|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������G��D�7t�ı��O�����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce_slow
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������G��D�7t�ı��O�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������G��D�7t�ı��O�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������G��D�7t�ı��O�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������G��D�7t�ı��O�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.779409743967483,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "f9a40d3ce61bb8a8d7160514305a1e0c8cd3a4f4",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "861b98f29cc7d74b188de174f2d2e5b2",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffd\u000fO\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffd\u000fO\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffd\u000fO\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffd\u000fO\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffd\u000fO\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5a980b288bef15ed8381857c17746d83c29a91f4",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffd\u000fO\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffd\u000fO\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffdO\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffd\u000fO\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffd\u000fO\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdG\ufffd\ufffdD\ufffd7t\ufffd\u0131\ufffdO\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce_slow",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������#6�%ׂ�!���S�������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������#6�%ׂ�!���S�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������#6�%ׂ�!���S�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������#6�%ׂ�!���S�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������#6�%ׂ�!���S�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.7768008554102845,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "67df76761ccdd01a78e86ad9f9b9dd56",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd#6\ufffd%\u05c2\u0014!\u000f\ufffd\u0003S\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd#6\ufffd%\u05c2\u0014!\u000f\ufffd\u0003S\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd#6\ufffd%\u05c2\u0014!\u000f\ufffd\u0003S\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd#6\ufffd%\u05c2\u0014!\u000f\ufffd\u0003S\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd#6\ufffd%\u05c2\u0014!\u000f\ufffd\u0003S\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5c2c7c23d24084902998e8dec7927aa270166339",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd#6\ufffd%\u05c2\u0014!\u000f\ufffd\u0003S\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd#6\ufffd%\u05c2\u0014!\u000f\ufffd\u0003S\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd#6\ufffd%\u05c2!\ufffdS\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd#6\ufffd%\u05c2\u0014!\u000f\ufffd\u0003S\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd#6\ufffd%\u05c2\u0014!\u000f\ufffd\u0003S\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd#6\ufffd%\u05c2!\ufffdS\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������S���g"~����\��4{����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������S���g"~����\��4{����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������S���g"~����\��4{����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������S���g"~����\��4{����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������S���g"~����\��4{����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.7757259039900894,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0b50008cb40594c5879bc00fd7caff64",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014S\u0017\ufffd\u0018g\"~\ufffd\ufffd\ufffd\u0017\\\ufffd\ufffd4{\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014S\u0017\ufffd\u0018g\"~\ufffd\ufffd\ufffd\u0017\\\ufffd\ufffd4{\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014S\u0017\ufffd\u0018g\"~\ufffd\ufffd\ufffd\u0017\\\ufffd\ufffd4{\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014S\u0017\ufffd\u0018g\"~\ufffd\ufffd\ufffd\u0017\\\ufffd\ufffd4{\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014S\u0017\ufffd\u0018g\"~\ufffd\ufffd\ufffd\u0017\\\ufffd\ufffd4{\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "91fc8994d7c2728369e06289be01ce24abd98724",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014S\u0017\ufffd\u0018g\"~\ufffd\ufffd\ufffd\u0017\\\ufffd\ufffd4{\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014S\u0017\ufffd\u0018g\"~\ufffd\ufffd\ufffd\u0017\\\ufffd\ufffd4{\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdS\ufffdg\"~\ufffd\ufffd\ufffd\\\ufffd\ufffd4{\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014S\u0017\ufffd\u0018g\"~\ufffd\ufffd\ufffd\u0017\\\ufffd\ufffd4{\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014S\u0017\ufffd\u0018g\"~\ufffd\ufffd\ufffd\u0017\\\ufffd\ufffd4{\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdS\ufffdg\"~\ufffd\ufffd\ufffd\\\ufffd\ufffd4{\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������\v����s���-�:3�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������\v����s���-�:3�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������\v����s���-�:3�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������\v����s���-�:3�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������\v����s���-�:3�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.770151115359258,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "86ec6ea62c474d23741595f46078c82e",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u000e\\v\ufffd\ufffd\ufffd\u001fs\u0007\ufffd\u001c-\ufffd:3\u0002\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u000e\\v\ufffd\ufffd\ufffd\u001fs\u0007\ufffd\u001c-\ufffd:3\u0002\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u000e\\v\ufffd\ufffd\ufffd\u001fs\u0007\ufffd\u001c-\ufffd:3\u0002\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u000e\\v\ufffd\ufffd\ufffd\u001fs\u0007\ufffd\u001c-\ufffd:3\u0002\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u000e\\v\ufffd\ufffd\ufffd\u001fs\u0007\ufffd\u001c-\ufffd:3\u0002\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "27b24b7c2574313c607fda8a5d725194e1bef3b2",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u000e\\v\ufffd\ufffd\ufffd\u001fs\u0007\ufffd\u001c-\ufffd:3\u0002\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u000e\\v\ufffd\ufffd\ufffd\u001fs\u0007\ufffd\u001c-\ufffd:3\u0002\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\\v\ufffd\ufffd\ufffds\ufffd-\ufffd:3\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u000e\\v\ufffd\ufffd\ufffd\u001fs\u0007\ufffd\u001c-\ufffd:3\u0002\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u000e\\v\ufffd\ufffd\ufffd\u001fs\u0007\ufffd\u001c-\ufffd:3\u0002\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\\v\ufffd\ufffd\ufffds\ufffd-\ufffd:3\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.61
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������n0�����|{r����KD����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������n0�����|{r����KD����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������n0�����|{r����KD����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������n0�����|{r����KD����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������n0�����|{r����KD����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.773993433017051,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f31065b140b2e6b6a952013c0e6ffde1",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n0\u0003\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffd\u0007KD\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n0\u0003\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffd\u0007KD\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n0\u0003\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffd\u0007KD\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n0\u0003\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffd\u0007KD\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n0\u0003\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffd\u0007KD\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "00f34f9436824e9b86c28ce9578a839a3f6a60f0",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n0\u0003\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffd\u0007KD\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n0\u0003\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffd\u0007KD\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdn0\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffdKD\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n0\u0003\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffd\u0007KD\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n0\u0003\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffd\u0007KD\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdn0\ufffd\ufffd\ufffd\ufffd|{r\ufffd\ufffd\ufffdKD\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 6,
"ssh_auth_burst_rate": 0.54
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ���������)4���]�����������curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ���������)4���]�����������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ���������)4���]�����������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������)4���]�����������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ���������)4���]�����������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.7770444275417745,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ba01c696f6add3016e67bb9cffcef156",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003\ufffd)4\ufffd\ufffd\ufffd]\u0001\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003\ufffd)4\ufffd\ufffd\ufffd]\u0001\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003\ufffd)4\ufffd\ufffd\ufffd]\u0001\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003\ufffd)4\ufffd\ufffd\ufffd]\u0001\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003\ufffd)4\ufffd\ufffd\ufffd]\u0001\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a09f8ebe77f508a5a681483b5b17da06c93af3c9",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003\ufffd)4\ufffd\ufffd\ufffd]\u0001\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003\ufffd)4\ufffd\ufffd\ufffd]\u0001\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd)4\ufffd\ufffd\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003\ufffd)4\ufffd\ufffd\ufffd]\u0001\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003\ufffd)4\ufffd\ufffd\ufffd]\u0001\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd)4\ufffd\ufffd\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.53,
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ����������|lV���́WY������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ����������|lV���́WY������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ����������|lV���́WY������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
����������|lV���́WY������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ����������|lV���́WY������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.780835074863136,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "aeef0bcb8faa49b53f467a3979da5a23",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1ea0c45524ffd5b7ba67d71352b1e5cb53f78e87",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd|lV\ufffd\ufffd\ufffd\u0301WY\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 6,
"ssh_auth_burst_rate": 0.75
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������k�gM�����|ײ�p������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������k�gM�����|ײ�p������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������k�gM�����|ײ�p������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������k�gM�����|ײ�p������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������k�gM�����|ײ�p������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.776623306202601,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0b16a948f900344f26f02ac8105d66b3",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014k\ufffdgM\ufffd\ufffd\ufffd\u0019\u0012|\u05f2\ufffdp\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014k\ufffdgM\ufffd\ufffd\ufffd\u0019\u0012|\u05f2\ufffdp\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014k\ufffdgM\ufffd\ufffd\ufffd\u0019\u0012|\u05f2\ufffdp\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014k\ufffdgM\ufffd\ufffd\ufffd\u0019\u0012|\u05f2\ufffdp\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014k\ufffdgM\ufffd\ufffd\ufffd\u0019\u0012|\u05f2\ufffdp\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "26de2faf6d2acc6c0554f00b3cb06efa734164b9",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014k\ufffdgM\ufffd\ufffd\ufffd\u0019\u0012|\u05f2\ufffdp\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014k\ufffdgM\ufffd\ufffd\ufffd\u0019\u0012|\u05f2\ufffdp\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdk\ufffdgM\ufffd\ufffd\ufffd|\u05f2\ufffdp\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014k\ufffdgM\ufffd\ufffd\ufffd\u0019\u0012|\u05f2\ufffdp\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014k\ufffdgM\ufffd\ufffd\ufffd\u0019\u0012|\u05f2\ufffdp\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdk\ufffdgM\ufffd\ufffd\ufffd|\u05f2\ufffdp\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.61
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������5g'Vb���yɢ&�������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������5g'Vb���yɢ&�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������5g'Vb���yɢ&�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������5g'Vb���yɢ&�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������5g'Vb���yɢ&�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.7724525757181855,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c90b827bcfdbc55cf962970208282b86",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u00145g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u00145g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u00145g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u00145g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u00145g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "088a9e727c546a343d391f94ad754181c3b196f9",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u00145g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u00145g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd5g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u00145g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u00145g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd5g'Vb\ufffd\ufffd\ufffdy\u0262&\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 6,
"ssh_auth_burst_rate": 0.5
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ���������Z�C��$�T"̛w�����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ���������Z�C��$�T"̛w�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ���������Z�C��$�T"̛w�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������Z�C��$�T"̛w�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ���������Z�C��$�T"̛w�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.779692530003771,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "17622bfbba2b983525c970940285c93c",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdZ\ufffdC\u0001\u0012$\ufffdT\"\u031bw\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdZ\ufffdC\u0001\u0012$\ufffdT\"\u031bw\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdZ\ufffdC\u0001\u0012$\ufffdT\"\u031bw\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdZ\ufffdC\u0001\u0012$\ufffdT\"\u031bw\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdZ\ufffdC\u0001\u0012$\ufffdT\"\u031bw\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3c7cd14a400accb8516bcf7b487423910d668340",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdZ\ufffdC\u0001\u0012$\ufffdT\"\u031bw\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdZ\ufffdC\u0001\u0012$\ufffdT\"\u031bw\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffdZ\ufffdC$\ufffdT\"\u031bw\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdZ\ufffdC\u0001\u0012$\ufffdT\"\u031bw\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdZ\ufffdC\u0001\u0012$\ufffdT\"\u031bw\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffdZ\ufffdC$\ufffdT\"\u031bw\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 13,
"ssh_auth_burst_rate": 0.93
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������=��vN=�5�:+��Db�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������=��vN=�5�:+��Db�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������=��vN=�5�:+��Db�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������=��vN=�5�:+��Db�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������=��vN=�5�:+��Db�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.773304978515217,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8c0c1cf4218aa24a7e8dc7b47f7d5e6f",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d85338630491cd1f57a933dd8ad21e04db705d9b",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd=\ufffd\ufffdvN=\ufffd5\ufffd:+\ufffd\ufffdDb\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 1
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������������Xn����W������curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������������Xn����W������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������������Xn����W������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������������Xn����W������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������������Xn����W������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.775986677476951,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e3089986227a96fcb33ddfad2834c56b",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0018\u0002\ufffd\ufffd\ufffd\ufffd\u001aXn\u0018\u000f\ufffd\ufffdW\u0006\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0018\u0002\ufffd\ufffd\ufffd\ufffd\u001aXn\u0018\u000f\ufffd\ufffdW\u0006\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0018\u0002\ufffd\ufffd\ufffd\ufffd\u001aXn\u0018\u000f\ufffd\ufffdW\u0006\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0018\u0002\ufffd\ufffd\ufffd\ufffd\u001aXn\u0018\u000f\ufffd\ufffdW\u0006\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0018\u0002\ufffd\ufffd\ufffd\ufffd\u001aXn\u0018\u000f\ufffd\ufffdW\u0006\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8ff2f0b40ed7ebdef7579fef05f7a095b457eac8",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0018\u0002\ufffd\ufffd\ufffd\ufffd\u001aXn\u0018\u000f\ufffd\ufffdW\u0006\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0018\u0002\ufffd\ufffd\ufffd\ufffd\u001aXn\u0018\u000f\ufffd\ufffdW\u0006\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffdXn\ufffd\ufffdW\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0018\u0002\ufffd\ufffd\ufffd\ufffd\u001aXn\u0018\u000f\ufffd\ufffdW\u0006\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0018\u0002\ufffd\ufffd\ufffd\ufffd\u001aXn\u0018\u000f\ufffd\ufffdW\u0006\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffdXn\ufffd\ufffdW\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 1
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������Zm��ӌg�F��>B>������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������Zm��ӌg�F��>B>������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������Zm��ӌg�F��>B>������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������Zm��ӌg�F��>B>������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������Zm��ӌg�F��>B>������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.774258882942257,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "32bd97a5938303837da8bf890ffcbbe2",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Zm\ufffd\ufffd\u04ccg\ufffdF\b\ufffd>B>\u000e\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Zm\ufffd\ufffd\u04ccg\ufffdF\b\ufffd>B>\u000e\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Zm\ufffd\ufffd\u04ccg\ufffdF\b\ufffd>B>\u000e\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Zm\ufffd\ufffd\u04ccg\ufffdF\b\ufffd>B>\u000e\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Zm\ufffd\ufffd\u04ccg\ufffdF\b\ufffd>B>\u000e\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "04ede53b8acccc59b1a7f9c5c04c591b12767df4",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Zm\ufffd\ufffd\u04ccg\ufffdF\b\ufffd>B>\u000e\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Zm\ufffd\ufffd\u04ccg\ufffdF\b\ufffd>B>\u000e\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdZm\ufffd\ufffd\u04ccg\ufffdF\ufffd>B>\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Zm\ufffd\ufffd\u04ccg\ufffdF\b\ufffd>B>\u000e\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Zm\ufffd\ufffd\u04ccg\ufffdF\b\ufffd>B>\u000e\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdZm\ufffd\ufffd\u04ccg\ufffdF\ufffd>B>\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������ c+�p:}56 e��>������curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������ c+�p:}56 e��>������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������ c+�p:}56 e��>������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������ c+�p:}56
e��>������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������ c+�p:}56 e��>������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 1422,
"payload_entropy": 4.88119785609998,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c416fb7fddd807296fe0a0e618cf7ef7",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\tc+\ufffdp:}56\ne\ufffd\ufffd>\u0019\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\tc+\ufffdp:}56\ne\ufffd\ufffd>\u0019\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\tc+\ufffdp:}56\ne\ufffd\ufffd>\u0019\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\tc+\ufffdp:}56\ne\ufffd\ufffd>\u0019\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\tc+\ufffdp:}56\ne\ufffd\ufffd>\u0019\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d2c82ddf9290a7cef2dfcb9d1eb7809f43436083",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\tc+\ufffdp:}56\ne\ufffd\ufffd>\u0019\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\tc+\ufffdp:}56\ne\ufffd\ufffd>\u0019\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\tc+\ufffdp:}56\ne\ufffd\ufffd>\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\tc+\ufffdp:}56\ne\ufffd\ufffd>\u0019\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\tc+\ufffdp:}56\ne\ufffd\ufffd>\u0019\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\tc+\ufffdp:}56\ne\ufffd\ufffd>\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.77
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������,E+�!����9��������curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������,E+�!����9��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������,E+�!����9��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������,E+�!����9��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������,E+�!����9��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.7731115842959575,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e166f2f6cfca72fd69cbd1c921b37246",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0000\ufffd,E+\ufffd!\ufffd\ufffd\ufffd\u001a9\u0010\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0000\ufffd,E+\ufffd!\ufffd\ufffd\ufffd\u001a9\u0010\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0000\ufffd,E+\ufffd!\ufffd\ufffd\ufffd\u001a9\u0010\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0000\ufffd,E+\ufffd!\ufffd\ufffd\ufffd\u001a9\u0010\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0000\ufffd,E+\ufffd!\ufffd\ufffd\ufffd\u001a9\u0010\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "13d8b3fc1d58c68f2fff7a8ba3c8ae211d34d03d",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0000\ufffd,E+\ufffd!\ufffd\ufffd\ufffd\u001a9\u0010\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0000\ufffd,E+\ufffd!\ufffd\ufffd\ufffd\u001a9\u0010\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd,E+\ufffd!\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0000\ufffd,E+\ufffd!\ufffd\ufffd\ufffd\u001a9\u0010\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0000\ufffd,E+\ufffd!\ufffd\ufffd\ufffd\u001a9\u0010\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd,E+\ufffd!\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.67
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������2��ɺ������������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������2��ɺ������������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������2��ɺ������������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������2��ɺ������������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������2��ɺ������������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.776970327900903,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a71acb54616e157ae60a636698383355",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "43dfa95ba0319661439f87af7a039efe4e62180a",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd2\ufffd\ufffd\u027a\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 6,
"ssh_auth_burst_rate": 0.67
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������Q�L�����-:R�YN�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������Q�L�����-:R�YN�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������Q�L�����-:R�YN�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������Q�L�����-:R�YN�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������Q�L�����-:R�YN�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.778420046371636,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "07804d3a60df279f5e29191cd02f532c",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Q\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Q\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Q\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Q\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Q\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c6fb2090fedea6f2784a2de8db4dfe641051245c",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Q\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Q\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdQ\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Q\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Q\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdQ\ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd-:R\ufffdYN\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.73
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������'�;QŌ�����<d�x����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������'�;QŌ�����<d�x����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������'�;QŌ�����<d�x����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������'�;QŌ�����<d�x����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������'�;QŌ�����<d�x����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.777239528336531,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "28508cf47c864a92f69c0e2c028fd63d",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014'\ufffd;Q\u014c\ufffd\ufffd\u0001\ufffd\ufffd<d\ufffdx\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014'\ufffd;Q\u014c\ufffd\ufffd\u0001\ufffd\ufffd<d\ufffdx\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014'\ufffd;Q\u014c\ufffd\ufffd\u0001\ufffd\ufffd<d\ufffdx\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014'\ufffd;Q\u014c\ufffd\ufffd\u0001\ufffd\ufffd<d\ufffdx\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014'\ufffd;Q\u014c\ufffd\ufffd\u0001\ufffd\ufffd<d\ufffdx\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "eda4d28fe8db00c3797dba94de5c7b50a5f5e65e",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014'\ufffd;Q\u014c\ufffd\ufffd\u0001\ufffd\ufffd<d\ufffdx\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014'\ufffd;Q\u014c\ufffd\ufffd\u0001\ufffd\ufffd<d\ufffdx\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd'\ufffd;Q\u014c\ufffd\ufffd\ufffd\ufffd<d\ufffdx\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014'\ufffd;Q\u014c\ufffd\ufffd\u0001\ufffd\ufffd<d\ufffdx\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014'\ufffd;Q\u014c\ufffd\ufffd\u0001\ufffd\ufffd<d\ufffdx\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd'\ufffd;Q\u014c\ufffd\ufffd\ufffd\ufffd<d\ufffdx\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.53
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������Xi��S���`�ѝY�����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������Xi��S���`�ѝY�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������Xi��S���`�ѝY�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������Xi��S���`�ѝY�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������Xi��S���`�ѝY�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.778888945604233,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ea0bd2733f8fcd35dcd76cef3f4a7f7d",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdXi\ufffd\ufffdS\u000f\ufffd\ufffd`\ufffd\u045dY\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdXi\ufffd\ufffdS\u000f\ufffd\ufffd`\ufffd\u045dY\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdXi\ufffd\ufffdS\u000f\ufffd\ufffd`\ufffd\u045dY\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdXi\ufffd\ufffdS\u000f\ufffd\ufffd`\ufffd\u045dY\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdXi\ufffd\ufffdS\u000f\ufffd\ufffd`\ufffd\u045dY\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1d74aa96625159f7f9ffc6c260b9a5622fcae2b7",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdXi\ufffd\ufffdS\u000f\ufffd\ufffd`\ufffd\u045dY\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdXi\ufffd\ufffdS\u000f\ufffd\ufffd`\ufffd\u045dY\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdXi\ufffd\ufffdS\ufffd\ufffd`\ufffd\u045dY\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdXi\ufffd\ufffdS\u000f\ufffd\ufffd`\ufffd\u045dY\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdXi\ufffd\ufffdS\u000f\ufffd\ufffd`\ufffd\u045dY\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdXi\ufffd\ufffdS\ufffd\ufffd`\ufffd\u045dY\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 1
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������B�|��BN�0sq�R�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������B�|��BN�0sq�R�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������B�|��BN�0sq�R�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������B�|��BN�0sq�R�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������B�|��BN�0sq�R�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.775570873785762,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "767944fe984b0656f05b11c61b3645ed",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0007\ufffdB\ufffd|\ufffd\ufffdBN\u00120sq\ufffdR\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0007\ufffdB\ufffd|\ufffd\ufffdBN\u00120sq\ufffdR\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0007\ufffdB\ufffd|\ufffd\ufffdBN\u00120sq\ufffdR\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0007\ufffdB\ufffd|\ufffd\ufffdBN\u00120sq\ufffdR\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0007\ufffdB\ufffd|\ufffd\ufffdBN\u00120sq\ufffdR\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c66a237a16c1fdc41ae49a2d3dc48ef20851e76d",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0007\ufffdB\ufffd|\ufffd\ufffdBN\u00120sq\ufffdR\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0007\ufffdB\ufffd|\ufffd\ufffdBN\u00120sq\ufffdR\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdB\ufffd|\ufffd\ufffdBN0sq\ufffdR\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0007\ufffdB\ufffd|\ufffd\ufffdBN\u00120sq\ufffdR\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0007\ufffdB\ufffd|\ufffd\ufffdBN\u00120sq\ufffdR\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdB\ufffd|\ufffd\ufffdBN0sq\ufffdR\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.91
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ���������e_��iF�Ȼ��������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ���������e_��iF�Ȼ��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ���������e_��iF�Ȼ��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������e_��iF�Ȼ��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ���������e_��iF�Ȼ��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 1422,
"payload_entropy": 4.894257179533461,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "def0122e49987c13f4a46a1cb934b587",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0010\ufffd\ufffde_\ufffd\u0014iF\u0007\u023b\ufffd\ufffd\ufffd\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0010\ufffd\ufffde_\ufffd\u0014iF\u0007\u023b\ufffd\ufffd\ufffd\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0010\ufffd\ufffde_\ufffd\u0014iF\u0007\u023b\ufffd\ufffd\ufffd\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0010\ufffd\ufffde_\ufffd\u0014iF\u0007\u023b\ufffd\ufffd\ufffd\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0010\ufffd\ufffde_\ufffd\u0014iF\u0007\u023b\ufffd\ufffd\ufffd\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ea73e94bf30a06e08d77398c6c61177a813c70c9",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0010\ufffd\ufffde_\ufffd\u0014iF\u0007\u023b\ufffd\ufffd\ufffd\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0010\ufffd\ufffde_\ufffd\u0014iF\u0007\u023b\ufffd\ufffd\ufffd\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffde_\ufffdiF\u023b\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0010\ufffd\ufffde_\ufffd\u0014iF\u0007\u023b\ufffd\ufffd\ufffd\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0010\ufffd\ufffde_\ufffd\u0014iF\u0007\u023b\ufffd\ufffd\ufffd\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffde_\ufffdiF\u023b\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 1
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������8Ê�w�F����j�E�����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������8Ê�w�F����j�E�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������8�w�F����j�E�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������8�w�F����j�E�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������8�w�F����j�E�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.777272608787847,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "aeab37b2b0540439bd52ba5a5f34f948",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd8\u00ca\bw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd8\u00ca\bw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd8\u00ca\bw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd8\u00ca\bw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd8\u00ca\bw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6f82dc681ddc1bb9242a8f1457cb0f39b9747539",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd8\u00ca\bw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd8\u00ca\bw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd8\u00caw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd8\u00ca\bw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd8\u00ca\bw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\u0016\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd8\u00caw\ufffdF\ufffd\ufffd\ufffd\ufffdj\ufffdE\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.91
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������Ō�PbM������ ������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������Ō�PbM������ ������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������Ō�PbM������ ������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������Ō�PbM������
������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������Ō�PbM������ ������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.777087973504798,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c73db119a1616c95673372c530222504",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0005\u014c\ufffdPbM\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\r\u0018\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0005\u014c\ufffdPbM\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\r\u0018\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0005\u014c\ufffdPbM\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\r\u0018\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0005\u014c\ufffdPbM\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\r\u0018\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0005\u014c\ufffdPbM\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\r\u0018\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "47da7d11ab7f22c73c914553fe88da0a737d468c",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0005\u014c\ufffdPbM\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\r\u0018\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0005\u014c\ufffdPbM\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\r\u0018\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\u014c\ufffdPbM\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0005\u014c\ufffdPbM\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\r\u0018\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0005\u014c\ufffdPbM\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\r\u0018\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\u014c\ufffdPbM\ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������<�M�`*� ����!��@����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������<�M�`*� ����!��@����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������<�M�`*� ����!��@����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������<�M�`*�
����!��@����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������<�M�`*� ����!��@����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.777632710264511,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "88bfe70ad6b780fb4653cf9d7bc8b972",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014<\ufffdM\ufffd`*\u001e\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014<\ufffdM\ufffd`*\u001e\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014<\ufffdM\ufffd`*\u001e\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014<\ufffdM\ufffd`*\u001e\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014<\ufffdM\ufffd`*\u001e\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9f16ca1cc0f6fd1982e0678c87299b26c2a5de9a",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014<\ufffdM\ufffd`*\u001e\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014<\ufffdM\ufffd`*\u001e\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd<\ufffdM\ufffd`*\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014<\ufffdM\ufffd`*\u001e\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014<\ufffdM\ufffd`*\u001e\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd<\ufffdM\ufffd`*\r\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd@\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.61
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������5.�����3�o��w����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������5.�����3�o��w����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������5.�����3�o��w����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������5.�����3�o��w����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������5.�����3�o��w����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.769117112971021,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7f3bace60702b43e0f162dff52359716",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdo\u0013\u001aw\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdo\u0013\u001aw\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdo\u0013\u001aw\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdo\u0013\u001aw\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdo\u0013\u001aw\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "06fcd7ba2fb9c6e74efe1e243f75513a996af3ea",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdo\u0013\u001aw\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdo\u0013\u001aw\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdow\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdo\u0013\u001aw\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdo\u0013\u001aw\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd5.\ufffd\ufffd\ufffd\ufffd\ufffd3\ufffdow\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.67
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������{��W��v���i�pm����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������{��W��v���i�pm����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������{��W��v���i�pm����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������{��W��v���i�pm����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������{��W��v���i�pm����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.769849645648934,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "54d4f81edf0ec48b602c996745fc1045",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\u0014\ufffdi\ufffdpm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\u0014\ufffdi\ufffdpm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\u0014\ufffdi\ufffdpm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\u0014\ufffdi\ufffdpm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\u0014\ufffdi\ufffdpm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "33fe74d195cb53269deee612477ce59de4f1f5d5",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\u0014\ufffdi\ufffdpm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\u0014\ufffdi\ufffdpm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\ufffdi\ufffdpm\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\u0014\ufffdi\ufffdpm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\u0014\ufffdi\ufffdpm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd{\ufffd\ufffdW\ufffd\ufffdv\ufffd\ufffdi\ufffdpm\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.67
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������-u]��h�wM����)�z����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������-u]��h�wM����)�z����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������-u]��h�wM����)�z����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������-u]��h�wM����)�z����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������-u]��h�wM����)�z����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.770052752434662,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fcfaeb8ba3c2d1302446eaad97494dbe",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "caa4b48991d2a371c944c42cef12ca9a9fdba124",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd-u]\ufffd\ufffdh\ufffdwM\ufffd\ufffd\ufffd\ufffd)\ufffdz\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 1.08
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������W`����ߑURf!d<�����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce_burst
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������W`����ߑURf!d<�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������W`����ߑURf!d<�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������W`����ߑURf!d<�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������W`����ߑURf!d<�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.777543957734733,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "8b55d35021455ff2f1458b0d04ed69bb38e1a8a1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "927051013383afe7711365b28020e289",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdW`\ufffd\ufffd\ufffd\u001e\u07d1URf!d<\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdW`\ufffd\ufffd\ufffd\u001e\u07d1URf!d<\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdW`\ufffd\ufffd\ufffd\u001e\u07d1URf!d<\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdW`\ufffd\ufffd\ufffd\u001e\u07d1URf!d<\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdW`\ufffd\ufffd\ufffd\u001e\u07d1URf!d<\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3cb9e51e077fa29f9b6633b5c30fdbc25db3d4c3",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdW`\ufffd\ufffd\ufffd\u001e\u07d1URf!d<\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdW`\ufffd\ufffd\ufffd\u001e\u07d1URf!d<\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdW`\ufffd\ufffd\ufffd\u07d1URf!d<\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdW`\ufffd\ufffd\ufffd\u001e\u07d1URf!d<\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdW`\ufffd\ufffd\ufffd\u001e\u07d1URf!d<\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdW`\ufffd\ufffd\ufffd\u07d1URf!d<\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 1.5
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������H���$��t��b�t�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������H���$��t��b�t�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������H���$��t��b�t�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������H���$��t��b�t�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������H���$��t��b�t�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.772106001391102,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ad7e85098834c3e698c81e85cb1d9c31",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdH\u0006\ufffd\u0017$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdH\u0006\ufffd\u0017$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdH\u0006\ufffd\u0017$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdH\u0006\ufffd\u0017$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdH\u0006\ufffd\u0017$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d433d92f4ae74bd2a734fedc12feef03b02f2c89",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdH\u0006\ufffd\u0017$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdH\u0006\ufffd\u0017$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdH\ufffd$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdH\u0006\ufffd\u0017$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdH\u0006\ufffd\u0017$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdH\ufffd$\ufffd\ufffdt\ufffd\ufffdb\ufffdt\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 1.66
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������L��_��X�'�P���q����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������L��_��X�'�P���q����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������L��_��X�'�P���q����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������L��_��X�'�P���q����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������L��_��X�'�P���q����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.782764213390163,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7ef08aad162055d181e8d7fe7f5cfbd2",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'\u0005P\ufffd\u0017\ufffdq\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'\u0005P\ufffd\u0017\ufffdq\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'\u0005P\ufffd\u0017\ufffdq\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'\u0005P\ufffd\u0017\ufffdq\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'\u0005P\ufffd\u0017\ufffdq\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "eacd360190785e6c13731b1071017c17249d7182",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'\u0005P\ufffd\u0017\ufffdq\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'\u0005P\ufffd\u0017\ufffdq\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'P\ufffd\ufffdq\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'\u0005P\ufffd\u0017\ufffdq\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'\u0005P\ufffd\u0017\ufffdq\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdL\ufffd\ufffd_\ufffd\ufffdX\ufffd'P\ufffd\ufffdq\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 0.93
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������������_�g���ٓ�����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������������_�g���ٓ�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������������_�g���ٓ�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������������_�g���ٓ�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������������_�g���ٓ�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.779150859962915,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "56a6764b3aed38ecfb19760f4654f13c",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\u0013\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\u0013\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\u0013\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\u0013\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\u0013\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ca5ebfe55a0524b0a2346a43c2d78a3172a86dfc",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\u0013\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\u0013\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\u0013\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\u0013\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd_\ufffdg\ufffd\ufffd\ufffd\u0653\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 16,
"ssh_auth_burst_rate": 1.07
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ���������y?Zt�M���v�������curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ���������y?Zt�M���v�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ���������y?Zt�M���v�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������y?Zt�M���v�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ���������y?Zt�M���v�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.775446947296886,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "520dd062f899278bc45b1d9f87d9f20c",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d06d7ceb8ac4c99c7dbf47e21c9d373e9edf693b",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffdy?Zt\ufffdM\ufffd\ufffd\ufffdv\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 13,
"ssh_auth_burst_rate": 1
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������NJ>���/��gTF� r�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������NJ>���/��gTF� r�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������NJ>���/��gTF� r�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������NJ>���/��gTF��r�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������NJ>���/��gTF� r�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.776761641505487,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e1fc3bd14e27577302a55a6eb7d8c33e",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014NJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffd\u000br\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014NJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffd\u000br\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014NJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffd\u000br\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014NJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffd\u000br\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014NJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffd\u000br\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a8af91d82949c8bee5f6ae7f7f4391e5201d65cb",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014NJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffd\u000br\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014NJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffd\u000br\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdNJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffdr\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014NJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffd\u000br\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014NJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffd\u000br\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdNJ>\ufffd\ufffd\ufffd\/\ufffd\ufffdgTF\ufffdr\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 1.08
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������.���t��m�� 9������curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce_burst
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������.���t��m�� 9������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������.���t��m�� 9������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
SSH-2.0 banner RFC4253
ET H.323 setup
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������.���t��m��
9������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������.���t��m�� 9������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.76924301941623,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "8b55d35021455ff2f1458b0d04ed69bb38e1a8a1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0348",
"pat-0391",
"pat-0868",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"SSH-2.0 banner RFC4253",
"ET H.323 setup",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0391",
"pat-0868",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "040e692b5c9aee9ee94cc6c9b55d825e",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd.\ufffd\u0017\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\u0003\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd.\ufffd\u0017\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\u0003\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd.\ufffd\u0017\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\u0003\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd.\ufffd\u0017\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\u0003\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd.\ufffd\u0017\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\u0003\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a38ba6d3fa62681582c35c0b2be622164e4be40d",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd.\ufffd\u0017\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\u0003\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd.\ufffd\u0017\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\u0003\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd.\ufffd\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd.\ufffd\u0017\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\u0003\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd.\ufffd\u0017\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\u0003\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd.\ufffd\ufffdt\ufffd\ufffdm\ufffd\ufffd\n9\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 13,
"ssh_auth_burst_rate": 1.3
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������q��1��1^�� e��f����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce_burst
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������q��1��1^�� e��f����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������q��1��1^�� e��f����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������q��1��1^�� e��f����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������q��1��1^�� e��f����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.768305730979149,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "8b55d35021455ff2f1458b0d04ed69bb38e1a8a1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a4048d3edde4bb4d542690596b2da55a",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdq\ufffd\u00131\u0014\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdq\ufffd\u00131\u0014\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdq\ufffd\u00131\u0014\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdq\ufffd\u00131\u0014\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdq\ufffd\u00131\u0014\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8e8bad3702aa92b8a2d4a622ea26276560364cc5",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdq\ufffd\u00131\u0014\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdq\ufffd\u00131\u0014\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdq\ufffd1\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdq\ufffd\u00131\u0014\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdq\ufffd\u00131\u0014\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdq\ufffd1\ufffd1^\ufffd\ufffd e\ufffd\ufffdf\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 1.4
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������f�E $&�D��)�+�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������f�E $&�D��)�+�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������f�E $&�D��)�+�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������f�E
$&�D��)�+�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������f�E $&�D��)�+�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.778018259850763,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "be677e4bce2347078b9dc9cafee71552",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdf\ufffdE\r$&\ufffdD\u0001\ufffd)\ufffd+\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdf\ufffdE\r$&\ufffdD\u0001\ufffd)\ufffd+\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdf\ufffdE\r$&\ufffdD\u0001\ufffd)\ufffd+\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdf\ufffdE\r$&\ufffdD\u0001\ufffd)\ufffd+\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdf\ufffdE\r$&\ufffdD\u0001\ufffd)\ufffd+\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a6251848c2b9d8451ff1d61c2eb8cc9a4449c806",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdf\ufffdE\r$&\ufffdD\u0001\ufffd)\ufffd+\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdf\ufffdE\r$&\ufffdD\u0001\ufffd)\ufffd+\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdf\ufffdE\r$&\ufffdD\ufffd)\ufffd+\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdf\ufffdE\r$&\ufffdD\u0001\ufffd)\ufffd+\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdf\ufffdE\r$&\ufffdD\u0001\ufffd)\ufffd+\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdf\ufffdE\r$&\ufffdD\ufffd)\ufffd+\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������ƌ,{����\�,��?�~����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������ƌ,{����\�,��?�~����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������ƌ,{����\�,��?�~����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������ƌ,{����\�,��?�~����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������ƌ,{����\�,��?�~����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.773391952059939,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4c023d246fd7796fc90014291569a8f9",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u018c,{\ufffd\ufffd\ufffd\u0000\\\ufffd,\ufffd\u0002?\ufffd~\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u018c,{\ufffd\ufffd\ufffd\u0000\\\ufffd,\ufffd\u0002?\ufffd~\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u018c,{\ufffd\ufffd\ufffd\u0000\\\ufffd,\ufffd\u0002?\ufffd~\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u018c,{\ufffd\ufffd\ufffd\u0000\\\ufffd,\ufffd\u0002?\ufffd~\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u018c,{\ufffd\ufffd\ufffd\u0000\\\ufffd,\ufffd\u0002?\ufffd~\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6dfda25a3b777c7109ef17c22407e7ef094c8c06",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u018c,{\ufffd\ufffd\ufffd\u0000\\\ufffd,\ufffd\u0002?\ufffd~\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u018c,{\ufffd\ufffd\ufffd\u0000\\\ufffd,\ufffd\u0002?\ufffd~\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\u018c,{\ufffd\ufffd\ufffd\\\ufffd,\ufffd?\ufffd~\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u018c,{\ufffd\ufffd\ufffd\u0000\\\ufffd,\ufffd\u0002?\ufffd~\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u018c,{\ufffd\ufffd\ufffd\u0000\\\ufffd,\ufffd\u0002?\ufffd~\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\u018c,{\ufffd\ufffd\ufffd\\\ufffd,\ufffd?\ufffd~\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 9,
"ssh_auth_burst_rate": 0.69
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������5�}�=�ږ3C�$d������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������5�}�=�ږ3C�$d������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������5�}�=�ږ3C�$d������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������5�}�=�ږ3C�$d������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������5�}�=�ږ3C�$d������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.774546675541131,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b3a33d890e270dff76ebe8e622594018",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "85fea4a6f4a22db17bff8b16d10c523773ea7a3f",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd5\ufffd}\ufffd=\ufffd\u06963C\ufffd$d\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.83,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������ �FU$i��6J~2�h�����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������ �FU$i��6J~2�h�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������ �FU$i��6J~2�h�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������
�FU$i��6J~2�h�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������ �FU$i��6J~2�h�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.768432107608405,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "aa9af5a21d367ab47daf739178cee29e",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9deb8886ba60ceb0f75ea104042ceaa37b0e2c36",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\n\ufffdFU$i\ufffd\ufffd6J~2\ufffdh\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.67,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ���������A�( 9���b��������curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ���������A�( 9���b��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ���������A�( 9���b��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������A�(�9���b��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ���������A�( 9���b��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.776395127943019,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a45aa18fdd852f35917789c85392c7a4",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001f\ufffdA\ufffd(\f9\ufffd\ufffd\ufffdb\ufffd\u001c\ufffd\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001f\ufffdA\ufffd(\f9\ufffd\ufffd\ufffdb\ufffd\u001c\ufffd\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001f\ufffdA\ufffd(\f9\ufffd\ufffd\ufffdb\ufffd\u001c\ufffd\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001f\ufffdA\ufffd(\f9\ufffd\ufffd\ufffdb\ufffd\u001c\ufffd\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001f\ufffdA\ufffd(\f9\ufffd\ufffd\ufffdb\ufffd\u001c\ufffd\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9306476330fcbacbc5397be926c4d43587097a97",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001f\ufffdA\ufffd(\f9\ufffd\ufffd\ufffdb\ufffd\u001c\ufffd\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001f\ufffdA\ufffd(\f9\ufffd\ufffd\ufffdb\ufffd\u001c\ufffd\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdA\ufffd(9\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001f\ufffdA\ufffd(\f9\ufffd\ufffd\ufffdb\ufffd\u001c\ufffd\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001f\ufffdA\ufffd(\f9\ufffd\ufffd\ufffdb\ufffd\u001c\ufffd\u001c\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdA\ufffd(9\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.61
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������@����i�hw��r8Q�j����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������@����i�hw��r8Q�j����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������@����i�hw��r8Q�j����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������@����i�hw��r8Q�j����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������@����i�hw��r8Q�j����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.765799248361127,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b74bd2da96fb3cc2b9679420aac9ff24",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "90b371c8880274f82ef9371f8d9bbae8ca5ac207",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd@\ufffd\ufffd\ufffd\ufffdi\ufffdhw\ufffd\ufffdr8Q\ufffdj\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������jC' E�����!1P�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������jC' E�����!1P�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������jC' E�����!1P�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������jC'�E�����!1P�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������jC' E�����!1P�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.780031658983479,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a42d106dc1093a27071674eeba7110e7",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdjC'\u000bE\ufffd\ufffd\u0004\ufffd\ufffd!1P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdjC'\u000bE\ufffd\ufffd\u0004\ufffd\ufffd!1P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdjC'\u000bE\ufffd\ufffd\u0004\ufffd\ufffd!1P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdjC'\u000bE\ufffd\ufffd\u0004\ufffd\ufffd!1P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdjC'\u000bE\ufffd\ufffd\u0004\ufffd\ufffd!1P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ce6debb6bc167cd51a4b80b621d137524d1d6a30",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdjC'\u000bE\ufffd\ufffd\u0004\ufffd\ufffd!1P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdjC'\u000bE\ufffd\ufffd\u0004\ufffd\ufffd!1P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdjC'E\ufffd\ufffd\ufffd\ufffd!1P\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdjC'\u000bE\ufffd\ufffd\u0004\ufffd\ufffd!1P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdjC'\u000bE\ufffd\ufffd\u0004\ufffd\ufffd!1P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdjC'E\ufffd\ufffd\ufffd\ufffd!1P\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.91
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������̶�f�S���Z���������curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������̶�f�S���Z���������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������̶�f�S���Z���������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������̶�f�S���Z���������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������̶�f�S���Z���������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.777241406339932,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1dcbf01b5e5f22821b39e7a341abe063",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0336\ufffdf\u0003S\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\u0001\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0336\ufffdf\u0003S\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\u0001\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0336\ufffdf\u0003S\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\u0001\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0336\ufffdf\u0003S\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\u0001\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0336\ufffdf\u0003S\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\u0001\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b1f3acb448da99c35cd75e6b35e19c6610e99269",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0336\ufffdf\u0003S\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\u0001\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0336\ufffdf\u0003S\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\u0001\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\u0336\ufffdfS\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0336\ufffdf\u0003S\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\u0001\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\u0336\ufffdf\u0003S\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\u0001\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\u0336\ufffdfS\ufffd\ufffd\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.67
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������#� =����qcТ�����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������#� =����qcТ�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������#� =����qc�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������#�
=����qc�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������#� =����qc�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.775927304824709,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b1b80bdc41dd8602dfa22b7978df8bd1",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd#\ufffd\r=\u0001\u0006\ufffd\ufffdqc\u0422\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd#\ufffd\r=\u0001\u0006\ufffd\ufffdqc\u0422\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd#\ufffd\r=\u0001\u0006\ufffd\ufffdqc\u0422\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd#\ufffd\r=\u0001\u0006\ufffd\ufffdqc\u0422\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd#\ufffd\r=\u0001\u0006\ufffd\ufffdqc\u0422\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "187be3a917138ee5f67128e9defa8a9986e7ca31",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd#\ufffd\r=\u0001\u0006\ufffd\ufffdqc\u0422\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd#\ufffd\r=\u0001\u0006\ufffd\ufffdqc\u0422\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd#\ufffd\r=\ufffd\ufffdqc\u0422\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd#\ufffd\r=\u0001\u0006\ufffd\ufffdqc\u0422\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd#\ufffd\r=\u0001\u0006\ufffd\ufffdqc\u0422\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd#\ufffd\r=\ufffd\ufffdqc\u0422\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.67
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������������"�Pۤ��������curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������������"�Pۤ��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������������"�Pۤ��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������������"�Pۤ��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������������"�Pۤ��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.78083371145966,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bf4ad3e2328375782d2e8df23e88721b",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\u0007P\u06e4\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\u0007P\u06e4\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\u0007P\u06e4\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\u0007P\u06e4\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\u0007P\u06e4\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5dee220f122fb1312d436e6356de5f1704467cf7",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\u0007P\u06e4\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\u0007P\u06e4\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"P\u06e4\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\u0007P\u06e4\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\u0007P\u06e4\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"P\u06e4\ufffd\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 6,
"ssh_auth_burst_rate": 0.6
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������e,8���C?�T�� !�����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������e,8���C?�T�� !�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������e,8���C?�T�� !�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������e,8���C?�T�� !�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������e,8���C?�T�� !�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.771264253816556,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4f0e0be7ca6ac56c44b7eadd439d6296",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014e,8\ufffd\ufffd\ufffdC?\ufffdT\u0001\ufffd !\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014e,8\ufffd\ufffd\ufffdC?\ufffdT\u0001\ufffd !\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014e,8\ufffd\ufffd\ufffdC?\ufffdT\u0001\ufffd !\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014e,8\ufffd\ufffd\ufffdC?\ufffdT\u0001\ufffd !\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014e,8\ufffd\ufffd\ufffdC?\ufffdT\u0001\ufffd !\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f944eac17e877fc0507597fa44e20b290803e7bb",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014e,8\ufffd\ufffd\ufffdC?\ufffdT\u0001\ufffd !\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014e,8\ufffd\ufffd\ufffdC?\ufffdT\u0001\ufffd !\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffde,8\ufffd\ufffd\ufffdC?\ufffdT\ufffd !\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014e,8\ufffd\ufffd\ufffdC?\ufffdT\u0001\ufffd !\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014e,8\ufffd\ufffd\ufffdC?\ufffdT\u0001\ufffd !\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffde,8\ufffd\ufffd\ufffdC?\ufffdT\ufffd !\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ���������ȶJ�@-]�Lް�*����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ���������ȶJ�@-]�Lް�*����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ���������ȶJ�@-]�Lް�*����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������ȶJ�@-]�Lް�*����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ���������ȶJ�@-]�Lް�*����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.774253794211235,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "537d1d34f8ed15fc29972a102224ef0c",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9332a254792607846b4b0a54d1c793dd67119584",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\u0236J\ufffd@-]\ufffdL\u07b0\ufffd*\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ���������ڀF�8�������curve25519-sha256,c…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ���������ڀF�8�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-ni…
Payload
SSH-2.0-AsyncSSH_2.1.0 ���������ڀF�8�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������ڀF�8�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ���������ڀF�8�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.779931766608469,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b34b16ce64da5d7430db83b8b6f03d6c",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\u0004\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\u0004\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\u0004\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\u0004\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\u0004\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a5c85478945ea6ec94f9e8613711ff124335e232",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\u0004\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\u0004\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\u0004\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\u0004\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\u0680F\ufffd\ud8e8\udde28\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������{Ky;о��u�8�w˙�����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������{Ky;о��u�8�w˙�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������{Ky;о��u�8�w˙�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������{Ky;о��u�8�w˙�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������{Ky;о��u�8�w˙�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.774112604095409,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6a1f39c3b8103214ad4d44efd39930b4",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014{Ky;\u043e\u0004\ufffdu\ufffd8\ufffdw\u02d9\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014{Ky;\u043e\u0004\ufffdu\ufffd8\ufffdw\u02d9\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014{Ky;\u043e\u0004\ufffdu\ufffd8\ufffdw\u02d9\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014{Ky;\u043e\u0004\ufffdu\ufffd8\ufffdw\u02d9\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014{Ky;\u043e\u0004\ufffdu\ufffd8\ufffdw\u02d9\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2d05c197a113995f272e4fc26df7921c9e2bbc12",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014{Ky;\u043e\u0004\ufffdu\ufffd8\ufffdw\u02d9\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014{Ky;\u043e\u0004\ufffdu\ufffd8\ufffdw\u02d9\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd{Ky;\u043e\ufffdu\ufffd8\ufffdw\u02d9\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014{Ky;\u043e\u0004\ufffdu\ufffd8\ufffdw\u02d9\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014{Ky;\u043e\u0004\ufffdu\ufffd8\ufffdw\u02d9\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd{Ky;\u043e\ufffdu\ufffd8\ufffdw\u02d9\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 6,
"ssh_auth_burst_rate": 0.5
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������f$���f��ղ��?�ȕ����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������f$���f��ղ��?�ȕ����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������f$���f��ղ��?�ȕ����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������f$���f��ղ��?�ȕ����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������f$���f��ղ��?�ȕ����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.776731642781915,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c2e1b939ee840930f1f887a58f5600db",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f$\u0011\ufffd\u0005f\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f$\u0011\ufffd\u0005f\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f$\u0011\ufffd\u0005f\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f$\u0011\ufffd\u0005f\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f$\u0011\ufffd\u0005f\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5f49b17c8f56fec9e2394ec81c4c6b924c1bf3cb",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f$\u0011\ufffd\u0005f\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f$\u0011\ufffd\u0005f\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdf$\ufffdf\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f$\u0011\ufffd\u0005f\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f$\u0011\ufffd\u0005f\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdf$\ufffdf\ufffd\ufffd\u0572\ufffd\ufffd?\ufffd\u0215\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.53
}
|