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/actuator/env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/actuator/env
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 62
Confiance : Confiance 100 % — 6 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
ET actuator env
LFI Double-dot bypass
Probe /actuator
Probe /actuator/env
Ligne de requête
GET /actuator/env HTTP/1.1
User-Agent
curl/8.5.0
Règles WAF
rce-0
ssrf-3
nosqli-3
spring-actuator
scanner-ua
Payload (extrait)
GET /actuator/env HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: curl/8.5.0
Accept: text/html,application/xhtml+xml,application/x
Requête brute (extrait)
GET /actuator/env HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: curl/8.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": null,
"http_ua_hash": "2de5c12e398bc6e09d9f64dfa317a27082e393cf",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "e32661bb9cbe8cb5f3660b341b6704d87fd4cb7c",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 259,
"payload_entropy": 5.2385147829663525,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 62,
"tag_count": 13,
"anomaly_count": 1,
"campaign_key": "8d0b0054a277ec814eced141d1e71e43ffcde084",
"event_fingerprint": "ef38e6702d2d417e3af70a803787f267c898a4f8",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0751",
"pat-0103",
"pat-0232",
"pat-0233"
],
"matched_pattern_names": [
"CRS 941130",
"ET actuator env",
"LFI Double-dot bypass",
"Probe \/actuator",
"Probe \/actuator\/env"
],
"pattern_ids": [
"pat-0284",
"pat-0751",
"pat-0103",
"pat-0232",
"pat-0233"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "07d1d539047ef01990ffd8266d015775",
"payload_hash": "8691dbbf581c393fbb744b441b67bfe3",
"path_pattern_hash": "52616ac7327902d5e53f2c0d3ea46564"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/x",
"method": "GET",
"path": "\/actuator\/env",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950612:spring-actuator",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"spring-actuator",
"scanner-ua"
],
"request_line": "GET \/actuator\/env HTTP\/1.1",
"request_sample": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: close\r",
"payload_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/x",
"evidence": {
"method": "GET",
"path": "\/actuator\/env",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950612:spring-actuator",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"spring-actuator",
"scanner-ua"
],
"request_line": "GET \/actuator\/env HTTP\/1.1",
"request_sample": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: close\r",
"payload_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/x",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f4bc5ad807a9470cc65e0f93af6765c7c0a64295",
"protocol_details": {
"http_method": "GET",
"http_path": "\/actuator\/env",
"request_line": "GET \/actuator\/env HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/x",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/env",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 6 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/actuator\/env",
"request_line": "GET \/actuator\/env HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/actuator\/env",
"evidence_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/x",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 6 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 6 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950612:spring-actuator",
"anomaly:scanner-ua",
"http_actuator_probe",
"http_actuator_spring_probe",
"http_probe_actuator",
"http_sensitive_path",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:35:00 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /phpinfo.php
Élevée
Moyen · 61
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /phpinfo.php UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.…
Émulateur
HTTP
WAF
25
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950614:phpinfo
Cible HTTP
GET
/phpinfo.php
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/phpinfo.php
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 61
Confiance : Confiance 100 % — 4 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
Ligne de requête
GET /phpinfo.php HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15
Règles WAF
rce-0
ssrf-3
nosqli-3
phpinfo
Payload (extrait)
GET /phpinfo.php HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15
Requête brute (extrait)
GET /phpinfo.php HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accep
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "php",
"http_ua_hash": "6bbf2729b77d83a6b06d37536b29c49acc003ee1",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "1808fe5d8b86eb029606d3db28531c6ec6a82fb5",
"http_referer_hash": "7c774392df25c0990a337dc8b862b783cd881b51",
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 331,
"payload_entropy": 5.397227598357327,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.7,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 61,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f4884dcfa398e40a6f436223e395b7070efa8776",
"event_fingerprint": "f03544bb1918115eef342dba9dc6ee2f62700e16",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "270d0df155109110f4b8961ca727937c",
"payload_hash": "8f871656abe480bd73c45d4a6a301f71",
"path_pattern_hash": "a405682e93a85e32d41b3615cc2d6365"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 61
},
"payload_preview": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 ",
"method": "GET",
"path": "\/phpinfo.php",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950614:phpinfo"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"phpinfo"
],
"request_line": "GET \/phpinfo.php HTTP\/1.1",
"request_sample": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccep",
"payload_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"evidence": {
"method": "GET",
"path": "\/phpinfo.php",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950614:phpinfo"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"phpinfo"
],
"request_line": "GET \/phpinfo.php HTTP\/1.1",
"request_sample": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccep",
"payload_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f627472d1d1ffae69bf1fce6416c8a0c2c996e4c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/phpinfo.php",
"request_line": "GET \/phpinfo.php HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/phpinfo.php",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 61,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 61,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/phpinfo.php",
"request_line": "GET \/phpinfo.php HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/phpinfo.php",
"evidence_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950614:phpinfo",
"http_probe_phpinfo",
"http_sensitive_path",
"net_web_probe"
]
}
15/06/2026 15:34:59 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /.env
Élevée
Moyen · 62
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /.env UA curl/8.5.0
Émulateur
HTTP
WAF
30
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
950514:leak-1
Cible HTTP
GET
/.env
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/.env
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 62
Confiance : Confiance 100 % — 5 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
LFI Double-dot bypass
Probe /.env
Ligne de requête
GET /.env HTTP/1.1
User-Agent
curl/8.5.0
Règles WAF
rce-0
ssrf-3
nosqli-3
leak-1
scanner-ua
Payload (extrait)
GET /.env HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: curl/8.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Requête brute (extrait)
GET /.env HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: curl/8.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://github.com/ Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "env",
"http_ua_hash": "2de5c12e398bc6e09d9f64dfa317a27082e393cf",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "9ee0d3f55b39072ba6bec6203d26e470be80afdc",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 251,
"payload_entropy": 5.249301690546548,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 62,
"tag_count": 11,
"anomaly_count": 1,
"campaign_key": "d5c3948ec7b6dd317f7d8cc6a111ffee16187a19",
"event_fingerprint": "8a2fe31cf18283ee1184898bdb31081d3839d5a9",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0103",
"pat-0191"
],
"matched_pattern_names": [
"CRS 941130",
"LFI Double-dot bypass",
"Probe \/.env"
],
"pattern_ids": [
"pat-0284",
"pat-0103",
"pat-0191"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "07d1d539047ef01990ffd8266d015775",
"payload_hash": "f8486f05fb345849ec8adf706fb839f5",
"path_pattern_hash": "aef81e7735de8f42b73e111497498c8b"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9",
"method": "GET",
"path": "\/.env",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950514:leak-1",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-1",
"scanner-ua"
],
"request_line": "GET \/.env HTTP\/1.1",
"request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9",
"evidence": {
"method": "GET",
"path": "\/.env",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950514:leak-1",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-1",
"scanner-ua"
],
"request_line": "GET \/.env HTTP\/1.1",
"request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/github.com\/\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dba5fe02aa02870686b09e5e8ecde5d042bf8e6c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env",
"request_line": "GET \/.env HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.env",
"request_line": "GET \/.env HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.env",
"evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 5 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 5 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"950514:leak-1",
"anomaly:scanner-ua",
"http_backup_file_scan",
"http_probe_env",
"http_sensitive_path",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:34:59 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /robots.txt
Élevée
Moyen · 49
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
MITRE
TA0043
TA0043
Protocole
GET /robots.txt UA Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.…
Émulateur
HTTP
WAF
19
Recommandation
Surveiller
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
net_web_probe
Cible HTTP
GET
/robots.txt
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/robots.txt
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 50%
Confiance classification
69%
Corrélation +19
Risque capteur
Moyen
· 49
Confiance : Confiance 50 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Technique MITRE
TA0043
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
Ligne de requête
GET /robots.txt HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15
Règles WAF
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /robots.txt HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 S
Requête brute (extrait)
GET /robots.txt HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a436f6e74656e742d4c656e6774683a2032340d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a557365722d6167656e743a202a0a446973616c6c6f77",
"emulator_response_len": 130,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "txt",
"http_ua_hash": "6bbf2729b77d83a6b06d37536b29c49acc003ee1",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d",
"http_referer_hash": "595c3cce2409a55c13076f1bac5edee529fc2e58",
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 332,
"payload_entropy": 5.389588181228561,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 84,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15
},
"risk_score": 49,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9585a195073a27e014a113facb4d0d764adf6c54",
"event_fingerprint": "cc2111032008d2e949a36a0b84b1737a64811bc7",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15,
"risk_score": 49,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "270d0df155109110f4b8961ca727937c",
"payload_hash": "3f016c506638e56c9271161fe0bcbc7d",
"path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 49
},
"payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S",
"method": "GET",
"path": "\/robots.txt",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/robots.txt HTTP\/1.1",
"request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept",
"payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S",
"evidence": {
"method": "GET",
"path": "\/robots.txt",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/robots.txt HTTP\/1.1",
"request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept",
"payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre": "TA0043",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3546d31fdac342028b259149e29612249b2ae10d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/robots.txt",
"request_line": "GET \/robots.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/robots.txt",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 69 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 15,
"risk_score": 49,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 49,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0043",
"mitre_technique": "TA0043",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/robots.txt",
"request_line": "GET \/robots.txt HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/robots.txt",
"evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 S",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"net_web_probe"
]
}
15/06/2026 15:34:59 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /swagger-ui.html
Élevée
Moyen · 50
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
MITRE
TA0043
TA0043
Protocole
GET /swagger-ui.html UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Ch…
Émulateur
HTTP
WAF
19
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950470:nosqli-3
http_swagger_probe
Cible HTTP
GET
/swagger-ui.html
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/swagger-ui.html
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 50%
Confiance classification
69%
Corrélation +19
Risque capteur
Moyen
· 50
Confiance : Confiance 50 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Technique MITRE
TA0043
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
ET swagger ui
Ligne de requête
GET /swagger-ui.html HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36
Règles WAF
rce-0
ssrf-3
nosqli-3
Payload (extrait)
GET /swagger-ui.html HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 C
Requête brute (extrait)
GET /swagger-ui.html HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,e
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a203130390d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b226f70656e617069223a22332e30",
"emulator_response_len": 222,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": "html",
"http_ua_hash": "61b2fb88348adb0c454f69364a0bf16d1c9d26e5",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "0f5514f1110c12d9d5c0456d07668449b644af86",
"http_referer_hash": "d7b3438d97f335e612a566a731eea5acb8fe83c8",
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 343,
"payload_entropy": 5.434705083022426,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 84,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 50,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "d0865531cc45c49f6541dfbf6b940906750493ec",
"event_fingerprint": "f74f3faa9df699039279bdd97d947bb1c7a887e1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence": 0.69,
"classification_confidence": 0.69,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0752"
],
"matched_pattern_names": [
"CRS 941130",
"ET swagger ui"
],
"pattern_ids": [
"pat-0284",
"pat-0752"
],
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 50,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "dbab6c4c65f4e975e43617cd246fbb8c",
"payload_hash": "fdc2a14faff58a532f9c10ccabe1272f",
"path_pattern_hash": "a22855a05d60774e49fb1f0a65374b33"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 50
},
"payload_preview": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"method": "GET",
"path": "\/swagger-ui.html",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/swagger-ui.html HTTP\/1.1",
"request_sample": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,e",
"payload_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"evidence": {
"method": "GET",
"path": "\/swagger-ui.html",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3"
],
"request_line": "GET \/swagger-ui.html HTTP\/1.1",
"request_sample": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,e",
"payload_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre": "TA0043",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c8995d9a216a732283d40dd43f3e2332d28669f2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/swagger-ui.html",
"request_line": "GET \/swagger-ui.html HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/swagger-ui.html",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0043 \u2014 confiance 69 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 69,
"confidence_breakdown": {
"waf": 84,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 50,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0043",
"mitre_technique": "TA0043",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/swagger-ui.html",
"request_line": "GET \/swagger-ui.html HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/swagger-ui.html",
"evidence_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 50 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 69 % \u2014 Score WAF 84 \u00b7 Bonus corr\u00e9lation +19 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950470:nosqli-3",
"http_swagger_probe",
"net_web_probe"
]
}
15/06/2026 15:34:59 UTC
TCP
8080 · HTTP
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → /.git/HEAD
Élevée
Moyen · 62
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /.git/HEAD UA curl/8.5.0
Émulateur
HTTP
WAF
36
Recommandation
Investiguer
Tags
950326:rce-0
950406:ssrf-3
950468:nosqli-3
950470:nosqli-3
Cible HTTP
GET
/.git/HEAD
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8080
Chemin / cible
/.git/HEAD
Pourquoi cette classification : Sonde fichier sensible / config · confiance 100%
Confiance classification
100%
Corrélation +19
Risque capteur
Moyen
· 62
Confiance : Confiance 100 % — 6 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
ET .git HEAD
LFI Double-dot bypass
Probe /.git/HEAD
Ligne de requête
GET /.git/HEAD HTTP/1.1
User-Agent
curl/8.5.0
Règles WAF
rce-0
ssrf-3
nosqli-3
leak-0
scanner-ua
Payload (extrait)
GET /.git/HEAD HTTP/1.1
Host: 62.3.50.33:8080
User-Agent: curl/8.5.0
Accept: text/html,application/xhtml+xml,application/xml;
Requête brute (extrait)
GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: curl/8.5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: identity Referer: https://www.google.com/ Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "git\/head",
"http_ua_hash": "2de5c12e398bc6e09d9f64dfa317a27082e393cf",
"http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d",
"http_target_hash": "a5bdb37ad3aa5fc1e8e58237e6cb768f00ae6952",
"http_referer_hash": "595c3cce2409a55c13076f1bac5edee529fc2e58",
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 260,
"payload_entropy": 5.262131030836888,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 62,
"tag_count": 13,
"anomaly_count": 1,
"campaign_key": "46d260f9212610a0792848a49aa653bdf7aa196a",
"event_fingerprint": "be061d8c429761f92ac3224a5514c3305981fe0a",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0284",
"pat-0749",
"pat-0103",
"pat-0197"
],
"matched_pattern_names": [
"CRS 941130",
"ET .git HEAD",
"LFI Double-dot bypass",
"Probe \/.git\/HEAD"
],
"pattern_ids": [
"pat-0284",
"pat-0749",
"pat-0103",
"pat-0197"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "07d1d539047ef01990ffd8266d015775",
"payload_hash": "be8ff0944692955f9ca8f4ce8ea71042",
"path_pattern_hash": "353579f4025217f1143d65b4213aaffa"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 62
},
"payload_preview": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;",
"method": "GET",
"path": "\/.git\/HEAD",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-0",
"scanner-ua"
],
"request_line": "GET \/.git\/HEAD HTTP\/1.1",
"request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/www.google.com\/\r\nConnection: close",
"payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;",
"evidence": {
"method": "GET",
"path": "\/.git\/HEAD",
"user_agent": "curl\/8.5.0",
"waf_tags": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"scanner-ua"
],
"waf_rule_names": [
"rce-0",
"ssrf-3",
"nosqli-3",
"leak-0",
"scanner-ua"
],
"request_line": "GET \/.git\/HEAD HTTP\/1.1",
"request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: identity\r\nReferer: https:\/\/www.google.com\/\r\nConnection: close",
"payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;",
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ecdd241bd8e26d6aadb24e91539d9d377858cc0b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/HEAD",
"request_line": "GET \/.git\/HEAD HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 6 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"classification_reason_label_fr": "Sonde fichier sensible \/ config \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 62,
"correlation_boost": 19
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 62,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +19",
"protocol_details": {
"http_method": "GET",
"http_path": "\/.git\/HEAD",
"request_line": "GET \/.git\/HEAD HTTP\/1.1",
"http_user_agent": "curl\/8.5.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 \/.git\/HEAD",
"evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: curl\/8.5.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 6 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +19 \u00b7 6 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 19,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950406:ssrf-3",
"950468:nosqli-3",
"950470:nosqli-3",
"950513:leak-0",
"anomaly:scanner-ua",
"http_backup_file_scan",
"http_git_exposure",
"http_probe_git",
"http_sensitive_path",
"http_ua_suspicious",
"net_web_probe",
"scanner-ua"
]
}
15/06/2026 15:34:52 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /.git/HEAD HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/
Requête brute (extrait)
GET /.git/HEAD HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 337,
"payload_entropy": 5.442776054317185,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "4a93419bdcb4d88bb916015b5c8a5423889f275f",
"event_fingerprint": "1eeecffdeefbfbad05a3604bc614efa2174b97bf",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "84f1fca562cff61c02cf3b9f31c09ae5",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/",
"request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.",
"payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/",
"evidence": {
"request_sample": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.",
"payload_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "20f394f534a5bb85ce0868b4a907ed0e1930ad36",
"protocol_details": {
"payload_preview": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/.git\/HEAD HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 16,
"scan_velocity_ports_per_s": 3.33,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_port_scan_fast"
]
}
15/06/2026 15:34:51 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /actuator/env HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 7 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /actuator/env HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15
Requête brute (extrait)
GET /actuator/env HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Acce
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 334,
"payload_entropy": 5.400552178123538,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "2f4101ce0bf8475e1a5dd4d5b951811b52e0a1d0",
"event_fingerprint": "1eeecffdeefbfbad05a3604bc614efa2174b97bf",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "86c73fcad2162a14f4d25f3003ffc98c",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"request_sample": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAcce",
"payload_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"evidence": {
"request_sample": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15 Safari\/605.1.15\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAcce",
"payload_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7f90871301f8662d72a573b5a152feb7317e7699",
"protocol_details": {
"payload_preview": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/actuator\/env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit\/605.1.15",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 19,
"scan_velocity_ports_per_s": 3.93,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_port_scan_fast",
"tor_exit_probe"
]
}
15/06/2026 15:34:51 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /swagger-ui.html HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 C
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /swagger-ui.html HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 C
Requête brute (extrait)
GET /swagger-ui.html HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,e
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a203130390d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b226f70656e617069223a22332e30",
"emulator_response_len": 222,
"bytes_in": 345,
"payload_entropy": 5.437850323046344,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "4a93419bdcb4d88bb916015b5c8a5423889f275f",
"event_fingerprint": "1eeecffdeefbfbad05a3604bc614efa2174b97bf",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0c943a31a44f28d29a4dfe7d34d4b1eb",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"request_sample": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,e",
"payload_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"evidence": {
"request_sample": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,e",
"payload_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9b20c2ee22e3a980a77125f2309fdd2168e24fcb",
"protocol_details": {
"payload_preview": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/swagger-ui.html HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 C",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 19,
"scan_velocity_ports_per_s": 3.92,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_port_scan_fast"
]
}
15/06/2026 15:34:51 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /phpinfo.php HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrom
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /phpinfo.php HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrom
Requête brute (extrait)
GET /phpinfo.php HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 339,
"payload_entropy": 5.418629300133763,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "4a93419bdcb4d88bb916015b5c8a5423889f275f",
"event_fingerprint": "1eeecffdeefbfbad05a3604bc614efa2174b97bf",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0b689c37e2caf2bcfb922b3fd2de2562",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"request_sample": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=",
"payload_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"evidence": {
"request_sample": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=",
"payload_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "933897bc4a3fbfcb614fd307841d5afe2a09c16a",
"protocol_details": {
"payload_preview": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/phpinfo.php HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrom",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 19,
"scan_velocity_ports_per_s": 3.87,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_port_scan_fast"
]
}
15/06/2026 15:34:50 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /robots.txt HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/12
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /robots.txt HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/12
Requête brute (extrait)
GET /robots.txt HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding:
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a436f6e74656e742d4c656e6774683a2032340d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a557365722d6167656e743a202a0a446973616c6c6f77",
"emulator_response_len": 130,
"bytes_in": 319,
"payload_entropy": 5.438904132240789,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "4a93419bdcb4d88bb916015b5c8a5423889f275f",
"event_fingerprint": "1eeecffdeefbfbad05a3604bc614efa2174b97bf",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "669bb47d380e8c7be67f6678b116ef0a",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: ",
"payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"evidence": {
"request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/126.0\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: ",
"payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d9f61f475a9142c847ad1b3d1ca927725b29a194",
"protocol_details": {
"payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:126.0) Gecko\/20100101 Firefox\/12",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 19,
"scan_velocity_ports_per_s": 3.96,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_port_scan_fast"
]
}
15/06/2026 15:34:50 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 51
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET /.env HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 51
Confiance : Confiance 100 % — 6 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
CRS 941130
User-Agent
—
Règles WAF
—
Payload (extrait)
GET /.env HTTP/1.1
Host: 62.3.50.33:6443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0
Requête brute (extrait)
GET /.env HTTP/1.1 Host: 62.3.50.33:6443 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Ac
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 336,
"payload_entropy": 5.426377878419762,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 6.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 51,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "4a93419bdcb4d88bb916015b5c8a5423889f275f",
"event_fingerprint": "1eeecffdeefbfbad05a3604bc614efa2174b97bf",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "93db331e822c77d8e8c7da71fe43e690",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 51
},
"payload_preview": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0",
"request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAc",
"payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0",
"evidence": {
"request_sample": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0.0.0 Safari\/537.36\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAc",
"payload_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "54977dd415b6fa1e7c54eebf5eaa3f98a102b7a1",
"protocol_details": {
"payload_preview": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 51\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 51,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 51,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/.env HTTP\/1.1\r\nHost: 62.3.50.33:6443\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 Chrome\/125.0",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 6 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 19,
"scan_velocity_ports_per_s": 3.95,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"mozi_pattern",
"net_port_scan_fast"
]
}
15/06/2026 15:34:48 UTC
TCP
15672 · HTTP
Scan de ports
port scan syn · via HTTP:15672 · (reconnaissance) · → /api/overview
Élevée
Moyen · 43
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /api/overview
Émulateur
HTTP
WAF
10
Recommandation
Surveiller
Tags
950468:nosqli-3
950600:k8s-api
http_no_ua
http_probe_api
Cible HTTP
GET
/api/overview
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
15672
Chemin / cible
/api/overview
Pourquoi cette classification : Tags WAF: nosqli-3, k8s-api · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 43
Confiance : Confiance 100 % — 2 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET /api/overview HTTP/1.1
User-Agent
—
Règles WAF
nosqli-3
k8s-api
Payload (extrait)
GET /api/overview HTTP/1.1
Host: 62.3.50.33
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "1d611ed6b1ee0513f83afa61908355db8590a6fa",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 67,
"payload_entropy": 4.7319984742599495,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 15672,
"risk_waf": 48,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.5,
"risk_breakdown": {
"waf": 48,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25
},
"risk_score": 43,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "02457b60ea4e231bf6dfea74b5769c0df5619c40",
"event_fingerprint": "000124bc4ef1e76abe7a49c220e988254f50bfc9",
"classification_reason": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 48,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 43,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d8000b7777cba58b24f042676846c7bc",
"path_pattern_hash": "f895a1ea84208a736ab1400709f45619"
},
"target_context": {
"dst_port": 15672,
"service": "http",
"service_name": "http",
"risk_score": 43
},
"payload_preview": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/api\/overview",
"waf_tags": [
"950468:nosqli-3",
"950600:k8s-api"
],
"waf_rule_names": [
"nosqli-3",
"k8s-api"
],
"request_line": "GET \/api\/overview HTTP\/1.1",
"request_sample": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/api\/overview",
"waf_tags": [
"950468:nosqli-3",
"950600:k8s-api"
],
"waf_rule_names": [
"nosqli-3",
"k8s-api"
],
"request_line": "GET \/api\/overview HTTP\/1.1",
"request_sample": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"classification_reason": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1248cde5f051a5665f410ee7f26188688249bb94",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/overview",
"request_line": "GET \/api\/overview HTTP\/1.1",
"port": 15672,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"attack_vector": "port scan syn \u00b7 via HTTP:15672 \u00b7 (reconnaissance) \u00b7 \u2192 \/api\/overview",
"target_port_label": "15672 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: nosqli-3, k8s-api \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 48,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 25,
"risk_score": 43,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 43,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 15672,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/api\/overview",
"request_line": "GET \/api\/overview HTTP\/1.1",
"port": 15672,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:15672 \u00b7 (reconnaissance) \u00b7 \u2192 \/api\/overview",
"evidence_snippet": "GET \/api\/overview HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"target_port_label": "15672 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 48 \u00b7 Bonus corr\u00e9lation +23 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "15672"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 20,
"scan_velocity_ports_per_s": 5.95,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950468:nosqli-3",
"950600:k8s-api",
"http_no_ua",
"http_probe_api",
"net_port_scan_fast"
]
}
15/06/2026 15:34:48 UTC
TCP
5672 · AMQP
Scan de ports
port scan syn · via AMQP:5672 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
AMQP
WAF
—
Recommandation
Surveiller
Tags
amqp_emulated
amqp_handshake
net_port_scan_fast
rabbitmq_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
5672
Chemin / cible
—
Service
AMQP
Payload
AMQP�� �
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
AMQP protocol
AMQP protocol header
User-Agent
—
Règles WAF
—
Payload (extrait)
AMQP�� �
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "414d515000000901010000000000000e000a000b000000000000000000",
"emulator_response_len": 29,
"bytes_in": 8,
"payload_entropy": 2.75,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "amqp",
"app_proto": "amqp",
"asn": 141679,
"country": "CN",
"dst_port": 5672,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c1aa8bce132164e102c58afac0b2979156bed4b3",
"event_fingerprint": "72ebc770e2cb1f40c3f18b5b4bc5c4fa513f5b29",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0371",
"pat-0537"
],
"matched_pattern_names": [
"AMQP protocol",
"AMQP protocol header"
],
"pattern_ids": [
"pat-0371",
"pat-0537"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "amqp",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bc2f502576523902588d3c36f36ea5a1",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 5672,
"service": "amqp",
"service_name": "amqp",
"risk_score": 42
},
"payload_preview": "AMQP\u0000\u0000\t\u0001",
"request_sample": "AMQP\u0000\u0000\t\u0001",
"payload_snippet": "AMQP\u0000\u0000\t\u0001",
"evidence": {
"request_sample": "AMQP\u0000\u0000\t\u0001",
"payload_snippet": "AMQP\u0000\u0000\t\u0001",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2a821aea75eb0f582f0d612305103cb4c3a8ea7d",
"protocol_details": {
"payload_preview": "AMQP\u0000\u0000\t\u0001",
"port": 5672,
"service": "amqp",
"service_label_fr": "AMQP"
},
"evidence_snippet": "AMQP",
"attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)",
"target_port_label": "5672 \u00b7 AMQP",
"emulator_service": "amqp",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via AMQP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "amqp",
"service_label_fr": "AMQP",
"dst_port": 5672,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-amqp",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "AMQP\u0000\u0000\t\u0001",
"port": 5672,
"service": "amqp",
"service_label_fr": "AMQP"
},
"attack_vector": "port scan syn \u00b7 via AMQP:5672 \u00b7 (reconnaissance)",
"evidence_snippet": "AMQP",
"target_port_label": "5672 \u00b7 AMQP",
"emulator_service": "amqp",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "amqp",
"service_banner": "honeypot-amqp",
"service_os": "linux",
"dst_port": "5672"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 21,
"scan_velocity_ports_per_s": 6.21,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"amqp_emulated",
"amqp_handshake",
"net_port_scan_fast",
"rabbitmq_probe"
]
}
15/06/2026 15:34:48 UTC
TCP
9042 · CASSANDRA
Scan de ports
port scan syn · via CASSANDRA:9042 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
CASSANDRA
WAF
—
Recommandation
Surveiller
Tags
cassandra_emulated
net_port_scan_fast
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9042
Chemin / cible
—
Service
CASSANDRA
Payload
���������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
Mumble ping
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "840000000200000002",
"emulator_response_len": 9,
"bytes_in": 9,
"payload_entropy": 0.9864267287308424,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "cassandra",
"app_proto": "cassandra",
"asn": 141679,
"country": "CN",
"dst_port": 9042,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "1003280d273727fcc08ab3d788c35acf5b6d718b",
"event_fingerprint": "26d8e48a1f6752aca7f9494557834abf00d18b90",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0768",
"pat-0554"
],
"matched_pattern_names": [
"Mumble ping",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0768",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "cassandra",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5639e6990322230c72f701566cf7ac4b",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 9042,
"service": "cassandra",
"service_name": "cassandra",
"risk_score": 42
},
"payload_preview": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000",
"request_sample": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5f2880a370b7bd09eb820101cdd3f1e0b5d401c0",
"protocol_details": {
"payload_preview": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000",
"port": 9042,
"service": "cassandra",
"service_label_fr": "CASSANDRA"
},
"attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)",
"target_port_label": "9042 \u00b7 CASSANDRA",
"emulator_service": "cassandra",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CASSANDRA \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "cassandra",
"service_label_fr": "CASSANDRA",
"dst_port": 9042,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cassandra",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0004\u0000\u0000\u0000\u0005\u0000\u0000\u0000\u0000",
"port": 9042,
"service": "cassandra",
"service_label_fr": "CASSANDRA"
},
"attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)",
"evidence_snippet": null,
"target_port_label": "9042 \u00b7 CASSANDRA",
"emulator_service": "cassandra",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cassandra",
"service_banner": "honeypot-cassandra",
"service_os": "linux",
"dst_port": "9042"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 22,
"scan_velocity_ports_per_s": 6.1,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"cassandra_emulated",
"net_port_scan_fast"
]
}
15/06/2026 15:34:48 UTC
TCP
8888 · HTTP
Scan de ports
port scan syn · via HTTP:8888 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /
Émulateur
HTTP
WAF
3
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
http_no_ua
net_port_scan_fast
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8888
Chemin / cible
/
Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 1 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
HTTP alt 8888 probe
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 55,
"payload_entropy": 4.5038203952248335,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 8888,
"risk_waf": 20,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "05c58c5f19ad288de9a49d67ac759a6d356e63bd",
"event_fingerprint": "80f2aa9a52b555c26e5706a111edbf5b4c7d378f",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0599"
],
"matched_pattern_names": [
"HTTP alt 8888 probe"
],
"pattern_ids": [
"pat-0599"
],
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f0bf494803669a89021e5acd1315d539",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8888,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c0e2e654b48ad25a812ff07195dc9c3e3d2b3b94",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 8888,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)",
"target_port_label": "8888 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8888,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 8888,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8888 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"target_port_label": "8888 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8888"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 23,
"scan_velocity_ports_per_s": 6.37,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua",
"net_port_scan_fast"
]
}
15/06/2026 15:34:48 UTC
TCP
9000 · HTTP
Scan de ports
port scan syn · via HTTP:9000 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /
Émulateur
HTTP
WAF
3
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
http_no_ua
net_port_scan_fast
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9000
Chemin / cible
/
Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 1 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 55,
"payload_entropy": 4.5038203952248335,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 9000,
"risk_waf": 20,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "79c9e98c4c27e0b950e18ec690d012ad5320bb54",
"event_fingerprint": "23dd8620e82dd7d29b08cc2b43d4905facc7c62e",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f0bf494803669a89021e5acd1315d539",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9000,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5b9ff06348a58871af057ab6650740f350ee036a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 9000,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"attack_vector": "port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)",
"target_port_label": "9000 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 9000,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 9000,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:9000 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"target_port_label": "9000 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "9000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 27,
"scan_velocity_ports_per_s": 7.01,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua",
"net_port_scan_fast"
]
}
15/06/2026 15:34:47 UTC
TCP
8443 · HTTPS
Scan de ports
port scan syn · via HTTPS:8443 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
HTTPS
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8443
Chemin / cible
—
Service
HTTPS
Payload
�������������Q�'�'���� <8 ��'b�7o������OzӴ �%�qH�u� �!���t!�X�, o�R�92�>���>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3��
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
Minecraft varint handshake
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������Q�'�'�����<8���'b�7o������OzӴ �%�qH�u���!���t!�X�, o�R�92�>���>�������,�0��̨̩̪�+�/���$�(�k�#�'�g�
���9� ���3��
Requête brute (extrait)
�������������Q�'�'���� <8 ��'b�7o������OzӴ �%�qH�u� �!���t!�X�, o�R�92�>���>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3�����=�<�5�/�����u� ������� �������������������������#����������� �*�(����������� � � �������������������������+��������-�����3�&
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 517,
"payload_entropy": 3.912838995408163,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "https",
"app_proto": "https",
"asn": 141679,
"country": "CN",
"dst_port": 8443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 0
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "82e7005f91727a126e0d4c319fff2fcb94ce35d5",
"event_fingerprint": "ebbf50493a5cd01037444d3e811aea60318e67dd",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"Minecraft varint handshake",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "04c9bfccc2e564d09abaf49c5c902120",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 8443,
"service": "https",
"service_name": "https",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0019Q\u0000'\u0011'\ufffd\ufffd\ufffd\u0005\f<8\u000b\ufffd\ufffd'b\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd>\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0019Q\u0000'\u0011'\ufffd\ufffd\ufffd\u0005\f<8\u000b\ufffd\ufffd'b\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd>\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0019Q\u0000'\u0011'\ufffd\ufffd\ufffd\u0005\f<8\u000b\ufffd\ufffd'b\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd>\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "57a2cbade2edc4fe27751f080c46b238009d4497",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0019Q\u0000'\u0011'\ufffd\ufffd\ufffd\u0005\f<8\u000b\ufffd\ufffd'b\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd>\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "\ufffd\ufffdQ''\ufffd\ufffd\ufffd<8\ufffd\ufffd'b7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd>\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 8443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\u0019Q\u0000'\u0011'\ufffd\ufffd\ufffd\u0005\f<8\u000b\ufffd\ufffd'b\u001a7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\u000b\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd>\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdQ''\ufffd\ufffd\ufffd<8\ufffd\ufffd'b7o\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdOz\u04f4 \ufffd%\ufffdqH\ufffdu\ufffd\ufffd!\ufffd\ufffd\ufffdt!\ufffdX\ufffd, o\ufffdR\ufffd92\ufffd>\ufffd\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "8443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 15,
"scan_velocity_ports_per_s": 6.44,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_port_scan_fast",
"tls_clienthello"
]
}
15/06/2026 15:34:47 UTC
TCP
5000 · HTTP
Scan de ports
port scan syn · via HTTP:5000 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET /
Émulateur
HTTP
WAF
3
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
http_no_ua
net_port_scan_fast
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
5000
Chemin / cible
/
Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 1 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
—
Règles WAF
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c",
"emulator_response_len": 158,
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 55,
"payload_entropy": 4.5038203952248335,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "http",
"app_proto": "http",
"asn": 141679,
"country": "CN",
"dst_port": 5000,
"risk_waf": 20,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "7f211ab7369950d2beac430b060fd944d20c9248",
"event_fingerprint": "89f048096fc4888db8855d6a58ccce9e39debd7f",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f0bf494803669a89021e5acd1315d539",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5000,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"evidence": {
"method": "GET",
"path": "\/",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2f5dda584b1c9f07fd2a887d9f39b417a199d26b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 5000,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"attack_vector": "port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)",
"target_port_label": "5000 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5000,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"port": 5000,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:5000 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"target_port_label": "5000 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 16,
"scan_velocity_ports_per_s": 6.2,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua",
"net_port_scan_fast"
]
}
15/06/2026 15:34:47 UTC
TCP
1883 · MQTT
Scan de ports
port scan syn · via MQTT:1883 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Connexion MQTT (CONNECT)
Émulateur
MQTT
WAF
—
Recommandation
Surveiller
Tags
mqtt_connect
mqtt_emulated
mqtt_payload
net_bruteforce
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
1883
Chemin / cible
—
Service
MQTT
MQTT
Connexion MQTT (CONNECT)
Payload
����MQTT���<��hermes-scanner�
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 5 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
MQTT protocol
MQTT alt CONNECT
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
����MQTT���<��hermes-scanner
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "20020000",
"emulator_response_len": 4,
"bytes_in": 29,
"payload_entropy": 4.004364184708143,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "mqtt",
"app_proto": "mqtt",
"asn": 141679,
"country": "CN",
"dst_port": 1883,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "ee45ca4c40aab54ce18a5f5a6bb214132d12fdb3",
"event_fingerprint": "fee8f8e86b21ce5d7cca835e505fd9e20340232a",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"matched_pattern_names": [
"MQTT protocol",
"MQTT alt CONNECT",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0373",
"pat-0615",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "mqtt",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "af78af0e1a719a0f3346087d92f8a951",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 1883,
"service": "mqtt",
"service_name": "mqtt",
"risk_score": 42
},
"payload_preview": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000",
"request_sample": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000",
"payload_snippet": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000",
"evidence": {
"request_sample": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000",
"payload_snippet": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a266c89f757c0b890624e25353d34b32155e0685",
"protocol_details": {
"mqtt_connect_fr": "Connexion MQTT (CONNECT)",
"payload_preview": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000",
"port": 1883,
"service": "mqtt",
"service_label_fr": "MQTT"
},
"evidence_snippet": "MQTT<hermes-scanner",
"attack_vector": "port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)",
"target_port_label": "1883 \u00b7 MQTT",
"emulator_service": "mqtt",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTT \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "mqtt",
"service_label_fr": "MQTT",
"dst_port": 1883,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "MQTT 3.1.1",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"mqtt_connect_fr": "Connexion MQTT (CONNECT)",
"payload_preview": "\u0010\u001a\u0000\u0004MQTT\u0004\u0002\u0000<\u0000\u0010hermes-scanner\u0000",
"port": 1883,
"service": "mqtt",
"service_label_fr": "MQTT"
},
"attack_vector": "port scan syn \u00b7 via MQTT:1883 \u00b7 (reconnaissance)",
"evidence_snippet": "MQTT<hermes-scanner",
"target_port_label": "1883 \u00b7 MQTT",
"emulator_service": "mqtt",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mqtt",
"service_banner": "MQTT 3.1.1",
"service_os": "iot",
"dst_port": "1883"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 17,
"scan_velocity_ports_per_s": 6.04,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"mqtt_connect",
"mqtt_emulated",
"mqtt_payload",
"net_bruteforce",
"net_port_scan_fast"
]
}
15/06/2026 15:34:47 UTC
TCP
8883 · MQTTS
Scan de ports
port scan syn · via MQTTS:8883 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
MQTTS
WAF
—
Recommandation
Surveiller
Tags
mqtts_emulated
mqtts_payload
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8883
Chemin / cible
—
Service
MQTTS
Payload
�����������2��+��y]� LT?^@����ߚ( 5�6�����T n�����@���mV������D�W���� ��C�}��>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3��
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
Minecraft varint handshake
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������2��+��y]� LT?^@����ߚ( 5�6�����T n�����@���mV������D�W����
��C�}��>�������,�0��̨̩̪�+�/���$�(�k�#�'�g�
���9� ���3��
Requête brute (extrait)
�����������2��+��y]� LT?^@����ߚ( 5�6�����T n�����@���mV������D�W���� ��C�}��>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3�����=�<�5�/�����u� ������� �������������������������#����������� �*�(����������� � � �������������������������+��������-�����3�&
Meta JSON brut
{
"protocol_emulated": true,
"bytes_in": 517,
"payload_entropy": 3.965125725015207,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "mqtts",
"app_proto": "mqtts",
"asn": 141679,
"country": "CN",
"dst_port": 8883,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c4033ab61ec9697334b22f595c6efd6935f96f2c",
"event_fingerprint": "25dd54199c1aabd249dd54e6daebc9ce369e03f7",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"Minecraft varint handshake",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "mqtts",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2ea84618f8cbfed119bb390debeb5ef4",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 8883,
"service": "mqtts",
"service_name": "mqtts",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd+\ufffd\u0010y]\ufffd LT?^@\b\ufffd\ufffd\ufffd\u07da(\t5\ufffd6\ufffd\ufffd\u001f\ufffd\ufffdT n\ufffd\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\u001a\r\ufffd\ufffdC\ufffd}\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd+\ufffd\u0010y]\ufffd LT?^@\b\ufffd\ufffd\ufffd\u07da(\t5\ufffd6\ufffd\ufffd\u001f\ufffd\ufffdT n\ufffd\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\u001a\r\ufffd\ufffdC\ufffd}\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\u0016\u0000\u0014\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0001\u0000\u0001\u0001\u0001\u0002\u0001\u0003\u0001\u0004\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u0000*\u0000(\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0003\u0001\u0003\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd+\ufffd\u0010y]\ufffd LT?^@\b\ufffd\ufffd\ufffd\u07da(\t5\ufffd6\ufffd\ufffd\u001f\ufffd\ufffdT n\ufffd\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\u001a\r\ufffd\ufffdC\ufffd}\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "882c352666d29985fbfa138369a72e0c90994470",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd+\ufffd\u0010y]\ufffd LT?^@\b\ufffd\ufffd\ufffd\u07da(\t5\ufffd6\ufffd\ufffd\u001f\ufffd\ufffdT n\ufffd\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\u001a\r\ufffd\ufffdC\ufffd}\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"port": 8883,
"service": "mqtts",
"service_label_fr": "MQTTS"
},
"evidence_snippet": "\ufffd2\ufffd\ufffd+\ufffdy]\ufffd LT?^@\ufffd\ufffd\ufffd\u07da(\t5\ufffd6\ufffd\ufffd\ufffd\ufffdT n\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\r\ufffd\ufffdC\ufffd}\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"attack_vector": "port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)",
"target_port_label": "8883 \u00b7 MQTTS",
"emulator_service": "mqtts",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MQTTS \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "mqtts",
"service_label_fr": "MQTTS",
"dst_port": 8883,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-mqtts",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd+\ufffd\u0010y]\ufffd LT?^@\b\ufffd\ufffd\ufffd\u07da(\t5\ufffd6\ufffd\ufffd\u001f\ufffd\ufffdT n\ufffd\u0013\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\u001a\r\ufffd\ufffdC\ufffd}\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"port": 8883,
"service": "mqtts",
"service_label_fr": "MQTTS"
},
"attack_vector": "port scan syn \u00b7 via MQTTS:8883 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd2\ufffd\ufffd+\ufffdy]\ufffd LT?^@\ufffd\ufffd\ufffd\u07da(\t5\ufffd6\ufffd\ufffd\ufffd\ufffdT n\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd\ufffdmV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffdW\ufffd\ufffd\ufffd\r\ufffd\ufffdC\ufffd}\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"target_port_label": "8883 \u00b7 MQTTS",
"emulator_service": "mqtts",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mqtts",
"service_banner": "honeypot-mqtts",
"service_os": "linux",
"dst_port": "8883"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 18,
"scan_velocity_ports_per_s": 5.88,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"mqtts_emulated",
"mqtts_payload",
"net_port_scan_fast",
"tls_clienthello"
]
}
15/06/2026 15:34:46 UTC
TCP
2049 · NFS
Scan de ports
port scan syn · via NFS:2049 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
NFS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
nfs_emulated
nfs_mount
nfs_payload
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
2049
Chemin / cible
—
Service
NFS
Payload
���(������������������������������������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 5 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
NFS RPC mount
Mumble ping
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
(������������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "800000290000000000000000",
"emulator_response_len": 12,
"bytes_in": 40,
"payload_entropy": 1.1103029464166383,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "nfs",
"app_proto": "nfs",
"asn": 141679,
"country": "CN",
"dst_port": 2049,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "579396ac80141cc356e24764f2908b0158e9edc6",
"event_fingerprint": "406f1fb049fa29b057884fc3ea6c98702c6088ca",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0532",
"pat-0768",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"NFS RPC mount",
"Mumble ping",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0532",
"pat-0768",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "nfs",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ddea4e3d761e9c205132ef111fbc9454",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 2049,
"service": "nfs",
"service_name": "nfs",
"risk_score": 42
},
"payload_preview": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"request_sample": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d43dffafa2bbf9b57cdb25e5dad2160e3ede6754",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 2049,
"service": "nfs",
"service_label_fr": "NFS"
},
"evidence_snippet": "(\ufffd\ufffd",
"attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)",
"target_port_label": "2049 \u00b7 NFS",
"emulator_service": "nfs",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NFS \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 10,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "nfs",
"service_label_fr": "NFS",
"dst_port": 2049,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-nfs",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000(\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0003\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"port": 2049,
"service": "nfs",
"service_label_fr": "NFS"
},
"attack_vector": "port scan syn \u00b7 via NFS:2049 \u00b7 (reconnaissance)",
"evidence_snippet": "(\ufffd\ufffd",
"target_port_label": "2049 \u00b7 NFS",
"emulator_service": "nfs",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "nfs",
"service_banner": "honeypot-nfs",
"service_os": "linux",
"dst_port": "2049"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 12,
"scan_velocity_ports_per_s": 2.99,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"nfs_emulated",
"nfs_mount",
"nfs_payload",
"nfs_probe"
]
}
15/06/2026 15:34:46 UTC
TCP
6443 · K8S API
Scan de ports
port scan syn · via K8S API:6443 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
K8S-API
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
k8s_api_emulated
k8s_api_payload
kubernetes_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6443
Chemin / cible
—
Service
K8S API
Payload
GET / HTTP/1.1 Host: 62.3.50.33 Connection: close
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 5 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33
Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e312034303320466f7262696464656e0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2038370d0a0d0a7b226b696e64223a22537461747573222c2261706956657273696f6e223a227631222c22737461747573223a224661696c75",
"emulator_response_len": 165,
"bytes_in": 55,
"payload_entropy": 4.5038203952248335,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "k8s-api",
"app_proto": "k8s-api",
"asn": 141679,
"country": "CN",
"dst_port": 6443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "e257991cb5200ff10524b3c9f7213057ba0d3047",
"event_fingerprint": "1eeecffdeefbfbad05a3604bc614efa2174b97bf",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "k8s-api",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f0bf494803669a89021e5acd1315d539",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6443,
"service": "k8s-api",
"service_name": "k8s-api",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8ed30e11df9aecf5c7c267f21c7cae8dba574315",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via K8S API \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 40,
"novelty": 25,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "k8s-api",
"service_label_fr": "K8S API",
"dst_port": 6443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-k8s-api",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"port": 6443,
"service": "k8s-api",
"service_label_fr": "K8S API"
},
"attack_vector": "port scan syn \u00b7 via K8S API:6443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33\r\nConnection: close",
"target_port_label": "6443 \u00b7 K8S API",
"emulator_service": "k8s-api",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "k8s_api",
"service_banner": "honeypot-k8s-api",
"service_os": "linux",
"dst_port": "6443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 13,
"scan_velocity_ports_per_s": 2.85,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"k8s_api_emulated",
"k8s_api_payload",
"kubernetes_probe",
"net_port_scan_fast"
]
}
15/06/2026 15:34:46 UTC
TCP
6379 · REDIS
Scan de ports
port scan syn · via REDIS:6379 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Sonde protocole Redis
Émulateur
REDIS
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce
net_port_scan_fast
redis_emulated
redis_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
6379
Chemin / cible
—
Service
REDIS
Redis
Sonde protocole Redis
Payload
PING INFO server
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Payload (extrait)
PING
INFO server
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "2b504f4e470d0a",
"emulator_response_len": 7,
"bytes_in": 19,
"payload_entropy": 3.6163485660751635,
"port_category": "registered",
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"service": "redis",
"app_proto": "redis",
"asn": 141679,
"country": "CN",
"dst_port": 6379,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d3afe11e681d11798c2acbad3a9ecf85e35db28c",
"event_fingerprint": "ad893b67498ef5007c1d8733f7eb11e5e6fc39df",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "redis",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 141679,
"org": "China Telecom Beijing Tianjin Hebei Big Data Industry Park Branch",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "67a876fb8d199d3484763c3ff81a5c27",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 6379,
"service": "redis",
"service_name": "redis",
"risk_score": 42
},
"payload_preview": "PING\r\nINFO server\r\n",
"request_sample": "PING\r\nINFO server\r\n",
"payload_snippet": "PING\r\nINFO server",
"evidence": {
"request_sample": "PING\r\nINFO server\r\n",
"payload_snippet": "PING\r\nINFO server",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "51e9067759ee6cb1eaa94e57829e7fba8f8c7cfb",
"protocol_details": {
"redis_command_fr": "Sonde protocole Redis",
"payload_preview": "PING\r\nINFO server",
"port": 6379,
"service": "redis",
"service_label_fr": "REDIS"
},
"evidence_snippet": "PING\r\nINFO server",
"attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)",
"target_port_label": "6379 \u00b7 REDIS",
"emulator_service": "redis",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via REDIS \u2014 multi-protocole (26 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 0,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "redis",
"service_label_fr": "REDIS",
"dst_port": 6379,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "Redis 7.0",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"redis_command_fr": "Sonde protocole Redis",
"payload_preview": "PING\r\nINFO server",
"port": 6379,
"service": "redis",
"service_label_fr": "REDIS"
},
"attack_vector": "port scan syn \u00b7 via REDIS:6379 \u00b7 (reconnaissance)",
"evidence_snippet": "PING\r\nINFO server",
"target_port_label": "6379 \u00b7 REDIS",
"emulator_service": "redis",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "redis",
"service_banner": "Redis 7.0",
"service_os": "linux",
"dst_port": "6379"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 28,
"port_scan_ports_sample": [
21,
22,
23,
873,
1433,
1883,
2049,
2375,
2376,
3306,
3389,
5000,
5432,
5672,
5901,
6379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 13,
"scan_velocity_ports_per_s": 2.85,
"multi_category_scan": true,
"scan_category_diversity": [
"cloud",
"iot",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 26,
"multi_protocol_sample": [
"amqp",
"cassandra",
"docker",
"docker-tls",
"elasticsearch",
"flask-http",
"ftp",
"http"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce",
"net_port_scan_fast",
"redis_emulated",
"redis_probe"
]
}