|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������������H����� :#����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������������H����� :#����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������������H����� :#����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������������H����� :#����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������������H����� :#����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.782399885445102,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "482ef384edfe88a164b58a02c966882c",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\u0004 :#\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\u0004 :#\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\u0004 :#\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\u0004 :#\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\u0004 :#\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "90da286e80dc8856b2d454eec651c62c03bc5974",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\u0004 :#\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\u0004 :#\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd :#\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\u0004 :#\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd\u0004 :#\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd\ufffd\ufffd :#\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.61
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������-��܂o�`C��mg�4����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������-��܂o�`C��mg�4����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������-��܂o�`C��mg�4����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������-��܂o�`C��mg�4����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������-��܂o�`C��mg�4����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.766321445653257,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "dfa754ec86f7b4f85ea85ae54dfbbdce",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "883a7257e6d45bbb4ee57ac888f71298a483d278",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd-\ufffd\ufffd\u0702o\ufffd`C\ufffd\ufffdmg\ufffd4\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������:�u�ؑ�y\7ʣx�1F����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������:�u�ؑ�y\7ʣx�1F����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������:�u�ؑ�y\7ʣx�1F����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������:�u�ؑ�y\7ʣx�1F����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������:�u�ؑ�y\7ʣx�1F����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.771080148499533,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c02a4d7b139cdca3b5708e3c356cc10f",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014:\u001eu\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014:\u001eu\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014:\u001eu\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014:\u001eu\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014:\u001eu\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a62c5c5b16aed9993ebeab0fb394d50972ec044f",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014:\u001eu\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014:\u001eu\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd:u\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014:\u001eu\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014:\u001eu\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd:u\ufffd\u0611\ufffdy\\7\u02a3x\ufffd1F\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������������@ ��{������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������������@ ��{������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������������@ ��{������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������������@
��{������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������������@ ��{������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.775949858767765,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a4a82a71dddc0ac5fc67eb2ee5ab400d",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u001c\ufffd@\n\ufffd\ufffd{\ufffd\u0014\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u001c\ufffd@\n\ufffd\ufffd{\ufffd\u0014\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u001c\ufffd@\n\ufffd\ufffd{\ufffd\u0014\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u001c\ufffd@\n\ufffd\ufffd{\ufffd\u0014\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u001c\ufffd@\n\ufffd\ufffd{\ufffd\u0014\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2c556a3c4efce0f41e78bcd39bbd7487ca474736",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u001c\ufffd@\n\ufffd\ufffd{\ufffd\u0014\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u001c\ufffd@\n\ufffd\ufffd{\ufffd\u0014\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd@\n\ufffd\ufffd{\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u001c\ufffd@\n\ufffd\ufffd{\ufffd\u0014\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd\u0000\ufffd\ufffd\u001c\ufffd@\n\ufffd\ufffd{\ufffd\u0014\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd@\n\ufffd\ufffd{\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.71
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ����������b���z��%�js�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ����������b���z��%�js�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ����������b���z��%�js�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
����������b���z��%�js�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ����������b���z��%�js�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.775053570619248,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ab3c490bb7ee2d140985a6d7020cf552",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0012\ufffdb\u0001\ufffd\u001az\ufffd\ufffd%\ufffdjs\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0012\ufffdb\u0001\ufffd\u001az\ufffd\ufffd%\ufffdjs\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0012\ufffdb\u0001\ufffd\u001az\ufffd\ufffd%\ufffdjs\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0012\ufffdb\u0001\ufffd\u001az\ufffd\ufffd%\ufffdjs\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0012\ufffdb\u0001\ufffd\u001az\ufffd\ufffd%\ufffdjs\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4368a99e4424223780315598f35590963762e5ba",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0012\ufffdb\u0001\ufffd\u001az\ufffd\ufffd%\ufffdjs\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0012\ufffdb\u0001\ufffd\u001az\ufffd\ufffd%\ufffdjs\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffdb\ufffdz\ufffd\ufffd%\ufffdjs\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0012\ufffdb\u0001\ufffd\u001az\ufffd\ufffd%\ufffdjs\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0012\ufffdb\u0001\ufffd\u001az\ufffd\ufffd%\ufffdjs\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffdb\ufffdz\ufffd\ufffd%\ufffdjs\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������@qA�����+������^����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������@qA�����+������^����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������@qA�����+������^����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������@qA�����+������^����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������@qA�����+������^����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.775890605788431,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b0d266457f66b652981af3ecd60bb76f",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@qA\ufffd\ufffd\u0001\ufffd\ufffd+\ufffd\u0013\ufffd\ufffd\ufffd\ufffd^\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@qA\ufffd\ufffd\u0001\ufffd\ufffd+\ufffd\u0013\ufffd\ufffd\ufffd\ufffd^\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@qA\ufffd\ufffd\u0001\ufffd\ufffd+\ufffd\u0013\ufffd\ufffd\ufffd\ufffd^\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@qA\ufffd\ufffd\u0001\ufffd\ufffd+\ufffd\u0013\ufffd\ufffd\ufffd\ufffd^\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@qA\ufffd\ufffd\u0001\ufffd\ufffd+\ufffd\u0013\ufffd\ufffd\ufffd\ufffd^\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "978f676b9803def91b5dfe3eee2ec486033c6b08",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@qA\ufffd\ufffd\u0001\ufffd\ufffd+\ufffd\u0013\ufffd\ufffd\ufffd\ufffd^\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@qA\ufffd\ufffd\u0001\ufffd\ufffd+\ufffd\u0013\ufffd\ufffd\ufffd\ufffd^\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd@qA\ufffd\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@qA\ufffd\ufffd\u0001\ufffd\ufffd+\ufffd\u0013\ufffd\ufffd\ufffd\ufffd^\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014@qA\ufffd\ufffd\u0001\ufffd\ufffd+\ufffd\u0013\ufffd\ufffd\ufffd\ufffd^\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd@qA\ufffd\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd^\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.71
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������-MDЅ�z���7Z#������curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������-MDЅ�z���7Z#������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������-MDЅ�z���7Z#������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������-MDЅ�z���7Z#������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������-MDЅ�z���7Z#������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.777090467461324,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "42c78c373e67f8e1e20cef4d053052a2",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "976be685a4375a4fcc3876daf0bc482de95952ce",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd-MD\u0405\ufffdz\ufffd\ufffd\ufffd7Z#\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 16,
"ssh_auth_burst_rate": 1.14
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������EB��ݠCLXK���\`����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce_burst
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������EB��ݠCLXK���\`����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������EB��ݠCLXK���\`����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������EB��ݠCLXK���\`����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������EB��ݠCLXK���\`����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.783729464355414,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "8b55d35021455ff2f1458b0d04ed69bb38e1a8a1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2ae5bf8096da04a68aaedc3fb8d14dfb",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014EB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\u0011\\`\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014EB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\u0011\\`\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014EB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\u0011\\`\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014EB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\u0011\\`\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014EB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\u0011\\`\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "00a4778c9104046a93acc87e43aca3e09f135edc",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014EB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\u0011\\`\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014EB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\u0011\\`\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdEB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\\`\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014EB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\u0011\\`\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014EB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\u0011\\`\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdEB\ufffd\ufffd\u0760CLXK\ufffd\ufffd\\`\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 16,
"ssh_auth_burst_rate": 1.33
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������+���x�����̲O�-����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce_burst
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������+���x�����̲O�-����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������+���x�����̲O�-����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������+���x�����̲O�-����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������+���x�����̲O�-����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.775888621420942,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "8b55d35021455ff2f1458b0d04ed69bb38e1a8a1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c9849cd9ab3aad36d230c9233c0a0017",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\b\ufffd\ufffd\u0332O\ufffd-\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\b\ufffd\ufffd\u0332O\ufffd-\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\b\ufffd\ufffd\u0332O\ufffd-\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\b\ufffd\ufffd\u0332O\ufffd-\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\b\ufffd\ufffd\u0332O\ufffd-\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "96b8d295bb09355ebba94e915a9ee8324984eab3",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\b\ufffd\ufffd\u0332O\ufffd-\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\b\ufffd\ufffd\u0332O\ufffd-\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\u0332O\ufffd-\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\b\ufffd\ufffd\u0332O\ufffd-\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\b\ufffd\ufffd\u0332O\ufffd-\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd+\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd\ufffd\u0332O\ufffd-\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 1.75
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ���������[�Sp��3�'�������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce_burst
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ���������[�Sp��3�'�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ���������[�Sp��3�'�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������[�Sp��3�'�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ���������[�Sp��3�'�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.773691398746849,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "8b55d35021455ff2f1458b0d04ed69bb38e1a8a1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b0925b81fb3605986eb4e7781ea45f76",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd[\ufffdSp\ufffd\u00023\ufffd'\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd[\ufffdSp\ufffd\u00023\ufffd'\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd[\ufffdSp\ufffd\u00023\ufffd'\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd[\ufffdSp\ufffd\u00023\ufffd'\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd[\ufffdSp\ufffd\u00023\ufffd'\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "092ced76d4bfb208339beb74c30023bbe5f4e291",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd[\ufffdSp\ufffd\u00023\ufffd'\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd[\ufffdSp\ufffd\u00023\ufffd'\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd[\ufffdSp\ufffd3\ufffd'\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd[\ufffdSp\ufffd\u00023\ufffd'\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd[\ufffdSp\ufffd\u00023\ufffd'\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd[\ufffdSp\ufffd3\ufffd'\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 0.93
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������l��� "��a { ��e�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������l��� "��a { ��e�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������l��� "��a { ��e�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������l����"��a {���e�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������l��� "��a { ��e�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.769995210698184,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c2af653963afe81fe6b4dd1f10379df3",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014l\ufffd\ufffd\ufffd\f\"\ufffd\u001aa {\f\u0001\ufffde\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014l\ufffd\ufffd\ufffd\f\"\ufffd\u001aa {\f\u0001\ufffde\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014l\ufffd\ufffd\ufffd\f\"\ufffd\u001aa {\f\u0001\ufffde\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014l\ufffd\ufffd\ufffd\f\"\ufffd\u001aa {\f\u0001\ufffde\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014l\ufffd\ufffd\ufffd\f\"\ufffd\u001aa {\f\u0001\ufffde\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1f6e4f6cddfbd38a331af6424e013e80784ca950",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014l\ufffd\ufffd\ufffd\f\"\ufffd\u001aa {\f\u0001\ufffde\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014l\ufffd\ufffd\ufffd\f\"\ufffd\u001aa {\f\u0001\ufffde\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdl\ufffd\ufffd\ufffd\"\ufffda {\ufffde\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014l\ufffd\ufffd\ufffd\f\"\ufffd\u001aa {\f\u0001\ufffde\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014l\ufffd\ufffd\ufffd\f\"\ufffd\u001aa {\f\u0001\ufffde\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdl\ufffd\ufffd\ufffd\"\ufffda {\ufffde\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 16,
"ssh_auth_burst_rate": 1.07
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������dh�F�b �/�w)�����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������dh�F�b �/�w)�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������dh�F�b �/�w)�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������dh�F�b
�/�w)�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������dh�F�b �/�w)�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.7705688640489115,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "993551cca2276b6e8fad85e77c36355f",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003dh\ufffdF\ufffdb\r\u0006\/\ufffdw)\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003dh\ufffdF\ufffdb\r\u0006\/\ufffdw)\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003dh\ufffdF\ufffdb\r\u0006\/\ufffdw)\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003dh\ufffdF\ufffdb\r\u0006\/\ufffdw)\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003dh\ufffdF\ufffdb\r\u0006\/\ufffdw)\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ac2ca512dee5887dc6fbc886ada03ab7252ac49f",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003dh\ufffdF\ufffdb\r\u0006\/\ufffdw)\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003dh\ufffdF\ufffdb\r\u0006\/\ufffdw)\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffddh\ufffdF\ufffdb\r\/\ufffdw)\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003dh\ufffdF\ufffdb\r\u0006\/\ufffdw)\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0003dh\ufffdF\ufffdb\r\u0006\/\ufffdw)\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffddh\ufffdF\ufffdb\r\/\ufffdw)\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 16,
"ssh_auth_burst_rate": 1.07
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������kN�������+�C�%������curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������kN�������+�C�%������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������kN�������+�C�%������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������kN�������+�C�%������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������kN�������+�C�%������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.7804693835146,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "e1f34b4198f2083c5aa181e4d68b7f8d",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014kN\ufffd\u0014\ufffd\ufffd\ufffd\u0019\u0016+\u0018C\ufffd%\ufffd\u0006\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014kN\ufffd\u0014\ufffd\ufffd\ufffd\u0019\u0016+\u0018C\ufffd%\ufffd\u0006\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014kN\ufffd\u0014\ufffd\ufffd\ufffd\u0019\u0016+\u0018C\ufffd%\ufffd\u0006\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014kN\ufffd\u0014\ufffd\ufffd\ufffd\u0019\u0016+\u0018C\ufffd%\ufffd\u0006\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014kN\ufffd\u0014\ufffd\ufffd\ufffd\u0019\u0016+\u0018C\ufffd%\ufffd\u0006\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3e27360761f445640c159ab0fad86bf762cadd7a",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014kN\ufffd\u0014\ufffd\ufffd\ufffd\u0019\u0016+\u0018C\ufffd%\ufffd\u0006\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014kN\ufffd\u0014\ufffd\ufffd\ufffd\u0019\u0016+\u0018C\ufffd%\ufffd\u0006\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdkN\ufffd\ufffd\ufffd\ufffd+C\ufffd%\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014kN\ufffd\u0014\ufffd\ufffd\ufffd\u0019\u0016+\u0018C\ufffd%\ufffd\u0006\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014kN\ufffd\u0014\ufffd\ufffd\ufffd\u0019\u0016+\u0018C\ufffd%\ufffd\u0006\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdkN\ufffd\ufffd\ufffd\ufffd+C\ufffd%\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 14,
"ssh_auth_burst_rate": 1
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������w(ʵ�c�} ��>�x������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������w(ʵ�c�} ��>�x������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������w(ʵ�c�} ��>�x������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������w(ʵ�c�} ��>�x������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������w(ʵ�c�} ��>�x������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.773808405439785,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "784a1df6570828c8bdf5e3f5318b6926",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014w(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>\u0014x\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014w(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>\u0014x\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014w(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>\u0014x\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014w(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>\u0014x\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014w(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>\u0014x\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9b5b5d32f166f544a83d88703f3a58f9550f2f58",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014w(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>\u0014x\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014w(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>\u0014x\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdw(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>x\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014w(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>\u0014x\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014w(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>\u0014x\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdw(\u02b5\ufffdc\ufffd}\t\ufffd\ufffd>x\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.92
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������|6����ڪ�������U����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������|6����ڪ�������U����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������|6����ڪ�������U����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������|6����ڪ�������U����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������|6����ڪ�������U����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.780473461816868,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b4b472d9166560f89b9baff62283bd7a",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014|6\ufffd\u0016\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\u001c\ufffd\ufffdU\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014|6\ufffd\u0016\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\u001c\ufffd\ufffdU\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014|6\ufffd\u0016\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\u001c\ufffd\ufffdU\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014|6\ufffd\u0016\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\u001c\ufffd\ufffdU\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014|6\ufffd\u0016\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\u001c\ufffd\ufffdU\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "44eef47cce49b3f2083f4b5de3b35c4b28596d7a",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014|6\ufffd\u0016\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\u001c\ufffd\ufffdU\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014|6\ufffd\u0016\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\u001c\ufffd\ufffdU\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd|6\ufffd\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014|6\ufffd\u0016\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\u001c\ufffd\ufffdU\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014|6\ufffd\u0016\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\u001c\ufffd\ufffdU\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd|6\ufffd\ufffd\ufffd\u06aa\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.91
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������K VL��n�����}S�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce_burst
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������K VL��n�����}S�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������K VL��n�����}S�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������K
VL��n�����}S�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������K VL��n�����}S�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.777504653841683,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "8b55d35021455ff2f1458b0d04ed69bb38e1a8a1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3dda103ef6079b1d77c4a055085c61f3",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdK\rVL\u001e\ufffdn\ufffd\ufffd\u0003\ufffd\ufffd}S\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdK\rVL\u001e\ufffdn\ufffd\ufffd\u0003\ufffd\ufffd}S\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdK\rVL\u001e\ufffdn\ufffd\ufffd\u0003\ufffd\ufffd}S\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdK\rVL\u001e\ufffdn\ufffd\ufffd\u0003\ufffd\ufffd}S\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdK\rVL\u001e\ufffdn\ufffd\ufffd\u0003\ufffd\ufffd}S\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2cd7ef8e26f98d03d4805c815b0ccc23d24ca578",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdK\rVL\u001e\ufffdn\ufffd\ufffd\u0003\ufffd\ufffd}S\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdK\rVL\u001e\ufffdn\ufffd\ufffd\u0003\ufffd\ufffd}S\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdK\rVL\ufffdn\ufffd\ufffd\ufffd\ufffd}S\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdK\rVL\u001e\ufffdn\ufffd\ufffd\u0003\ufffd\ufffd}S\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdK\rVL\u001e\ufffdn\ufffd\ufffd\u0003\ufffd\ufffd}S\u0011\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdK\rVL\ufffdn\ufffd\ufffd\ufffd\ufffd}S\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 1.2,
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������Abmkf�t@�ɓ�}�������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������Abmkf�t@�ɓ�}�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������Abmkf�t@�ɓ�}�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������Abmkf�t@�ɓ�}�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������Abmkf�t@�ɓ�}�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.764743109224135,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "eaf384530d4722ca8fe370cc69a85b05",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Abmkf\ufffdt@\u0002\u0253\ufffd}\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Abmkf\ufffdt@\u0002\u0253\ufffd}\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Abmkf\ufffdt@\u0002\u0253\ufffd}\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Abmkf\ufffdt@\u0002\u0253\ufffd}\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Abmkf\ufffdt@\u0002\u0253\ufffd}\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9068de73c3a572462dd354293679c823c614dd7c",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Abmkf\ufffdt@\u0002\u0253\ufffd}\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Abmkf\ufffdt@\u0002\u0253\ufffd}\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdAbmkf\ufffdt@\u0253\ufffd}\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Abmkf\ufffdt@\u0002\u0253\ufffd}\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Abmkf\ufffdt@\u0002\u0253\ufffd}\ufffd\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdAbmkf\ufffdt@\u0253\ufffd}\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 13,
"ssh_auth_burst_rate": 0.87
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 48
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0
Émulateur
SSH
WAF
—
Recommandation
Surveiller
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0
Payload
SSH-2.0-AsyncSSH_2.1.0
Pourquoi cette classification : Bannière client SSH reçue · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 24,
"payload_entropy": 3.7201755214643453,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 10,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 10
},
"risk_score": 48,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "4a45e4d33f97e8b4f72cec668436cd7874f21b44",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 83,
"precision_signals": [
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253"
],
"pattern_ids": [
"pat-0391"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5a9a153066f82d9d0f12e1a026c6ec51",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 48
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "26cd5e9d9e07e27ed4775b7d343e3aa8f288e53c",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 10,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"pat-0391",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.86
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������?���с��h�nz������curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������?���с��h�nz������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������?���с��h�nz������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������?���с��h�nz������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������?���с��h�nz������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.775132452908409,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f97bb107a7e2a875bef169eae16c998a",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014?\ufffd\u0011\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\u0011\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014?\ufffd\u0011\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\u0011\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014?\ufffd\u0011\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\u0011\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014?\ufffd\u0011\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\u0011\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014?\ufffd\u0011\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\u0011\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "525a9931b0ca4f4b03a2fcd9b3d87836fcec63b9",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014?\ufffd\u0011\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\u0011\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014?\ufffd\u0011\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\u0011\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd?\ufffd\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014?\ufffd\u0011\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\u0011\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014?\ufffd\u0011\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\u0011\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd?\ufffd\ufffd\u0441\u07b2\ufffd\ufffdh\ufffdnz\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.71
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������L%�g����8A�FF�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������L%�g����8A�FF�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������L%�g����8A�FF�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������L%�g����8A�FF�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������L%�g����8A�FF�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.776318413181222,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "80a56f553b888bd56e8c65fb76f85adf",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdL%\ufffdg\ufffd\ufffd\u0012\ufffd8A\ufffdFF\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdL%\ufffdg\ufffd\ufffd\u0012\ufffd8A\ufffdFF\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdL%\ufffdg\ufffd\ufffd\u0012\ufffd8A\ufffdFF\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdL%\ufffdg\ufffd\ufffd\u0012\ufffd8A\ufffdFF\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdL%\ufffdg\ufffd\ufffd\u0012\ufffd8A\ufffdFF\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "296eeba89520867277e54002a9f8e822a631ed88",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdL%\ufffdg\ufffd\ufffd\u0012\ufffd8A\ufffdFF\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdL%\ufffdg\ufffd\ufffd\u0012\ufffd8A\ufffdFF\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdL%\ufffdg\ufffd\ufffd\ufffd8A\ufffdFF\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdL%\ufffdg\ufffd\ufffd\u0012\ufffd8A\ufffdFF\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdL%\ufffdg\ufffd\ufffd\u0012\ufffd8A\ufffdFF\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdL%\ufffdg\ufffd\ufffd\ufffd8A\ufffdFF\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.77
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������n�;`�e�T�l�]k(�V����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������n�;`�e�T�l�]k(�V����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������n�;`�e�T�l�]k(�V����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������n�;`�e�T�l�]k(�V����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������n�;`�e�T�l�]k(�V����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.773267881213883,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "91f1f6e97b299a9206f69408d4e3cf7b",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bc9ab3e2e8685486162e6cc681bb7ad3a85b138a",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdn\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014n\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdn\ufffd;`\ufffde\ufffdT\ufffdl\ufffd]k(\ufffdV\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������>�4֭����� �@P�����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������>�4֭����� �@P�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������>�4֭����� �@P�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������>�4֭����� �@P�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������>�4֭����� �@P�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.775585530822706,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3b52552911cbec4661cd744be5a66824",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd>\u00064\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t\u0004@P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd>\u00064\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t\u0004@P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd>\u00064\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t\u0004@P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd>\u00064\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t\u0004@P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd>\u00064\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t\u0004@P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "93e41f47f9730766e7a57a83a0553fa782610dec",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd>\u00064\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t\u0004@P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd>\u00064\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t\u0004@P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd>4\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t@P\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd>\u00064\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t\u0004@P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd>\u00064\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t\u0004@P\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd>4\u05ad\ufffd\ufffd\ufffd\ufffd\ufffd\t@P\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 1.11
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������I�=�]��Р��֓{}����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������I�=�]��Р��֓{}����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������I�=�]��Р��֓{}����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������I�=�]��Р��֓{}����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������I�=�]��Р��֓{}����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.7817989624249115,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8dacd70ce0df264ecfd42bbae9aaaade",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\ufffd=\ufffd]\u0015\ufffd\u0420\u0012\u0003\u0593{}\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\ufffd=\ufffd]\u0015\ufffd\u0420\u0012\u0003\u0593{}\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\ufffd=\ufffd]\u0015\ufffd\u0420\u0012\u0003\u0593{}\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\ufffd=\ufffd]\u0015\ufffd\u0420\u0012\u0003\u0593{}\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\ufffd=\ufffd]\u0015\ufffd\u0420\u0012\u0003\u0593{}\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "923320f33a352c7c5c1e7918b6b2ccb1c97fd1f0",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\ufffd=\ufffd]\u0015\ufffd\u0420\u0012\u0003\u0593{}\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\ufffd=\ufffd]\u0015\ufffd\u0420\u0012\u0003\u0593{}\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdI\ufffd=\ufffd]\ufffd\u0420\u0593{}\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\ufffd=\ufffd]\u0015\ufffd\u0420\u0012\u0003\u0593{}\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\ufffd=\ufffd]\u0015\ufffd\u0420\u0012\u0003\u0593{}\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdI\ufffd=\ufffd]\ufffd\u0420\u0593{}\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 9,
"ssh_auth_burst_rate": 1.12
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������D��I��ĥ�6��������curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������D��I��ĥ�6��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������D��I��ĥ�6��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������D��I��ĥ�6��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������D��I��ĥ�6��������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.779508210851617,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c0e7e16b9069edcc94f8edbac13bd21d",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdD\u0012\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\u001d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdD\u0012\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\u001d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdD\u0012\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\u001d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdD\u0012\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\u001d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdD\u0012\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\u001d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "987f0eac49a1cf2cb85caecb4a53da040c06dec2",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdD\u0012\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\u001d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdD\u0012\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\u001d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdD\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdD\u0012\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\u001d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdD\u0012\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\u001d\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdD\ufffdI\ufffd\ufffd\u0125\ufffd6\ufffd\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������z�4���b�D��A4�}O����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������z�4���b�D��A4�}O����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������z�4���b�D��A4�}O����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������z�4���b�D��A4�}O����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������z�4���b�D��A4�}O����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.773857219619972,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1573865c2a0025c1978fcd3cb6170135",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014z\u00104\ufffd\ufffd\u0014b\ufffdD\ufffd\ufffdA4\ufffd}O\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014z\u00104\ufffd\ufffd\u0014b\ufffdD\ufffd\ufffdA4\ufffd}O\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014z\u00104\ufffd\ufffd\u0014b\ufffdD\ufffd\ufffdA4\ufffd}O\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014z\u00104\ufffd\ufffd\u0014b\ufffdD\ufffd\ufffdA4\ufffd}O\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014z\u00104\ufffd\ufffd\u0014b\ufffdD\ufffd\ufffdA4\ufffd}O\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5d6f7146fcccff432b8fc5f28d60b786484e812c",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014z\u00104\ufffd\ufffd\u0014b\ufffdD\ufffd\ufffdA4\ufffd}O\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014z\u00104\ufffd\ufffd\u0014b\ufffdD\ufffd\ufffdA4\ufffd}O\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdz4\ufffd\ufffdb\ufffdD\ufffd\ufffdA4\ufffd}O\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014z\u00104\ufffd\ufffd\u0014b\ufffdD\ufffd\ufffdA4\ufffd}O\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014z\u00104\ufffd\ufffd\u0014b\ufffdD\ufffd\ufffdA4\ufffd}O\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdz4\ufffd\ufffdb\ufffdD\ufffd\ufffdA4\ufffd}O\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.83
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������Q�;N�0��J�W�N������curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������Q�;N�0��J�W�N������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������Q�;N�0��J�W�N������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������Q�;N�0��J�W�N������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������Q�;N�0��J�W�N������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.776286753119628,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6deeac03602bfecf5877dde2724564d9",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdQ\u0000;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdQ\u0000;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdQ\u0000;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdQ\u0000;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdQ\u0000;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1feb92b4993740912859ac19c23f828c806918df",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdQ\u0000;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdQ\u0000;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdQ;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdQ\u0000;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdQ\u0000;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdQ;N\ufffd0\ufffd\ufffdJ\ufffdW\ufffdN\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.73
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ����������ȟl�Гu�j �����curve25519-sha256…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ����������ȟl�Гu�j �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-…
Payload
SSH-2.0-AsyncSSH_2.1.0 ����������ȟl�Гu�j �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
����������ȟl�Гu�j �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ����������ȟl�Гu�j �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.7779116652458296,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "371c9d3855b4c000d4a8bfd663850b4c",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0002\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0002\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0002\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0002\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0002\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c2bec2d6948c1467361ceb29ee236d4b33b1db41",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0002\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0002\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0002\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u0002\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\u021fl\ufffd\u0413u\ufffdj \ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8,
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������� +�5L���+�� �����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������� +�5L���+�� �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������� +�5L���+�� �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������� +�5L���+�� �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������� +�5L���+�� �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.779271408664597,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7485b523e53a9bc9648d80a3fb013562",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd +\u001e5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd +\u001e5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd +\u001e5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd +\u001e5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd +\u001e5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ea8a8edd7b3db3f2987ecc48b148bfb8f76373c4",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd +\u001e5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd +\u001e5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd +5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd +\u001e5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\ufffd +\u001e5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd +5L\ufffd\ufffd\ufffd+\ufffd\ufffd\t\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 13,
"ssh_auth_burst_rate": 0.87
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������Фڭ�B��ILMK+������curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������Фڭ�B��ILMK+������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������Фڭ�B��ILMK+������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������Фڭ�B��ILMK+������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������Фڭ�B��ILMK+������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.781434634479851,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f7b1804f4e92fd5b2fca48ec5e53dfee",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9488d6664ab9657e182d11d68aa7d2e2c532c981",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\u0424\u06ad\ufffdB\ufffd\ufffdILMK+\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 12,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������d�� ��%97��Z]����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������d�� ��%97��Z]����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������d�� ��%97��Z]����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������d��
��%97��Z]����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������d�� ��%97��Z]����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.774852775919381,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b7bfca1e7aad28e3c6b0a07dd4b4ca46",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7c4347684ca6ee54ca5b1fc5909f1b388ffa21d9",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdd\ufffd\ufffd\n\ufffd\ufffd%97\ufffd\ufffdZ]\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 1
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������T�b:;�0r��I��/�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������T�b:;�0r��I��/�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������T�b:;�0r��I��/�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������T�b:;�0r��I��/�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������T�b:;�0r��I��/�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.774906331590476,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "441daa6d45141e9c1cf654d401238c9f",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdT\ufffdb:;\ufffd0r\u001f\ufffdI\ufffd\ufffd\/\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdT\ufffdb:;\ufffd0r\u001f\ufffdI\ufffd\ufffd\/\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdT\ufffdb:;\ufffd0r\u001f\ufffdI\ufffd\ufffd\/\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdT\ufffdb:;\ufffd0r\u001f\ufffdI\ufffd\ufffd\/\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdT\ufffdb:;\ufffd0r\u001f\ufffdI\ufffd\ufffd\/\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9ea787a27a3023c85e7c7930b799a6d3e6df73dd",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdT\ufffdb:;\ufffd0r\u001f\ufffdI\ufffd\ufffd\/\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdT\ufffdb:;\ufffd0r\u001f\ufffdI\ufffd\ufffd\/\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdT\ufffdb:;\ufffd0r\ufffdI\ufffd\ufffd\/\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdT\ufffdb:;\ufffd0r\u001f\ufffdI\ufffd\ufffd\/\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdT\ufffdb:;\ufffd0r\u001f\ufffdI\ufffd\ufffd\/\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdT\ufffdb:;\ufffd0r\ufffdI\ufffd\ufffd\/\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.67
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������� &�g,��>{�#������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������� &�g,��>{�#������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������� &�g,��>{�#������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������&�g,��>{�#������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������� &�g,��>{�#������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.777240441189187,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b9647b30f1096f9fc91f1159160c63f0",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u000b&\ufffdg,\ufffd\u0018>{\ufffd#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u000b&\ufffdg,\ufffd\u0018>{\ufffd#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u000b&\ufffdg,\ufffd\u0018>{\ufffd#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u000b&\ufffdg,\ufffd\u0018>{\ufffd#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u000b&\ufffdg,\ufffd\u0018>{\ufffd#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dde64aade43704c2eec534d82af8f19c3cff2f68",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u000b&\ufffdg,\ufffd\u0018>{\ufffd#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u000b&\ufffdg,\ufffd\u0018>{\ufffd#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd&\ufffdg,\ufffd>{\ufffd#\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u000b&\ufffdg,\ufffd\u0018>{\ufffd#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffd\u000b&\ufffdg,\ufffd\u0018>{\ufffd#\ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd&\ufffdg,\ufffd>{\ufffd#\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.73
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������F���1��-��n+��\����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������F���1��-��n+��\����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������F���1��-��n+��\����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������F���1��-��n+��\����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������F���1��-��n+��\����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.769875207016991,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "bda2125bb0c362d01e2db2d2ce3984d2",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdF\u0014\u0014\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdF\u0014\u0014\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdF\u0014\u0014\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdF\u0014\u0014\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdF\u0014\u0014\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2a516f33bff71faf778e1b1dc219172d9d162f0d",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdF\u0014\u0014\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdF\u0014\u0014\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdF\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdF\u0014\u0014\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdF\u0014\u0014\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdF\ufffd1\ufffd\ufffd-\ufffd\ufffdn+\ufffd\ufffd\\\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 6,
"ssh_auth_burst_rate": 0.67
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������p������ʐfK� ������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������p������ʐfK� ������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������p������ʐfK� ������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������p������ʐfK� ������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������p������ʐfK� ������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.776267559601277,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d99a5d7f9a07797e2767df22ff3b1fbb",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\u0290fK\ufffd \ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\u0290fK\ufffd \ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\u0290fK\ufffd \ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\u0290fK\ufffd \ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\u0290fK\ufffd \ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "98fc58ce0939f876de2a277531cbd2fb1438e423",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\u0290fK\ufffd \ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\u0290fK\ufffd \ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u0290fK\ufffd \ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\u0290fK\ufffd \ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\u0290fK\ufffd \ufffd\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffd\ufffd\u0290fK\ufffd \ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 5,
"ssh_auth_burst_rate": 0.62
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������Sb�'���[�l�����m����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������Sb�'���[�l�����m����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������Sb�'���[�l�����m����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������Sb�'���[�l�����m����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������Sb�'���[�l�����m����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.770631185902174,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8b0423d66ae1b98bf9b02512b1770690",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Sb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\u0018\ufffd\ufffdm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Sb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\u0018\ufffd\ufffdm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Sb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\u0018\ufffd\ufffdm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Sb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\u0018\ufffd\ufffdm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Sb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\u0018\ufffd\ufffdm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c6bfcc785e4cdd467aea4fff61a488945e292737",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Sb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\u0018\ufffd\ufffdm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Sb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\u0018\ufffd\ufffdm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdSb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\ufffd\ufffdm\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Sb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\u0018\ufffd\ufffdm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014Sb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\u0018\ufffd\ufffdm\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdSb\ufffd'\ufffd\ufffd\ufffd[\ufffdl\ufffd\ufffd\ufffd\ufffdm\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 6,
"ssh_auth_burst_rate": 0.86
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������\J|r��U�v�="�p�����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������\J|r��U�v�="�p�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������\J|r��U�v�="�p�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������\J|r��U�v�="�p�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������\J|r��U�v�="�p�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.774485567522015,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8f73f18a043839c32319d6d2372e7a11",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\\J|r\u0019\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\\J|r\u0019\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\\J|r\u0019\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\\J|r\u0019\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\\J|r\u0019\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "36a2e61749ec4fea942fbcb1d1ac321e16263ea0",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\\J|r\u0019\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\\J|r\u0019\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\\J|r\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\\J|r\u0019\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\\J|r\u0019\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\\J|r\ufffdU\ufffdv\ufffd=\"\ufffdp\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 9,
"ssh_auth_burst_rate": 0.6
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������J�$ �� b��g��"0����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������J�$ �� b��g��"0����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������J�$ �� b��g��"0����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������J�$���
b��g��"0����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������J�$ �� b��g��"0����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.773682196620655,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "945dc76c45ae92c6444b4ad2ddcbe07c",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdJ\u0007$\u000b\u0019\ufffd\rb\u000e\ufffdg\ufffd\ufffd\"0\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdJ\u0007$\u000b\u0019\ufffd\rb\u000e\ufffdg\ufffd\ufffd\"0\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdJ\u0007$\u000b\u0019\ufffd\rb\u000e\ufffdg\ufffd\ufffd\"0\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdJ\u0007$\u000b\u0019\ufffd\rb\u000e\ufffdg\ufffd\ufffd\"0\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdJ\u0007$\u000b\u0019\ufffd\rb\u000e\ufffdg\ufffd\ufffd\"0\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f116c23b8b07e2bef2e654406f83e4deb3f3e86c",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdJ\u0007$\u000b\u0019\ufffd\rb\u000e\ufffdg\ufffd\ufffd\"0\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdJ\u0007$\u000b\u0019\ufffd\rb\u000e\ufffdg\ufffd\ufffd\"0\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdJ$\ufffd\rb\ufffdg\ufffd\ufffd\"0\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdJ\u0007$\u000b\u0019\ufffd\rb\u000e\ufffdg\ufffd\ufffd\"0\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdJ\u0007$\u000b\u0019\ufffd\rb\u000e\ufffdg\ufffd\ufffd\"0\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdJ$\ufffd\rb\ufffdg\ufffd\ufffd\"0\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 10,
"ssh_auth_burst_rate": 0.67
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������p+:7�f��b��ps �����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce_burst
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������p+:7�f��b��ps �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������p+:7�f��b��ps �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������p+:7�f��b��ps �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������p+:7�f��b��ps �����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.765828531358486,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "8b55d35021455ff2f1458b0d04ed69bb38e1a8a1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fba203acb808f08c7b9ad5041a875a11",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014p+:7\ufffdf\u0002\ufffdb\ufffd\ufffdps \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014p+:7\ufffdf\u0002\ufffdb\ufffd\ufffdps \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014p+:7\ufffdf\u0002\ufffdb\ufffd\ufffdps \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014p+:7\ufffdf\u0002\ufffdb\ufffd\ufffdps \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014p+:7\ufffdf\u0002\ufffdb\ufffd\ufffdps \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "47b48231156d4c793f769e3f68714986b27df058",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014p+:7\ufffdf\u0002\ufffdb\ufffd\ufffdps \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014p+:7\ufffdf\u0002\ufffdb\ufffd\ufffdps \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdp+:7\ufffdf\ufffdb\ufffd\ufffdps \ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014p+:7\ufffdf\u0002\ufffdb\ufffd\ufffdps \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014p+:7\ufffdf\u0002\ufffdb\ufffd\ufffdps \ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdp+:7\ufffdf\ufffdb\ufffd\ufffdps \ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce_burst",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 8,
"ssh_auth_burst_rate": 0.8
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Rafale auth
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������=�bm� \����|����curve25519-sha256…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_bruteforce
net_ssh_probe
redis_rdb_sync
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������=�bm� \����|����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������=�bm� \����|����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������=�bm� �\����|����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������=�bm� \����|����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 1422,
"payload_entropy": 4.897315843074972,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 7,
"anomaly_count": 0,
"campaign_key": "e6a9e8c6dd866ba027a24b6eaeae78f724f91aa1",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3cf1855a85a776a898054d8b11a44ec6",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffdbm\u1a8d\ufffd\t\f\\\ufffd\u0006\ufffd\ufffd|\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffdbm\u1a8d\ufffd\t\f\\\ufffd\u0006\ufffd\ufffd|\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffdbm\u1a8d\ufffd\t\f\\\ufffd\u0006\ufffd\ufffd|\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffdbm\u1a8d\ufffd\t\f\\\ufffd\u0006\ufffd\ufffd|\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffdbm\u1a8d\ufffd\t\f\\\ufffd\u0006\ufffd\ufffd|\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9b338a0d8eb25ddf150b5ed7342cfb4ca34f026f",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffdbm\u1a8d\ufffd\t\f\\\ufffd\u0006\ufffd\ufffd|\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffdbm\u1a8d\ufffd\t\f\\\ufffd\u0006\ufffd\ufffd|\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd=\ufffdbm\u1a8d\ufffd\t\\\ufffd\ufffd\ufffd|\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffdbm\u1a8d\ufffd\t\f\\\ufffd\u0006\ufffd\ufffd|\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014=\ufffdbm\u1a8d\ufffd\t\f\\\ufffd\u0006\ufffd\ufffd|\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd=\ufffdbm\u1a8d\ufffd\t\\\ufffd\ufffd\ufffd|\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_bruteforce",
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
],
"ssh_auth_burst": true,
"ssh_auth_burst_count": 6,
"ssh_auth_burst_rate": 0.86,
"behavior_alert_count": 1,
"behavior_priority": 96
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ��������N�0�W?�����賲����curve25519-sha25…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_ssh_probe
redis_rdb_sync
ssh_banner
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ��������N�0�W?�����賲����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2…
Payload
SSH-2.0-AsyncSSH_2.1.0 ��������N�0�W?�����賲����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
��������N�0�W?�����賲����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ��������N�0�W?�����賲����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.780865357512125,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b79541c18ca7fba693622e6daf5f513567e113dd",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "4a85521d7db90254d75bcd0af0a84446",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u0007\u8cf2\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u0007\u8cf2\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u0007\u8cf2\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u0007\u8cf2\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u0007\u8cf2\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "03057309eaa44096ceef6f213edce8919e1c9e5f",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u0007\u8cf2\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u0007\u8cf2\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u8cf2\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u0007\u8cf2\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u0007\u8cf2\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdN\ufffd0\ufffdW?\ufffd\ufffd\ufffd\ufffd\u8cf2\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ���������n:�f�l�d�`��P����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_ssh_probe
redis_rdb_sync
ssh_banner
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ���������n:�f�l�d�`��P����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ���������n:�f�l�d�`��P����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
���������n:�f�l�d�`��P����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ���������n:�f�l�d�`��P����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e337031205562756e74752d317562756e7475330d0a",
"emulator_response_len": 39,
"bytes_in": 2072,
"payload_entropy": 4.771132113170058,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b79541c18ca7fba693622e6daf5f513567e113dd",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c563c0a1899edad9b2957d4e9733e466",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001b\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001b\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001b\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001b\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001b\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "320a99f7ab62223444f5efcf3fecb8704372fef8",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001b\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001b\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001b\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u001b\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffdn:\ufffdf\ufffdl\ufffdd\ufffd`\ufffd\ufffdP\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������������������Ô8(����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_ssh_probe
redis_rdb_sync
ssh_banner
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������������������Ô8(����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������������������Ô8(����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������������������Ô8(����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������������������Ô8(����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f382e3470312044656269616e2d352b646562313175330d0a",
"emulator_response_len": 40,
"bytes_in": 2072,
"payload_entropy": 4.78089701757372,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b79541c18ca7fba693622e6daf5f513567e113dd",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "72740aaedf0521f2164aaadac8420608",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u000e\u001d\ufffd\ufffd\ufffd\u0003\u0010\ufffd\u0011\u0019\ufffd\u00d48(\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u000e\u001d\ufffd\ufffd\ufffd\u0003\u0010\ufffd\u0011\u0019\ufffd\u00d48(\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u000e\u001d\ufffd\ufffd\ufffd\u0003\u0010\ufffd\u0011\u0019\ufffd\u00d48(\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u000e\u001d\ufffd\ufffd\ufffd\u0003\u0010\ufffd\u0011\u0019\ufffd\u00d48(\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u000e\u001d\ufffd\ufffd\ufffd\u0003\u0010\ufffd\u0011\u0019\ufffd\u00d48(\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "af42f47c9b3411c979db0c15c064d7b11b72bb00",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u000e\u001d\ufffd\ufffd\ufffd\u0003\u0010\ufffd\u0011\u0019\ufffd\u00d48(\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u000e\u001d\ufffd\ufffd\ufffd\u0003\u0010\ufffd\u0011\u0019\ufffd\u00d48(\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00d48(\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u000e\u001d\ufffd\ufffd\ufffd\u0003\u0010\ufffd\u0011\u0019\ufffd\u00d48(\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffd\u000e\u001d\ufffd\ufffd\ufffd\u0003\u0010\ufffd\u0011\u0019\ufffd\u00d48(\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00d48(\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������I�I���۶Y�|�9�M����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_ssh_probe
redis_rdb_sync
ssh_banner
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������I�I���۶Y�|�9�M����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������I�I���۶Y�|�9�M����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������I�I���۶Y�|�9�M����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������I�I���۶Y�|�9�M����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.779964935407243,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b79541c18ca7fba693622e6daf5f513567e113dd",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a84a647cbe77adf891f014faa9f8dcff",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\u0005I\ufffd\u0003\ufffd\u06f6Y\ufffd|\u00199\u001eM\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\u0005I\ufffd\u0003\ufffd\u06f6Y\ufffd|\u00199\u001eM\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\u0005I\ufffd\u0003\ufffd\u06f6Y\ufffd|\u00199\u001eM\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\u0005I\ufffd\u0003\ufffd\u06f6Y\ufffd|\u00199\u001eM\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\u0005I\ufffd\u0003\ufffd\u06f6Y\ufffd|\u00199\u001eM\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "feb99ff240249aa44dc9e37b130856c1dc00a6b0",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\u0005I\ufffd\u0003\ufffd\u06f6Y\ufffd|\u00199\u001eM\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\u0005I\ufffd\u0003\ufffd\u06f6Y\ufffd|\u00199\u001eM\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdII\ufffd\ufffd\u06f6Y\ufffd|9M\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\u0005I\ufffd\u0003\ufffd\u06f6Y\ufffd|\u00199\u001eM\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdI\u0005I\ufffd\u0003\ufffd\u06f6Y\ufffd|\u00199\u001eM\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdII\ufffd\ufffd\u06f6Y\ufffd|9M\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 �������N���D�l��sݙ�������curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_ssh_probe
redis_rdb_sync
ssh_banner
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 �������N���D�l��sݙ�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 �������N���D�l��sݙ�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
�������N���D�l��sݙ�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 �������N���D�l��sݙ�������curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.775176263191712,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b79541c18ca7fba693622e6daf5f513567e113dd",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "a2e5a3a2c65fa79e25b6dd6737afdaf5",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffd\u001cs\u0759\ufffd\ufffd\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffd\u001cs\u0759\ufffd\ufffd\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffd\u001cs\u0759\ufffd\ufffd\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffd\u001cs\u0759\ufffd\ufffd\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffd\u001cs\u0759\ufffd\ufffd\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "acb0d4c5bcc5580913dde73f3470ce69943c51d3",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffd\u001cs\u0759\ufffd\ufffd\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffd\u001cs\u0759\ufffd\ufffd\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffds\u0759\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffd\u001cs\u0759\ufffd\ufffd\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffd\u001cs\u0759\ufffd\ufffd\u0019\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd\ufffdN\ufffd\ufffd\ufffdD\ufffdl\ufffds\u0759\ufffd\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������(��KG����,�4ʑ�5����curve25519-sha2…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_ssh_probe
redis_rdb_sync
ssh_banner
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������(��KG����,�4ʑ�5����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������(��KG����,�4ʑ�5����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������(��KG����,�4ʑ�5����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������(��KG����,�4ʑ�5����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f372e367031205562756e74752d347562756e7475302e370d0a",
"emulator_response_len": 41,
"bytes_in": 2072,
"payload_entropy": 4.771817134533119,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b79541c18ca7fba693622e6daf5f513567e113dd",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "20a9afc7b13bf31d6aa8ad79178158a9",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014(\u0019\ufffdKG\b\ufffd\ufffd\u0004,\ufffd4\u0291\ufffd5\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014(\u0019\ufffdKG\b\ufffd\ufffd\u0004,\ufffd4\u0291\ufffd5\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014(\u0019\ufffdKG\b\ufffd\ufffd\u0004,\ufffd4\u0291\ufffd5\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014(\u0019\ufffdKG\b\ufffd\ufffd\u0004,\ufffd4\u0291\ufffd5\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014(\u0019\ufffdKG\b\ufffd\ufffd\u0004,\ufffd4\u0291\ufffd5\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a2c3b0d1989e521376e36553a021bba4ce480eca",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014(\u0019\ufffdKG\b\ufffd\ufffd\u0004,\ufffd4\u0291\ufffd5\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014(\u0019\ufffdKG\b\ufffd\ufffd\u0004,\ufffd4\u0291\ufffd5\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd(\ufffdKG\ufffd\ufffd,\ufffd4\u0291\ufffd5\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014(\u0019\ufffdKG\b\ufffd\ufffd\u0004,\ufffd4\u0291\ufffd5\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014(\u0019\ufffdKG\b\ufffd\ufffd\u0004,\ufffd4\u0291\ufffd5\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffd(\ufffdKG\ufffd\ufffd,\ufffd4\u0291\ufffd5\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|
|
|
TCP |
22 · SSH
|
ssh
|
Sonde SSH
Sonde SSH · via SSH:22 · (sonde / probe)
|
Élevée
|
Moyen · 50
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1046
TA0007
TA0001
Protocole
SSH SSH-2.0-AsyncSSH_2.1.0 ������f��(_� u�����et�����curve25519-sha…
Émulateur
SSH
WAF
—
Recommandation
Investiguer
Tags
net_ssh_probe
redis_rdb_sync
ssh_banner
ssh_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
22
Chemin / cible
—
Service
SSH
Bannière SSH
SSH-2.0-AsyncSSH_2.1.0 ������f��(_� u�����et�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sh…
Payload
SSH-2.0-AsyncSSH_2.1.0 ������f��(_� u�����et�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Pourquoi cette classification : Bannière client SSH reçue · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Protocole émulé
1
Signaux
Client SSH libssh/paramiko (scanner)
pat-0391
Upstream
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
SSH-2.0 banner RFC4253
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
SSH-2.0-AsyncSSH_2.1.0
������f��(_��u�����et�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp
Requête brute (extrait)
SSH-2.0-AsyncSSH_2.1.0 ������f��(_� u�����et�����curve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "5353482d322e302d4f70656e5353485f392e3670312044656269616e2d310d0a",
"emulator_response_len": 32,
"bytes_in": 2072,
"payload_entropy": 4.766536993814248,
"port_category": "well_known",
"org": "Viettel Corporation",
"service": "ssh",
"app_proto": "ssh",
"asn": 24086,
"country": "VN",
"dst_port": 22,
"risk_waf": 8,
"risk_classification": 50,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 36,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25
},
"risk_score": 50,
"tag_count": 6,
"anomaly_count": 0,
"campaign_key": "b79541c18ca7fba693622e6daf5f513567e113dd",
"event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 137,
"precision_signals": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"kb_rule_ids": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"matched_patterns": [
"pat-0391",
"pat-0536"
],
"matched_pattern_names": [
"SSH-2.0 banner RFC4253",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0391",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"named_classification_skipped": false,
"service_name": "ssh",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "VN",
"asn": 24086,
"org": "Viettel Corporation",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6900a41181adb9566099bad98f874090",
"path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
},
"target_context": {
"dst_port": 22,
"service": "ssh",
"service_name": "ssh",
"risk_score": 50
},
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f\ufffd\ufffd(_\ufffd\fu\ufffd\ufffd\u0006\ufffd\ufffdet\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f\ufffd\ufffd(_\ufffd\fu\ufffd\ufffd\u0006\ufffd\ufffdet\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f\ufffd\ufffd(_\ufffd\fu\ufffd\ufffd\u0006\ufffd\ufffdet\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"evidence": {
"request_sample": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f\ufffd\ufffd(_\ufffd\fu\ufffd\ufffd\u0006\ufffd\ufffdet\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,ecdh-sha2-1.3.132.0.10,diffie-hellman-group-exchange-sha256,diffie-hellman-group-excha",
"payload_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f\ufffd\ufffd(_\ufffd\fu\ufffd\ufffd\u0006\ufffd\ufffdet\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1046",
"T1595"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f2044e692fbf1c649a695411735dd6fd133f696a",
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f\ufffd\ufffd(_\ufffd\fu\ufffd\ufffd\u0006\ufffd\ufffdet\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f\ufffd\ufffd(_\ufffd\fu\ufffd\ufffd\u0006\ufffd\ufffdet\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdf\ufffd\ufffd(_\ufffdu\ufffd\ufffd\ufffd\ufffdet\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SSH",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 50,
"behavior": 0,
"geo": 0,
"protocol": 36,
"novelty": 25,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": "ssh",
"service_label_fr": "SSH",
"dst_port": 22,
"protocol_emulated": true,
"tags_summary": [
"INT-ssh-libssh-ua",
"pat-0391",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Client SSH libssh\/paramiko (scanner)",
"pat-0391",
"Upstream"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"ssh_banner": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f\ufffd\ufffd(_\ufffd\fu\ufffd\ufffd\u0006\ufffd\ufffdet\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"payload_preview": "SSH-2.0-AsyncSSH_2.1.0\r\n\u0000\u0000\b\ufffd\u0006\u0014f\ufffd\ufffd(_\ufffd\fu\ufffd\ufffd\u0006\ufffd\ufffdet\ufffd\u0000\u0000\u0001\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"port": 22,
"service": "ssh",
"service_label_fr": "SSH"
},
"attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SSH-2.0-AsyncSSH_2.1.0\r\n\ufffdf\ufffd\ufffd(_\ufffdu\ufffd\ufffd\ufffd\ufffdet\ufffd\ufffdcurve25519-sha256,curve25519-sha256@libssh.org,curve448-sha512,ecdh-sha2-nistp",
"target_port_label": "22 \u00b7 SSH",
"emulator_service": "ssh",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ssh",
"service_banner": "OpenSSH_8.9p1 Ubuntu",
"service_os": "linux",
"dst_port": "22"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"tags_list": [
"net_ssh_probe",
"redis_rdb_sync",
"ssh_banner",
"ssh_emulated",
"ssh_kex_probe",
"ssh_libssh"
]
}
|