{"ip":"118.194.251.75","exported_at":"2026-06-20T09:54:47+00:00","period_days":30,"metrics":{"events7d":93,"distinct_ports":6,"distinct_classifications":30,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":6,"max_risk_score":87,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["unknown"],"recommended_action":"monitor","confidence":0.5,"risk_breakdown":{"waf":8,"classification":0,"behavior":0,"geo":0,"protocol":22,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"TA0007","top_mitre_technique":"TA0007","top_mitre_count":94,"executive_one_liner_fr":"Activit\u00e9 suspecte","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":0,"behavior":0,"geo":0,"protocol":22,"novelty":0,"risk_score":5},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":50,"confidence_hint_fr":"Confiance mod\u00e9r\u00e9e \u2014 signal unique","sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0554"],"tags_summary":["pat-0554"],"attack_vector":"gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000","port":70,"service":"gopher","service_label_fr":"GOPHER"},"protocol_summary_fr":"Payload CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost:: \u00b7 GOPHER:70","evidence_snippet":"CNXN2\ufffd\ufffd\ufffd\ufffdhost::","target_port_label":"70 \u00b7 GOPHER","emulator_service":"gopher","confidence_reason":"Confiance 50 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%","classification_reason_label_fr":"Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%","confidence_factors_fr":"Confiance 50 % \u2014 Score WAF 8","payload_preview":"CNXN2\ufffd\ufffd\ufffd\ufffdhost::"},"events":[{"id":9718436,"ip":"118.194.251.75","ts":"2026-06-20 04:42:06.000000","proto":"tcp","src_port":29578,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 31, \u0022payload_entropy\u0022: 3.3729205036561045, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222ab0510cc4156c41c24112bc2a720db2\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022request_sample\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022payload_snippet\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022payload_snippet\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022189efda2a4223b245f6c057add7ea90ba1430271\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022CNXN2\ufffd\ufffd\ufffd\ufffdhost::\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022CNXN2\ufffd\ufffd\ufffd\ufffdhost::\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":31},{"id":9718432,"ip":"118.194.251.75","ts":"2026-06-20 04:42:03.000000","proto":"tcp","src_port":28922,"dst_port":70,"service":"gopher","classification":"mqtt_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 18, \u0022payload_entropy\u0022: 3.4193819456463714, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224aef1e73c412613f5a204b9247117398bb69b31a\u0022, \u0022event_fingerprint\u0022: \u0022c72ac8af17827088fd23537e0debb16d7ccf7905\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 135, \u0022precision_signals\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0373\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MQTT protocol\u0022, \u0022UA nmap\u0022, \u0022Sigma nmap UA\u0022, \u0022MQTT alt CONNECT\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0373\u0022, \u0022pat-0448\u0022, \u0022pat-0543\u0022, \u0022pat-0615\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad60b419f2f0103bea99389955f5bdf8\u0022, \u0022path_pattern_hash\u0022: \u00224449b927317468afa12a2f935a413459\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0010\\u0010\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\\u001e\\u0000\\u0004nmap\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0010\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\\u001e\\u0000\\u0004nmap\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0010\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\\u001e\\u0000\\u0004nmap\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0010\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\\u001e\\u0000\\u0004nmap\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0010\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\\u001e\\u0000\\u0004nmap\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225cc85a16d9fb1e03755c18ea2f36cef76d265790\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0010\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\\u001e\\u0000\\u0004nmap\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022MQTTnmap\u0022, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via GOPHER\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0373\u0022, \u0022pat-0615\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0010\\u0000\\u0004MQTT\\u0004\\u0002\\u0000\\u001e\\u0000\\u0004nmap\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022mqtt probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022MQTTnmap\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022mqtt_connect\u0022, \u0022net_mqtt_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mqtt_connect\u0022, \u0022net_mqtt_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":18},{"id":9718426,"ip":"118.194.251.75","ts":"2026-06-20 04:42:00.000000","proto":"tcp","src_port":28484,"dst_port":70,"service":"gopher","classification":"websphere_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 48, \u0022payload_entropy\u0022: 2.5723387961875535, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0605\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0605\u0022], \u0022matched_patterns\u0022: [\u0022pat-0605\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022GIOP WebSphere IIOP\u0022, \u0022Mumble ping\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0605\u0022, \u0022pat-0768\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a2295e3d24182f08220a2dae2c40ff1c\u0022, \u0022path_pattern_hash\u0022: \u0022a8ef247ba3612b90c1c670387b185e85\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022, \u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ce0fb77f846793cf380ca001c2f67a7a1110aa23\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022GIOP$abcdefget\u0022, \u0022attack_vector\u0022: \u0022websphere probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0605\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0605\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GIOP\\u0001\\u0000\\u0001\\u0000$\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u0000abcdef\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000get\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022websphere probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GIOP$abcdefget\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":48},{"id":9718422,"ip":"118.194.251.75","ts":"2026-06-20 04:41:57.000000","proto":"tcp","src_port":28048,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 2, \u0022payload_entropy\u0022: 1.0, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224b24f4cca7e61459da3fb7bee3042b66\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022\ufffd\\u0001\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fada0127fc243aaa185450cfbf33541baa3c35f6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":2},{"id":9718420,"ip":"118.194.251.75","ts":"2026-06-20 04:41:54.000000","proto":"tcp","src_port":27576,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.128085278891395, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0411\u0022], \u0022matched_pattern_names\u0022: [\u0022Redis INFO\u0022], \u0022pattern_ids\u0022: [\u0022pat-0411\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224f9ff4b8ec8624803229b3cea88426af\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\ninfo\\r\\n\u0022, \u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\ninfo\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\ninfo\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\ninfo\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\ninfo\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f795454cbd4fc2de9991263c41661085b0a070d9\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\ninfo\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\ninfo\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\ninfo\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\ninfo\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":14},{"id":9718419,"ip":"118.194.251.75","ts":"2026-06-20 04:41:51.000000","proto":"tcp","src_port":27054,"dst_port":70,"service":"gopher","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 65, \u0022payload_entropy\u0022: 3.3778795428324466, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bf7469d78bb1798d5188209f4494c1a3\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022A\\u0000\\u0000\\u0000:0\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000test.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u001b\\u0000\\u0000\\u0000\\u0001serverStatus\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022request_sample\u0022: \u0022A\\u0000\\u0000\\u0000:0\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000test.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u001b\\u0000\\u0000\\u0000\\u0001serverStatus\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022payload_snippet\u0022: \u0022A\\u0000\\u0000\\u0000:0\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000test.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u001b\\u0000\\u0000\\u0000\\u0001serverStatus\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022A\\u0000\\u0000\\u0000:0\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000test.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u001b\\u0000\\u0000\\u0000\\u0001serverStatus\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022payload_snippet\u0022: \u0022A\\u0000\\u0000\\u0000:0\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000test.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u001b\\u0000\\u0000\\u0000\\u0001serverStatus\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022766196cba12628910ac4501ad4e9d7f1b0d10610\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022A\\u0000\\u0000\\u0000:0\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000test.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u001b\\u0000\\u0000\\u0000\\u0001serverStatus\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022A:0\ufffd\ufffd\ufffd\ufffd\ufffdtest.$cmd\ufffd\ufffd\ufffd\ufffdserverStatus\ufffd?\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022A\\u0000\\u0000\\u0000:0\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0007\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000test.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\\u001b\\u0000\\u0000\\u0000\\u0001serverStatus\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd?\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022A:0\ufffd\ufffd\ufffd\ufffd\ufffdtest.$cmd\ufffd\ufffd\ufffd\ufffdserverStatus\ufffd?\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":65},{"id":9718416,"ip":"118.194.251.75","ts":"2026-06-20 04:41:48.000000","proto":"tcp","src_port":26690,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 18, \u0022payload_entropy\u0022: 1.2086489509530647, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0532\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022817773a4a3987fc7642ff30928d792fc\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b001815eea3d201c57bf54eb23ef50df004f0821\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0532\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0532\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000\\u0000\\u0000\\u000f\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":18},{"id":9718414,"ip":"118.194.251.75","ts":"2026-06-20 04:41:45.000000","proto":"tcp","src_port":26158,"dst_port":70,"service":"gopher","classification":"port_70_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 450, \u0022payload_entropy\u0022: 1.82286057779224, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 41, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022adfc3607250269605d5fb4d4c90c59499431b394\u0022, \u0022event_fingerprint\u0022: \u002269087a4e633af34b8e25cf18b3b8ff5c1a3b052f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_70_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0577\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022RADIUS Access-Request\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0577\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 41}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022eceedace3cdd6b7c3a4b6f3b21c20f1b\u0022, \u0022path_pattern_hash\u0022: \u0022f45b79e4d5c744e21dd185c497b2c5d2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 41}, \u0022payload_snippet\u0022: \u0022\\u0001\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\ufffd\\u0001\\u0000\\u0000SQLDB2RA\\u0000\\u0001\\u0000\\u0000\\u0004\\u0001\\u0001\\u0000\\u0005\\u0000\\u001d\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\b\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000@\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0001\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\ufffd\\u0001\\u0000\\u0000SQLDB2RA\\u0000\\u0001\\u0000\\u0000\\u0004\\u0001\\u0001\\u0000\\u0005\\u0000\\u001d\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\b\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000@\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\b\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0010\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\u0010\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\\u0001\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\ufffd\\u0001\\u0000\\u0000SQLDB2RA\\u0000\\u0001\\u0000\\u0000\\u0004\\u0001\\u0001\\u0000\\u0005\\u0000\\u001d\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\b\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000@\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_70_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fee2a6a1bcbf0bef11b1db58ead2c2c2b78a6298\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\ufffd\\u0001\\u0000\\u0000SQLDB2RA\\u0000\\u0001\\u0000\\u0000\\u0004\\u0001\\u0001\\u0000\\u0005\\u0000\\u001d\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\b\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000@\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdSQLDB2RA\ufffd\ufffd\\t@\\t@@@@@@@\u0022, \u0022attack_vector\u0022: \u0022port 70 tcp \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_70_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_70_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 41\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 41}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 41, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\ufffd\\u0001\\u0000\\u0000SQLDB2RA\\u0000\\u0001\\u0000\\u0000\\u0004\\u0001\\u0001\\u0000\\u0005\\u0000\\u001d\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\t\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\b\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000@\\u0000\\u0000\\u0000@\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000@\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022port 70 tcp \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdSQLDB2RA\ufffd\ufffd\\t@\\t@@@@@@@\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022meta_truncated\u0022: true, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022db2_probe\u0022, \u0022net_db2_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022db2_probe\u0022, \u0022net_db2_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":450},{"id":9718412,"ip":"118.194.251.75","ts":"2026-06-20 04:41:42.000000","proto":"tcp","src_port":25746,"dst_port":70,"service":"gopher","classification":"memcached_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 7, \u0022payload_entropy\u0022: 2.2359263506290326, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 164, \u0022precision_signals\u0022: [\u0022pat-0374\u0022, \u0022pat-0533\u0022, \u0022pat-0865\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0374\u0022, \u0022pat-0533\u0022, \u0022pat-0865\u0022], \u0022matched_patterns\u0022: [\u0022pat-0374\u0022, \u0022pat-0533\u0022, \u0022pat-0865\u0022], \u0022matched_pattern_names\u0022: [\u0022Memcached stats\u0022, \u0022Memcached stats\u0022, \u0022ET Memcached UDP\u0022], \u0022pattern_ids\u0022: [\u0022pat-0374\u0022, \u0022pat-0533\u0022, \u0022pat-0865\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002211e629574907d3a9ced402e26f4a98df\u0022, \u0022path_pattern_hash\u0022: \u0022549d36783f9e3c43618e715d78a40b3b\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022stats\\r\\n\u0022, \u0022request_sample\u0022: \u0022stats\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022stats\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022stats\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022stats\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ed7003dfa2c5dc6efd632bda55f90b7ebba5fdd\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022stats\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022stats\u0022, \u0022attack_vector\u0022: \u0022memcached probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via GOPHER\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0374\u0022, \u0022pat-0533\u0022, \u0022pat-0865\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0374\u0022, \u0022pat-0533\u0022, \u0022pat-0865\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022stats\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022memcached probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022stats\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":7},{"id":9718408,"ip":"118.194.251.75","ts":"2026-06-20 04:41:39.000000","proto":"tcp","src_port":25288,"dst_port":70,"service":"gopher","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 52, \u0022payload_entropy\u0022: 3.604409845438833, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d5f2b87dd037e1bb1c1f8b9f3a815f8eb575594\u0022, \u0022event_fingerprint\u0022: \u0022411efea85805d4ba674cf50bff68f395707c3e5f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 83, \u0022precision_signals\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0519\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002223edc99bdfe5fe902f5ff28aa98ef130\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022643923c77faa43e13f70b32d5f4af3a04c2fe9b1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u00224(\ufffdUMSSQLServerH\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0519\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0519\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0001\\u00004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0015\\u0000\\u0006\\u0001\\u0000\\u001b\\u0000\\u0001\\u0002\\u0000\\u001c\\u0000\\f\\u0003\\u0000(\\u0000\\u0004\ufffd\\b\\u0000\\u0001U\\u0000\\u0000\\u0000MSSQLServer\\u0000H\\u000f\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00224(\ufffdUMSSQLServerH\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":5,"bytes_in":52},{"id":9718403,"ip":"118.194.251.75","ts":"2026-06-20 04:41:36.000000","proto":"tcp","src_port":24660,"dst_port":70,"service":"gopher","classification":"proxy_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 13, \u0022payload_entropy\u0022: 2.7773627950641693, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228c17eaa3f7e8077de925aaf6996a2139c65509d0\u0022, \u0022event_fingerprint\u0022: \u002202d5dcbfc1f262e02eb390fd5b263c0deae087fe\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222167ce4c1a0201b2283cc57c40a74bac\u0022, \u0022path_pattern_hash\u0022: \u0022b6d4fb956dc4d23d1c2c3eccd7f8e7e3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000\\u0016\\u0000\\u0000\\u0001root\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000\\u0016\\u0000\\u0000\\u0001root\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000\\u0016\\u0000\\u0000\\u0001root\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0001\\u0000\\u0016\\u0000\\u0000\\u0001root\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0001\\u0000\\u0016\\u0000\\u0000\\u0001root\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226a1eddd6ca4cac1fdbc5bef63861279f555fd373\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000\\u0016\\u0000\\u0000\\u0001root\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022root\u0022, \u0022attack_vector\u0022: \u0022proxy probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab proxy_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0001\\u0000\\u0016\\u0000\\u0000\\u0001root\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022proxy probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022root\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_proxy_probe\u0022, \u0022socks4_greeting\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_proxy_probe\u0022, \u0022socks4_greeting\u0022]","anomalies":"[]","severity":4,"bytes_in":13},{"id":9718397,"ip":"118.194.251.75","ts":"2026-06-20 04:41:31.000000","proto":"tcp","src_port":24242,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 41, \u0022payload_entropy\u0022: 4.503416638553355, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0567\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d345b721f5d98a2b04db9dadef49f152\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0005\\u0004\\u0000\\u0001\\u0002\ufffd\\u0005\\u0001\\u0000\\u0003\\ngoogle.com\\u0000PGET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022\\u0005\\u0004\\u0000\\u0001\\u0002\ufffd\\u0005\\u0001\\u0000\\u0003\\ngoogle.com\\u0000PGET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0004\\u0000\\u0001\\u0002\ufffd\\u0005\\u0001\\u0000\\u0003\\ngoogle.com\\u0000PGET \/ HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0005\\u0004\\u0000\\u0001\\u0002\ufffd\\u0005\\u0001\\u0000\\u0003\\ngoogle.com\\u0000PGET \/ HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0005\\u0004\\u0000\\u0001\\u0002\ufffd\\u0005\\u0001\\u0000\\u0003\\ngoogle.com\\u0000PGET \/ HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bbae72f7c66cd33cbe2f28be43c91fa171613bf6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0004\\u0000\\u0001\\u0002\ufffd\\u0005\\u0001\\u0000\\u0003\\ngoogle.com\\u0000PGET \/ HTTP\/1.0\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\\ngoogle.comPGET \/ HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0567\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0567\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0005\\u0004\\u0000\\u0001\\u0002\ufffd\\u0005\\u0001\\u0000\\u0003\\ngoogle.com\\u0000PGET \/ HTTP\/1.0\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\\ngoogle.comPGET \/ HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":41},{"id":9718392,"ip":"118.194.251.75","ts":"2026-06-20 04:41:28.000000","proto":"tcp","src_port":23656,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 90, \u0022payload_entropy\u0022: 3.5636982611044665, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ee3f9a4a2b04c32e4d515a179936da49\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u00004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022request_sample\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u00004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u00004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u00004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022payload_snippet\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u00004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f23900fdb2436418abe68d6e5a35ba0e69e69e1a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u00004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022Z6,\ufffd :4\ufffd(CONNECT_DATA=(COMMAND=version))\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000Z\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u00016\\u0001,\\u0000\\u0000\\b\\u0000\ufffd\\b\\u0000\\u0000\\u0000\\u0001\\u0000 \\u0000:\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u00004\ufffd\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000(CONNECT_DATA=(COMMAND=version))\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022Z6,\ufffd :4\ufffd(CONNECT_DATA=(COMMAND=version))\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":90},{"id":9718387,"ip":"118.194.251.75","ts":"2026-06-20 04:41:25.000000","proto":"tcp","src_port":23172,"dst_port":70,"service":"gopher","classification":"kafka_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 175, \u0022payload_entropy\u0022: 3.1019691748828695, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0556\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0556\u0022], \u0022matched_patterns\u0022: [\u0022pat-0556\u0022, \u0022pat-0577\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022, \u0022pat-0623\u0022], \u0022matched_pattern_names\u0022: [\u0022Kafka ApiVersions key\u0022, \u0022RADIUS Access-Request\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022, \u0022WireGuard handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0556\u0022, \u0022pat-0577\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022, \u0022pat-0623\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f884620dcffbd325c528857bf10be8ac\u0022, \u0022path_pattern_hash\u0022: \u0022369bfdf011acc5969bcb68a7ffd2ca13\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 32}, \u0022payload_snippet\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u00000\\u0000.\\u00000\\u0000.\\u00002\\u00009\\u00008\\u00000\\u0000;\\u0000 \\u0000{\\u00000\\u00000\\u00000\\u00000\\u0000A\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u00000\\u0000a\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u00000\\u0000.\\u00000\\u0000.\\u00002\\u00009\\u00008\\u00000\\u0000;\\u0000 \\u0000{\\u00000\\u00000\\u00000\\u00000\\u0000A\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u00000\\u0000a\\u00000\\u0000-\\u0000A\\u0000A\\u00000\\u0000A\\u0000-\\u00000\\u00000\\u00000\\u00000\\u0000A\\u00000\\u0000A\\u0000A\\u00000\\u0000A\\u0000A\\u00000\\u0000}\\u0000\\u0000\\u0000\ufffdm\ufffd_\u0022, \u0022payload_snippet\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u00000\\u0000.\\u00000\\u0000.\\u00002\\u00009\\u00008\\u00000\\u0000;\\u0000 \\u0000{\\u00000\\u00000\\u00000\\u00000\\u0000A\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u00000\\u0000a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222d57ae05e5844be0624824edd92ca40a109da70a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u00000\\u0000.\\u00000\\u0000.\\u00002\\u00009\\u00008\\u00000\\u0000;\\u0000 \\u0000{\\u00000\\u00000\\u00000\\u00000\\u0000A\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u00000\\u0000a\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffdMMS\ufffd\ufffd\ufffd\ufffdNSPlayer\/9.0.0.2980; {0000AA00-0A00-00a\u0022, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0556\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0556\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001\\u0000\\u0000\ufffd\ufffd\ufffd\\u000b\ufffd\ufffd\\u0000\\u0000\\u0000MMS\\u0014\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0012\\u0000\\u0000\\u0000\\u0001\\u0000\\u0003\\u0000\ufffd\ufffd\ufffd\ufffd\\u000b\\u0000\\u0004\\u0000\\u001c\\u0000\\u0003\\u0000N\\u0000S\\u0000P\\u0000l\\u0000a\\u0000y\\u0000e\\u0000r\\u0000\/\\u00009\\u0000.\\u00000\\u0000.\\u00000\\u0000.\\u00002\\u00009\\u00008\\u00000\\u0000;\\u0000 \\u0000{\\u00000\\u00000\\u00000\\u00000\\u0000A\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u0000A\\u00000\\u00000\\u0000-\\u00000\\u00000\\u0000a\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022kafka probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\ufffdMMS\ufffd\ufffd\ufffd\ufffdNSPlayer\/9.0.0.2980; {0000AA00-0A00-00a\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":175},{"id":9718386,"ip":"118.194.251.75","ts":"2026-06-20 04:41:22.000000","proto":"tcp","src_port":22656,"dst_port":70,"service":"gopher","classification":"java_rmi_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 7, \u0022payload_entropy\u0022: 2.807354922057604, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0604\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0604\u0022], \u0022matched_patterns\u0022: [\u0022pat-0604\u0022], \u0022matched_pattern_names\u0022: [\u0022Java RMI JRMI\u0022], \u0022pattern_ids\u0022: [\u0022pat-0604\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8c49a0f759e2102fb8fa8368049d06a\u0022, \u0022path_pattern_hash\u0022: \u00227a566ca86213ccd15a91c0b5a885a24f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223e791ebfba47333dc163fe13189b9ecad05ff462\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0604\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0604\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":7},{"id":9718383,"ip":"118.194.251.75","ts":"2026-06-20 04:41:19.000000","proto":"tcp","src_port":22176,"dst_port":70,"service":"gopher","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 60, \u0022payload_entropy\u0022: 1.3389205950315934, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 33, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00228c7c0c971beea4be6c3d9327b21142a0f971d1f3\u0022, \u0022event_fingerprint\u0022: \u0022f6480b8149f268a352140771c86178257bab4342\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%\u0022, \u0022confidence\u0022: 0.8, \u0022classification_confidence\u0022: 0.8, \u0022precision_score\u0022: 90, \u0022precision_signals\u0022: [\u0022ET-PROTO-MongoDB-Wire\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022ET-PROTO-MongoDB-Wire\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 80.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f60433e5ca098d6d06ab4b829e9f35c4\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 33}, \u0022payload_preview\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e6c254cf4f4b1cc79a62ece601222843e83bf60e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022:\/@=\/@\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 33\/100\u0022, \u0022confidence_pct\u0022: 80, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 33, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022ET-PROTO-MongoDB-Wire\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022ET-PROTO-MongoDB-Wire\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022:\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0002\\u0000\\u0000@\\u0002\\u000f\\u0000\\u0001\\u0000=\\u0005\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\/\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022:\/@=\/@\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 80 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 80 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_wire_protocol\u0022, \u0022net_mongodb_wire_protocol\u0022, \u0022rdp_cookie_alt\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_wire_protocol\u0022, \u0022net_mongodb_wire_protocol\u0022, \u0022rdp_cookie_alt\u0022]","anomalies":"[]","severity":6,"bytes_in":60},{"id":9718382,"ip":"118.194.251.75","ts":"2026-06-20 04:41:16.000000","proto":"tcp","src_port":21720,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 23, \u0022payload_entropy\u0022: 2.6081816167087406, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022947f08e762562490af13d3254ff011a6\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022request_sample\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022payload_snippet\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022payload_snippet\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022faa7f2a5d8449e1938dd2ab16f70a7c57b51084a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022DmdT\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022DmdT\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0011\\u0011\\u0000\ufffd\\u0001\ufffd\\u0013\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022DmdT\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":23},{"id":9718378,"ip":"118.194.251.75","ts":"2026-06-20 04:41:13.000000","proto":"tcp","src_port":21158,"dst_port":70,"service":"gopher","classification":"port_70_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 22, \u0022payload_entropy\u0022: 3.133919825058653, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_70_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0376\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022S7 TPKT packet\u0022, \u0022ET H.323 setup\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0376\u0022, \u0022pat-0868\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022097791b86f9950e021480f7ef5b4d939\u0022, \u0022path_pattern_hash\u0022: \u0022f45b79e4d5c744e21dd185c497b2c5d2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0016\\u0011\ufffd\\u0000\\u0000\\u0000\\u0014\\u0000\ufffd\\u0002\\u0001\\u0000\ufffd\\u0002\\u0001\\u0002\ufffd\\u0001\\n\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0016\\u0011\ufffd\\u0000\\u0000\\u0000\\u0014\\u0000\ufffd\\u0002\\u0001\\u0000\ufffd\\u0002\\u0001\\u0002\ufffd\\u0001\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0016\\u0011\ufffd\\u0000\\u0000\\u0000\\u0014\\u0000\ufffd\\u0002\\u0001\\u0000\ufffd\\u0002\\u0001\\u0002\ufffd\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0016\\u0011\ufffd\\u0000\\u0000\\u0000\\u0014\\u0000\ufffd\\u0002\\u0001\\u0000\ufffd\\u0002\\u0001\\u0002\ufffd\\u0001\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0016\\u0011\ufffd\\u0000\\u0000\\u0000\\u0014\\u0000\ufffd\\u0002\\u0001\\u0000\ufffd\\u0002\\u0001\\u0002\ufffd\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_70_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002224f8726d24b0913954d4aca0eae12cf6c3ba0eb0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0016\\u0011\ufffd\\u0000\\u0000\\u0000\\u0014\\u0000\ufffd\\u0002\\u0001\\u0000\ufffd\\u0002\\u0001\\u0002\ufffd\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022port 70 tcp \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_70_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_70_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0016\\u0011\ufffd\\u0000\\u0000\\u0000\\u0014\\u0000\ufffd\\u0002\\u0001\\u0000\ufffd\\u0002\\u0001\\u0002\ufffd\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022port 70 tcp \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":22},{"id":9718377,"ip":"118.194.251.75","ts":"2026-06-20 04:41:10.000000","proto":"tcp","src_port":20674,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 11, \u0022payload_entropy\u0022: 2.4040097573248604, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002295bb1798cbe14e09d8a7b5feb33c741f\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\ufffdt\\u0000\\u0000\\u0000\\u0005\\u0000+\\u000e\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffdt\\u0000\\u0000\\u0000\\u0005\\u0000+\\u000e\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffdt\\u0000\\u0000\\u0000\\u0005\\u0000+\\u000e\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffdt\\u0000\\u0000\\u0000\\u0005\\u0000+\\u000e\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffdt\\u0000\\u0000\\u0000\\u0005\\u0000+\\u000e\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a5c352b4d93064c51c49903adbef45e172e5db36\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffdt\\u0000\\u0000\\u0000\\u0005\\u0000+\\u000e\\u0001\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdt+\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffdt\\u0000\\u0000\\u0000\\u0005\\u0000+\\u000e\\u0001\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdt+\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":11},{"id":9718373,"ip":"118.194.251.75","ts":"2026-06-20 04:41:07.000000","proto":"tcp","src_port":20188,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 56, \u0022payload_entropy\u0022: 3.7279714939527033, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022fca620885715d4e346da0f82d84da595\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u00000.26.0\\u0007\\u0000\\u0000\\u00000.26.10202cb962ac59075b964b07152d234b70\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u00000.26.0\\u0007\\u0000\\u0000\\u00000.26.10202cb962ac59075b964b07152d234b70\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u00000.26.0\\u0007\\u0000\\u0000\\u00000.26.10202cb962ac59075b964b07152d234b70\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u00000.26.0\\u0007\\u0000\\u0000\\u00000.26.10202cb962ac59075b964b07152d234b70\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u00000.26.0\\u0007\\u0000\\u0000\\u00000.26.10202cb962ac59075b964b07152d234b70\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ce8ab3a84756d510ccf1090c1a05b8b71dda225e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u00000.26.0\\u0007\\u0000\\u0000\\u00000.26.10202cb962ac59075b964b07152d234b70\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u00220.26.00.26.10202cb962ac59075b964b07152d234b70\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0006\\u0000\\u0000\\u00000.26.0\\u0007\\u0000\\u0000\\u00000.26.10202cb962ac59075b964b07152d234b70\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220.26.00.26.10202cb962ac59075b964b07152d234b70\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":56},{"id":9718367,"ip":"118.194.251.75","ts":"2026-06-20 04:41:04.000000","proto":"tcp","src_port":19678,"dst_port":70,"service":"gopher","classification":"mongodb_version_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 49, \u0022payload_entropy\u0022: 4.193778152167447, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002221c2c28a865175fe7022e513b22f317172cbbe87\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_version_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022493a3d213b080175a70a3be3bdf3d870\u0022, \u0022path_pattern_hash\u0022: \u0022636701e8cc10cb6ce234b462a0e6c0ed\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000{\\\u0022Type\\\u0022:\\\u0022Auth\\\u0022,\\\u0022Payload\\\u0022:{\\\u0022Version\\\u0022:\\\u00222\\\u0022}}\u0022, \u0022request_sample\u0022: \u0022)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000{\\\u0022Type\\\u0022:\\\u0022Auth\\\u0022,\\\u0022Payload\\\u0022:{\\\u0022Version\\\u0022:\\\u00222\\\u0022}}\u0022, \u0022payload_snippet\u0022: \u0022)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000{\\\u0022Type\\\u0022:\\\u0022Auth\\\u0022,\\\u0022Payload\\\u0022:{\\\u0022Version\\\u0022:\\\u00222\\\u0022}}\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000{\\\u0022Type\\\u0022:\\\u0022Auth\\\u0022,\\\u0022Payload\\\u0022:{\\\u0022Version\\\u0022:\\\u00222\\\u0022}}\u0022, \u0022payload_snippet\u0022: \u0022)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000{\\\u0022Type\\\u0022:\\\u0022Auth\\\u0022,\\\u0022Payload\\\u0022:{\\\u0022Version\\\u0022:\\\u00222\\\u0022}}\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_version_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225309b79edfc6fbfd29bb39515ab2e8caa266c4b5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000{\\\u0022Type\\\u0022:\\\u0022Auth\\\u0022,\\\u0022Payload\\\u0022:{\\\u0022Version\\\u0022:\\\u00222\\\u0022}}\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022){\\\u0022Type\\\u0022:\\\u0022Auth\\\u0022,\\\u0022Payload\\\u0022:{\\\u0022Version\\\u0022:\\\u00222\\\u0022}}\u0022, \u0022attack_vector\u0022: \u0022mongodb version probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_version_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_version_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022)\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000{\\\u0022Type\\\u0022:\\\u0022Auth\\\u0022,\\\u0022Payload\\\u0022:{\\\u0022Version\\\u0022:\\\u00222\\\u0022}}\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022mongodb version probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022){\\\u0022Type\\\u0022:\\\u0022Auth\\\u0022,\\\u0022Payload\\\u0022:{\\\u0022Version\\\u0022:\\\u00222\\\u0022}}\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_version\u0022, \u0022mongodb_version_2\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_version\u0022, \u0022mongodb_version_2\u0022]","anomalies":"[]","severity":0,"bytes_in":49},{"id":9718364,"ip":"118.194.251.75","ts":"2026-06-20 04:41:01.000000","proto":"tcp","src_port":19170,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 0.8112781244591328, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002289fcddd8e965f8ff958358b927013df6\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022acce19e7c0acecba3089752424b1085f7f4ea42b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":12},{"id":9718361,"ip":"118.194.251.75","ts":"2026-06-20 04:40:58.000000","proto":"tcp","src_port":18254,"dst_port":70,"service":"gopher","classification":"opcua_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 59, \u0022payload_entropy\u0022: 3.860214023388077, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022confidence\u0022: 0.47, \u0022classification_confidence\u0022: 0.47, \u0022precision_score\u0022: 56, \u0022precision_signals\u0022: [\u0022pat-0626\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0626\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022, \u0022pat-0626\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022, \u0022OPC UA HEL\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022, \u0022pat-0626\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 47.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022405e43878bd2caed9a786695e348bf9d\u0022, \u0022path_pattern_hash\u0022: \u00229665a326f7d8f70f1661dab78807b951\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022HELF;\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000opc.tcp:\/\/85.214.126.3:4840\u0022, \u0022request_sample\u0022: \u0022HELF;\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000opc.tcp:\/\/85.214.126.3:4840\u0022, \u0022payload_snippet\u0022: \u0022HELF;\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000opc.tcp:\/\/85.214.126.3:4840\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022HELF;\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000opc.tcp:\/\/85.214.126.3:4840\u0022, \u0022payload_snippet\u0022: \u0022HELF;\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000opc.tcp:\/\/85.214.126.3:4840\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e07f71a243bd139ec1fc68c471b53f22ba9c0da4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HELF;\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000opc.tcp:\/\/85.214.126.3:4840\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022HELF;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdopc.tcp:\/\/85.214.126.3:4840\u0022, \u0022attack_vector\u0022: \u0022opcua probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 47, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0626\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0626\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022HELF;\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000opc.tcp:\/\/85.214.126.3:4840\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022opcua probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022HELF;\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdopc.tcp:\/\/85.214.126.3:4840\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 47 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 47 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":59},{"id":9718358,"ip":"118.194.251.75","ts":"2026-06-20 04:40:55.000000","proto":"tcp","src_port":17702,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 1.6216407621868583, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f49be22988ace8a28a7eea705f9e0c37\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0010\\u0000\\u0000\\u0000G\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0010\\u0000\\u0000\\u0000G\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0000\\u0000\\u0000G\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0010\\u0000\\u0000\\u0000G\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0010\\u0000\\u0000\\u0000G\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00223a9b42713db70964fe4f1c7047c8e1461202f131\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0000\\u0000\\u0000G\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\ufffd\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022G\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0010\\u0000\\u0000\\u0000G\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\ufffd\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022G\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":16},{"id":9718355,"ip":"118.194.251.75","ts":"2026-06-20 04:40:52.000000","proto":"tcp","src_port":17216,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 113, \u0022payload_entropy\u0022: 4.641748802606944, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002294179f64d7c7524a23b3cbf2af232c73\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000m\\u0000\\u0000\\u0000i{\\\u0022code\\\u0022:105,\\\u0022language\\\u0022:\\\u0022GO\\\u0022,\\\u0022version\\\u0022:317,\\\u0022opaque\\\u0022:2,\\\u0022flag\\\u0022:0,\\\u0022remark\\\u0022:\\\u0022\\\u0022,\\\u0022extFields\\\u0022:{\\\u0022topic\\\u0022:\\\u0022TBW102\\\u0022}}\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000m\\u0000\\u0000\\u0000i{\\\u0022code\\\u0022:105,\\\u0022language\\\u0022:\\\u0022GO\\\u0022,\\\u0022version\\\u0022:317,\\\u0022opaque\\\u0022:2,\\\u0022flag\\\u0022:0,\\\u0022remark\\\u0022:\\\u0022\\\u0022,\\\u0022extFields\\\u0022:{\\\u0022topic\\\u0022:\\\u0022TBW102\\\u0022}}\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000m\\u0000\\u0000\\u0000i{\\\u0022code\\\u0022:105,\\\u0022language\\\u0022:\\\u0022GO\\\u0022,\\\u0022version\\\u0022:317,\\\u0022opaque\\\u0022:2,\\\u0022flag\\\u0022:0,\\\u0022remark\\\u0022:\\\u0022\\\u0022,\\\u0022extFields\\\u0022:{\\\u0022topic\\\u0022:\\\u0022TBW102\\\u0022}}\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000m\\u0000\\u0000\\u0000i{\\\u0022code\\\u0022:105,\\\u0022language\\\u0022:\\\u0022GO\\\u0022,\\\u0022version\\\u0022:317,\\\u0022opaque\\\u0022:2,\\\u0022flag\\\u0022:0,\\\u0022remark\\\u0022:\\\u0022\\\u0022,\\\u0022extFields\\\u0022:{\\\u0022topic\\\u0022:\\\u0022TBW102\\\u0022}}\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000m\\u0000\\u0000\\u0000i{\\\u0022code\\\u0022:105,\\\u0022language\\\u0022:\\\u0022GO\\\u0022,\\\u0022version\\\u0022:317,\\\u0022opaque\\\u0022:2,\\\u0022flag\\\u0022:0,\\\u0022remark\\\u0022:\\\u0022\\\u0022,\\\u0022extFields\\\u0022:{\\\u0022topic\\\u0022:\\\u0022TBW102\\\u0022}}\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f566e7126306282c317fa144e342675f40d1c214\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000m\\u0000\\u0000\\u0000i{\\\u0022code\\\u0022:105,\\\u0022language\\\u0022:\\\u0022GO\\\u0022,\\\u0022version\\\u0022:317,\\\u0022opaque\\\u0022:2,\\\u0022flag\\\u0022:0,\\\u0022remark\\\u0022:\\\u0022\\\u0022,\\\u0022extFields\\\u0022:{\\\u0022topic\\\u0022:\\\u0022TBW102\\\u0022}}\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022mi{\\\u0022code\\\u0022:105,\\\u0022language\\\u0022:\\\u0022GO\\\u0022,\\\u0022version\\\u0022:317,\\\u0022opaque\\\u0022:2,\\\u0022flag\\\u0022:0,\\\u0022remark\\\u0022:\\\u0022\\\u0022,\\\u0022extFields\\\u0022:{\\\u0022topic\\\u0022:\\\u0022TBW102\\\u0022}}\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000m\\u0000\\u0000\\u0000i{\\\u0022code\\\u0022:105,\\\u0022language\\\u0022:\\\u0022GO\\\u0022,\\\u0022version\\\u0022:317,\\\u0022opaque\\\u0022:2,\\\u0022flag\\\u0022:0,\\\u0022remark\\\u0022:\\\u0022\\\u0022,\\\u0022extFields\\\u0022:{\\\u0022topic\\\u0022:\\\u0022TBW102\\\u0022}}\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022mi{\\\u0022code\\\u0022:105,\\\u0022language\\\u0022:\\\u0022GO\\\u0022,\\\u0022version\\\u0022:317,\\\u0022opaque\\\u0022:2,\\\u0022flag\\\u0022:0,\\\u0022remark\\\u0022:\\\u0022\\\u0022,\\\u0022extFields\\\u0022:{\\\u0022topic\\\u0022:\\\u0022TBW102\\\u0022}}\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":113},{"id":9718348,"ip":"118.194.251.75","ts":"2026-06-20 04:40:49.000000","proto":"tcp","src_port":16540,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 131, \u0022payload_entropy\u0022: 4.943692969509017, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227ac31581d9769a3294f2b8ec05c3e9e6\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u00222W\\u0000\\u0000\\u0000\\u00012C\\u0000\\u0000\\u0000wx^\\u0000j\\u0000\ufffd\ufffd2J\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000`{\\\u0022@timestamp\\\u0022:\\\u00222023-11-10T16:31:19.3549634+08:00\\\u0022,\\\u0022message\\\u0022:\\\u0022t\\\u0022,\\\u0022offset\\\u0022:1000,\\\u0022type\\\u0022:\\\u0022filebeat\\\u0022}\\u0003\\u00006\u0022, \u0022request_sample\u0022: \u00222W\\u0000\\u0000\\u0000\\u00012C\\u0000\\u0000\\u0000wx^\\u0000j\\u0000\ufffd\ufffd2J\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000`{\\\u0022@timestamp\\\u0022:\\\u00222023-11-10T16:31:19.3549634+08:00\\\u0022,\\\u0022message\\\u0022:\\\u0022t\\\u0022,\\\u0022offset\\\u0022:1000,\\\u0022type\\\u0022:\\\u0022filebeat\\\u0022}\\u0003\\u00006\ufffd\\u001b\u0022, \u0022payload_snippet\u0022: \u00222W\\u0000\\u0000\\u0000\\u00012C\\u0000\\u0000\\u0000wx^\\u0000j\\u0000\ufffd\ufffd2J\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000`{\\\u0022@timestamp\\\u0022:\\\u00222023-11-10T16:31:19.3549634+08:00\\\u0022,\\\u0022message\\\u0022:\\\u0022t\\\u0022,\\\u0022offset\\\u0022:1000,\\\u0022type\\\u0022:\\\u0022filebeat\\\u0022}\\u0003\\u00006\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00222W\\u0000\\u0000\\u0000\\u00012C\\u0000\\u0000\\u0000wx^\\u0000j\\u0000\ufffd\ufffd2J\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000`{\\\u0022@timestamp\\\u0022:\\\u00222023-11-10T16:31:19.3549634+08:00\\\u0022,\\\u0022message\\\u0022:\\\u0022t\\\u0022,\\\u0022offset\\\u0022:1000,\\\u0022type\\\u0022:\\\u0022filebeat\\\u0022}\\u0003\\u00006\ufffd\\u001b\u0022, \u0022payload_snippet\u0022: \u00222W\\u0000\\u0000\\u0000\\u00012C\\u0000\\u0000\\u0000wx^\\u0000j\\u0000\ufffd\ufffd2J\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000`{\\\u0022@timestamp\\\u0022:\\\u00222023-11-10T16:31:19.3549634+08:00\\\u0022,\\\u0022message\\\u0022:\\\u0022t\\\u0022,\\\u0022offset\\\u0022:1000,\\\u0022type\\\u0022:\\\u0022filebeat\\\u0022}\\u0003\\u00006\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225115e7e0151b4db9fe926a21afde832911e10b75\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00222W\\u0000\\u0000\\u0000\\u00012C\\u0000\\u0000\\u0000wx^\\u0000j\\u0000\ufffd\ufffd2J\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000`{\\\u0022@timestamp\\\u0022:\\\u00222023-11-10T16:31:19.3549634+08:00\\\u0022,\\\u0022message\\\u0022:\\\u0022t\\\u0022,\\\u0022offset\\\u0022:1000,\\\u0022type\\\u0022:\\\u0022filebeat\\\u0022}\\u0003\\u00006\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u00222W2Cwx^j\ufffd\ufffd2J`{\\\u0022@timestamp\\\u0022:\\\u00222023-11-10T16:31:19.3549634+08:00\\\u0022,\\\u0022message\\\u0022:\\\u0022t\\\u0022,\\\u0022offset\\\u0022:1000,\\\u0022type\\\u0022:\\\u0022filebeat\\\u0022}6\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00222W\\u0000\\u0000\\u0000\\u00012C\\u0000\\u0000\\u0000wx^\\u0000j\\u0000\ufffd\ufffd2J\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000`{\\\u0022@timestamp\\\u0022:\\\u00222023-11-10T16:31:19.3549634+08:00\\\u0022,\\\u0022message\\\u0022:\\\u0022t\\\u0022,\\\u0022offset\\\u0022:1000,\\\u0022type\\\u0022:\\\u0022filebeat\\\u0022}\\u0003\\u00006\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00222W2Cwx^j\ufffd\ufffd2J`{\\\u0022@timestamp\\\u0022:\\\u00222023-11-10T16:31:19.3549634+08:00\\\u0022,\\\u0022message\\\u0022:\\\u0022t\\\u0022,\\\u0022offset\\\u0022:1000,\\\u0022type\\\u0022:\\\u0022filebeat\\\u0022}6\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":131},{"id":9718342,"ip":"118.194.251.75","ts":"2026-06-20 04:40:46.000000","proto":"tcp","src_port":16068,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 29, \u0022payload_entropy\u0022: 4.064203408622266, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a28a90b32f6006a6cfa98505ba373419\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0019a\\n\\u00074.6.2.3\\u0010\\u0006\\\u0022\\t8798306680\\u0001\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0019a\\n\\u00074.6.2.3\\u0010\\u0006\\\u0022\\t8798306680\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0019a\\n\\u00074.6.2.3\\u0010\\u0006\\\u0022\\t8798306680\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0019a\\n\\u00074.6.2.3\\u0010\\u0006\\\u0022\\t8798306680\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0019a\\n\\u00074.6.2.3\\u0010\\u0006\\\u0022\\t8798306680\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022fd4702c8772130f821247990ee8a1c9c27f4fe04\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0019a\\n\\u00074.6.2.3\\u0010\\u0006\\\u0022\\t8798306680\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022a\\n4.6.2.3\\\u0022\\t8798306680\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0019a\\n\\u00074.6.2.3\\u0010\\u0006\\\u0022\\t8798306680\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022a\\n4.6.2.3\\\u0022\\t8798306680\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":29},{"id":9718341,"ip":"118.194.251.75","ts":"2026-06-20 04:40:43.000000","proto":"tcp","src_port":15516,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 93, \u0022payload_entropy\u0022: 4.682586603096229, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224d682adf59b1d9e41be709f5ccbc8084\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000]\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000I\\u0000\\u0000\\u0000223.75.123.71\\tIP\\tUSER\\tLOGON\\tQWRtaW4=\\tQWRtaW4=\\t\\t65536\\tUTF-8\\t805306367\\t1\\n\\n\\n\u0022, \u0022request_sample\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000]\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000I\\u0000\\u0000\\u0000223.75.123.71\\tIP\\tUSER\\tLOGON\\tQWRtaW4=\\tQWRtaW4=\\t\\t65536\\tUTF-8\\t805306367\\t1\\n\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000]\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000I\\u0000\\u0000\\u0000223.75.123.71\\tIP\\tUSER\\tLOGON\\tQWRtaW4=\\tQWRtaW4=\\t\\t65536\\tUTF-8\\t805306367\\t1\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000]\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000I\\u0000\\u0000\\u0000223.75.123.71\\tIP\\tUSER\\tLOGON\\tQWRtaW4=\\tQWRtaW4=\\t\\t65536\\tUTF-8\\t805306367\\t1\\n\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000]\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000I\\u0000\\u0000\\u0000223.75.123.71\\tIP\\tUSER\\tLOGON\\tQWRtaW4=\\tQWRtaW4=\\t\\t65536\\tUTF-8\\t805306367\\t1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c3cca34a22bd63292e6c8c43fd7e2b644ee047bf\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000]\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000I\\u0000\\u0000\\u0000223.75.123.71\\tIP\\tUSER\\tLOGON\\tQWRtaW4=\\tQWRtaW4=\\t\\t65536\\tUTF-8\\t805306367\\t1\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd]I223.75.123.71\\tIP\\tUSER\\tLOGON\\tQWRtaW4=\\tQWRtaW4=\\t\\t65536\\tUTF-8\\t805306367\\t1\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000]\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000I\\u0000\\u0000\\u0000223.75.123.71\\tIP\\tUSER\\tLOGON\\tQWRtaW4=\\tQWRtaW4=\\t\\t65536\\tUTF-8\\t805306367\\t1\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffd]I223.75.123.71\\tIP\\tUSER\\tLOGON\\tQWRtaW4=\\tQWRtaW4=\\t\\t65536\\tUTF-8\\t805306367\\t1\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":93},{"id":9718331,"ip":"118.194.251.75","ts":"2026-06-20 04:40:40.000000","proto":"tcp","src_port":15134,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 32, \u0022payload_entropy\u0022: 1.498778124459133, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002248d1c4bf25ef5b6ad32d76fb795398b9\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\ufffd\\u0005\\u0000`\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0005\\u0002\\u0000\\u0001\\u0000\\u0000\ufffd\ufffd\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0005\\u0000`\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0005\\u0002\\u0000\\u0001\\u0000\\u0000\ufffd\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0005\\u0000`\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0005\\u0002\\u0000\\u0001\\u0000\\u0000\ufffd\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0005\\u0000`\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0005\\u0002\\u0000\\u0001\\u0000\\u0000\ufffd\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0005\\u0000`\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0005\\u0002\\u0000\\u0001\\u0000\\u0000\ufffd\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002265193913ffcc8d2daebc79040bb9363127e1d0ee\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0005\\u0000`\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0005\\u0002\\u0000\\u0001\\u0000\\u0000\ufffd\ufffd\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd`\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0005\\u0000`\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0005\\u0002\\u0000\\u0001\\u0000\\u0000\ufffd\ufffd\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd`\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":32},{"id":9718326,"ip":"118.194.251.75","ts":"2026-06-20 04:40:37.000000","proto":"tcp","src_port":14708,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 13, \u0022payload_entropy\u0022: 3.3927474104487847, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b95100bea23f1bbc831cc0175ad22cfe\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022EXAMPLE.COM\\r\\n\u0022, \u0022request_sample\u0022: \u0022EXAMPLE.COM\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022EXAMPLE.COM\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022EXAMPLE.COM\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022EXAMPLE.COM\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ba188108d8e79982471f5ec80bde6a4b98d7cf70\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022EXAMPLE.COM\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022EXAMPLE.COM\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022EXAMPLE.COM\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022EXAMPLE.COM\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":13},{"id":9718323,"ip":"118.194.251.75","ts":"2026-06-20 04:40:34.000000","proto":"tcp","src_port":14232,"dst_port":70,"service":"gopher","classification":"xmrig_pattern","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 179, \u0022payload_entropy\u0022: 5.098770336543975, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 82.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 36, \u0022tag_count\u0022: 3, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002281048e5014717930c4da5022f787151ff74fdd51\u0022, \u0022event_fingerprint\u0022: \u00225b5b9ceb23f83a3c71e30434595afaa8964f29ed\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xmrig_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 36}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c500383ebccf2fc673ea77e9e47d6daf\u0022, \u0022path_pattern_hash\u0022: \u00228145f20c1f8c418bc873bfb04c479410\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 36}, \u0022payload_preview\u0022: \u0022{\\\u0022id\\\u0022:1,\\\u0022jsonrpc\\\u0022:\\\u00222.0\\\u0022,\\\u0022method\\\u0022:\\\u0022login\\\u0022,\\\u0022params\\\u0022:{\\\u0022login\\\u0022:\\\u0022YOUR_WALLET_ADDRESS\\\u0022,\\\u0022pass\\\u0022:\\\u0022x\\\u0022,\\\u0022agent\\\u0022:\\\u0022XMRig\/6.20.0-C3Pool\\\u0022,\\\u0022algo\\\u0022\u0022, \u0022request_sample\u0022: \u0022{\\\u0022id\\\u0022:1,\\\u0022jsonrpc\\\u0022:\\\u00222.0\\\u0022,\\\u0022method\\\u0022:\\\u0022login\\\u0022,\\\u0022params\\\u0022:{\\\u0022login\\\u0022:\\\u0022YOUR_WALLET_ADDRESS\\\u0022,\\\u0022pass\\\u0022:\\\u0022x\\\u0022,\\\u0022agent\\\u0022:\\\u0022XMRig\/6.20.0-C3Pool\\\u0022,\\\u0022algo\\\u0022:[\\\u0022cn\/1\\\u0022],\\\u0022algo-perf\\\u0022:{\\\u0022cn\/1\\\u0022:63.32038223248976}}}\\n\u0022, \u0022payload_snippet\u0022: \u0022{\\\u0022id\\\u0022:1,\\\u0022jsonrpc\\\u0022:\\\u00222.0\\\u0022,\\\u0022method\\\u0022:\\\u0022login\\\u0022,\\\u0022params\\\u0022:{\\\u0022login\\\u0022:\\\u0022YOUR_WALLET_ADDRESS\\\u0022,\\\u0022pass\\\u0022:\\\u0022x\\\u0022,\\\u0022agent\\\u0022:\\\u0022XMRig\/6.20.0-C3Pool\\\u0022,\\\u0022algo\\\u0022\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022{\\\u0022id\\\u0022:1,\\\u0022jsonrpc\\\u0022:\\\u00222.0\\\u0022,\\\u0022method\\\u0022:\\\u0022login\\\u0022,\\\u0022params\\\u0022:{\\\u0022login\\\u0022:\\\u0022YOUR_WALLET_ADDRESS\\\u0022,\\\u0022pass\\\u0022:\\\u0022x\\\u0022,\\\u0022agent\\\u0022:\\\u0022XMRig\/6.20.0-C3Pool\\\u0022,\\\u0022algo\\\u0022:[\\\u0022cn\/1\\\u0022],\\\u0022algo-perf\\\u0022:{\\\u0022cn\/1\\\u0022:63.32038223248976}}}\\n\u0022, \u0022payload_snippet\u0022: \u0022{\\\u0022id\\\u0022:1,\\\u0022jsonrpc\\\u0022:\\\u00222.0\\\u0022,\\\u0022method\\\u0022:\\\u0022login\\\u0022,\\\u0022params\\\u0022:{\\\u0022login\\\u0022:\\\u0022YOUR_WALLET_ADDRESS\\\u0022,\\\u0022pass\\\u0022:\\\u0022x\\\u0022,\\\u0022agent\\\u0022:\\\u0022XMRig\/6.20.0-C3Pool\\\u0022,\\\u0022algo\\\u0022\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xmrig_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022mitre_tactics\u0022: [\u0022TA0011\u0022], \u0022mitre\u0022: \u0022TA0011\u0022, \u0022threat_family\u0022: [\u0022cryptominer\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a3c89810642610776f1fd45b8e6a82f9558a8e68\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022{\\\u0022id\\\u0022:1,\\\u0022jsonrpc\\\u0022:\\\u00222.0\\\u0022,\\\u0022method\\\u0022:\\\u0022login\\\u0022,\\\u0022params\\\u0022:{\\\u0022login\\\u0022:\\\u0022YOUR_WALLET_ADDRESS\\\u0022,\\\u0022pass\\\u0022:\\\u0022x\\\u0022,\\\u0022agent\\\u0022:\\\u0022XMRig\/6.20.0-C3Pool\\\u0022,\\\u0022algo\\\u0022\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022{\\\u0022id\\\u0022:1,\\\u0022jsonrpc\\\u0022:\\\u00222.0\\\u0022,\\\u0022method\\\u0022:\\\u0022login\\\u0022,\\\u0022params\\\u0022:{\\\u0022login\\\u0022:\\\u0022YOUR_WALLET_ADDRESS\\\u0022,\\\u0022pass\\\u0022:\\\u0022x\\\u0022,\\\u0022agent\\\u0022:\\\u0022XMRig\/6.20.0-C3Pool\\\u0022,\\\u0022algo\\\u0022\u0022, \u0022attack_vector\u0022: \u0022xmrig pattern \u00b7 via GOPHER:70 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xmrig_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xmrig_pattern \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 36\/100 (Faible) \u2014 MITRE TA0011 \u2014 via GOPHER\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 82.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 36}, \u0022attack_stage\u0022: \u0022c2\u0022, \u0022attack_stage_label\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022risk_score\u0022: 36, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0011\u0022, \u0022mitre_technique\u0022: \u0022TA0011\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022{\\\u0022id\\\u0022:1,\\\u0022jsonrpc\\\u0022:\\\u00222.0\\\u0022,\\\u0022method\\\u0022:\\\u0022login\\\u0022,\\\u0022params\\\u0022:{\\\u0022login\\\u0022:\\\u0022YOUR_WALLET_ADDRESS\\\u0022,\\\u0022pass\\\u0022:\\\u0022x\\\u0022,\\\u0022agent\\\u0022:\\\u0022XMRig\/6.20.0-C3Pool\\\u0022,\\\u0022algo\\\u0022\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022xmrig pattern \u00b7 via GOPHER:70 \u00b7 (commande \u0026 contr\u00f4le)\u0022, \u0022evidence_snippet\u0022: \u0022{\\\u0022id\\\u0022:1,\\\u0022jsonrpc\\\u0022:\\\u00222.0\\\u0022,\\\u0022method\\\u0022:\\\u0022login\\\u0022,\\\u0022params\\\u0022:{\\\u0022login\\\u0022:\\\u0022YOUR_WALLET_ADDRESS\\\u0022,\\\u0022pass\\\u0022:\\\u0022x\\\u0022,\\\u0022agent\\\u0022:\\\u0022XMRig\/6.20.0-C3Pool\\\u0022,\\\u0022algo\\\u0022\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 3 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022command_and_control\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022command_and_control\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022cryptominer_probe\u0022, \u0022net_xmrig_pattern\u0022, \u0022xmrig_pattern\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022cryptominer_probe\u0022, \u0022net_xmrig_pattern\u0022, \u0022xmrig_pattern\u0022]","anomalies":"[]","severity":8,"bytes_in":179},{"id":9718319,"ip":"118.194.251.75","ts":"2026-06-20 04:40:31.000000","proto":"tcp","src_port":13738,"dst_port":70,"service":"gopher","classification":"postgres_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 1.9502120649147467, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 32.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0368\u0022, \u0022pat-0369\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0368\u0022, \u0022pat-0369\u0022], \u0022matched_patterns\u0022: [\u0022pat-0368\u0022, \u0022pat-0369\u0022, \u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022PostgreSQL cancel request\u0022, \u0022PostgreSQL startup\u0022, \u0022Kafka ApiVersions key\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0368\u0022, \u0022pat-0369\u0022, \u0022pat-0556\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002219214bd9a0c01f9428154f3b658852b6\u0022, \u0022path_pattern_hash\u0022: \u002280f3c71fe26f36a0a9399108643f66c5\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\n\\u0000\\u0012\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\n\\u0000\\u0012\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\n\\u0000\\u0012\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\n\\u0000\\u0012\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\n\\u0000\\u0012\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dec98f4db808353cc804c2b04f3f4e94c74a60b1\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\n\\u0000\\u0012\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 32.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0368\u0022, \u0022pat-0369\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0368\u0022, \u0022pat-0369\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\n\\u0000\\u0012\\u0000\\u0000\ufffd\ufffd\ufffd\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022postgres probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":14},{"id":9718309,"ip":"118.194.251.75","ts":"2026-06-20 04:40:28.000000","proto":"tcp","src_port":13284,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 40, \u0022payload_entropy\u0022: 3.2516094970590266, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ade4c3e7a4c503a0785a09ddcef1efb8\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0014anonymous_command_on\\u0000\\u0000\\u0000\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0014anonymous_command_on\\u0000\\u0000\\u0000\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0014anonymous_command_on\\u0000\\u0000\\u0000\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0014anonymous_command_on\\u0000\\u0000\\u0000\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0014anonymous_command_on\\u0000\\u0000\\u0000\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022faaac1977cbfe97eefe548e5d7c5f9f55410ad61\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0014anonymous_command_on\\u0000\\u0000\\u0000\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdanonymous_command_on\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0001\\u0000\\u0001\\u0000\\u0000\\u0000\\u0014anonymous_command_on\\u0000\\u0000\\u0000\\u0000\\b\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdanonymous_command_on\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":40},{"id":9718307,"ip":"118.194.251.75","ts":"2026-06-20 04:40:25.000000","proto":"tcp","src_port":12792,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 39, \u0022payload_entropy\u0022: 4.6632313853624945, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022268e50c3963f0c6fe6ca87afd0ce66b8\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022#\\u0000\\u0000\\u0000\\u0012!\\u0010\\u0003\\u001a\\u0006:62710*\\rfd135ge@\u0026yt_02\\u0006123456\u0022, \u0022request_sample\u0022: \u0022#\\u0000\\u0000\\u0000\\u0012!\\u0010\\u0003\\u001a\\u0006:62710*\\rfd135ge@\u0026yt_02\\u0006123456\u0022, \u0022payload_snippet\u0022: \u0022#\\u0000\\u0000\\u0000\\u0012!\\u0010\\u0003\\u001a\\u0006:62710*\\rfd135ge@\u0026yt_02\\u0006123456\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022#\\u0000\\u0000\\u0000\\u0012!\\u0010\\u0003\\u001a\\u0006:62710*\\rfd135ge@\u0026yt_02\\u0006123456\u0022, \u0022payload_snippet\u0022: \u0022#\\u0000\\u0000\\u0000\\u0012!\\u0010\\u0003\\u001a\\u0006:62710*\\rfd135ge@\u0026yt_02\\u0006123456\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002239b64bbd376d1b459ad4e710fca9edeec7d52630\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022#\\u0000\\u0000\\u0000\\u0012!\\u0010\\u0003\\u001a\\u0006:62710*\\rfd135ge@\u0026yt_02\\u0006123456\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022#!:62710*\\rfd135ge@\u0026yt_02123456\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022#\\u0000\\u0000\\u0000\\u0012!\\u0010\\u0003\\u001a\\u0006:62710*\\rfd135ge@\u0026yt_02\\u0006123456\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022#!:62710*\\rfd135ge@\u0026yt_02123456\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":39},{"id":9718306,"ip":"118.194.251.75","ts":"2026-06-20 04:40:22.000000","proto":"tcp","src_port":12268,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 43, \u0022payload_entropy\u0022: 5.10068335935326, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f4f17bcdc73af477913b79f96989f7d8\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\ufffdx\\u0017\\u0001#\\u0000\\u0000\\u0000.\ufffd=\\b\ufffd\ufffd\ufffd$\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0017\ufffd\ufffdW\\u001dE\\u0005$e\ufffdV\ufffd\u003E\\\\\ufffd\u0022, \u0022request_sample\u0022: \u0022\ufffdx\\u0017\\u0001#\\u0000\\u0000\\u0000.\ufffd=\\b\ufffd\ufffd\ufffd$\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0017\ufffd\ufffdW\\u001dE\\u0005$e\ufffdV\ufffd\u003E\\\\\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\ufffdx\\u0017\\u0001#\\u0000\\u0000\\u0000.\ufffd=\\b\ufffd\ufffd\ufffd$\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0017\ufffd\ufffdW\\u001dE\\u0005$e\ufffdV\ufffd\u003E\\\\\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffdx\\u0017\\u0001#\\u0000\\u0000\\u0000.\ufffd=\\b\ufffd\ufffd\ufffd$\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0017\ufffd\ufffdW\\u001dE\\u0005$e\ufffdV\ufffd\u003E\\\\\ufffd\u0022, \u0022payload_snippet\u0022: \u0022\ufffdx\\u0017\\u0001#\\u0000\\u0000\\u0000.\ufffd=\\b\ufffd\ufffd\ufffd$\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0017\ufffd\ufffdW\\u001dE\\u0005$e\ufffdV\ufffd\u003E\\\\\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b23b6934bd05c6076df07fceed659f56a9e84298\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffdx\\u0017\\u0001#\\u0000\\u0000\\u0000.\ufffd=\\b\ufffd\ufffd\ufffd$\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0017\ufffd\ufffdW\\u001dE\\u0005$e\ufffdV\ufffd\u003E\\\\\ufffd\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffdx#.\ufffd=\ufffd\ufffd\ufffd$\ufffd\u0027\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdWE$e\ufffdV\ufffd\u003E\\\\\ufffd\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffdx\\u0017\\u0001#\\u0000\\u0000\\u0000.\ufffd=\\b\ufffd\ufffd\ufffd$\\u0000\ufffd\u0027\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\\u0017\ufffd\ufffdW\\u001dE\\u0005$e\ufffdV\ufffd\u003E\\\\\ufffd\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffdx#.\ufffd=\ufffd\ufffd\ufffd$\ufffd\u0027\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdWE$e\ufffdV\ufffd\u003E\\\\\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":43},{"id":9718304,"ip":"118.194.251.75","ts":"2026-06-20 04:40:19.000000","proto":"tcp","src_port":11818,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 156, \u0022payload_entropy\u0022: 1.0056921668856296, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00225ca0ed1490012fe941f931322c79c1f4\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ppap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ppap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ppap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220d626836a67952e4a7033dccb45e18ebfd7889dc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ppap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd+\u003CM\ufffd\ufffdnoneppap\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\ufffd\\u0000\\u0001\\u001a+\u003CM\\u0000\\u0001\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\\u0001\ufffd\ufffd\\u0000\\u0001none\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000ppap\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd+\u003CM\ufffd\ufffdnoneppap\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":156},{"id":9718296,"ip":"118.194.251.75","ts":"2026-06-20 04:40:16.000000","proto":"tcp","src_port":11326,"dst_port":70,"service":"gopher","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 144, \u0022payload_entropy\u0022: 4.6684321087757565, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 39, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0530\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022, \u0022XMPP stream\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0530\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 39}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222c2f7964ac7971e254cec36837483540\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 39}, \u0022payload_preview\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 xmlns=\u0027jabber:client\u0027 xml:lang=\u0027ru-RU\u0027 to=\u0027.\u0022, \u0022request_sample\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 xmlns=\u0027jabber:client\u0027 xml:lang=\u0027ru-RU\u0027 to=\u0027.\u0027 version=\u00271.0\u0027\u003E\u0022, \u0022payload_snippet\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 xmlns=\u0027jabber:client\u0027 xml:lang=\u0027ru-RU\u0027 to=\u0027.\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 xmlns=\u0027jabber:client\u0027 xml:lang=\u0027ru-RU\u0027 to=\u0027.\u0027 version=\u00271.0\u0027\u003E\u0022, \u0022payload_snippet\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 xmlns=\u0027jabber:client\u0027 xml:lang=\u0027ru-RU\u0027 to=\u0027.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222db9aced5245d0c8bc7f381308fe62fa84293db5\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 xmlns=\u0027jabber:client\u0027 xml:lang=\u0027ru-RU\u0027 to=\u0027.\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 xmlns=\u0027jabber:client\u0027 xml:lang=\u0027ru-RU\u0027 to=\u0027.\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via GOPHER:70 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 39\/100 (Faible) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via GOPHER\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 39}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 39, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 xmlns=\u0027jabber:client\u0027 xml:lang=\u0027ru-RU\u0027 to=\u0027.\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via GOPHER:70 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 xmlns=\u0027jabber:client\u0027 xml:lang=\u0027ru-RU\u0027 to=\u0027.\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":144},{"id":9718291,"ip":"118.194.251.75","ts":"2026-06-20 04:40:13.000000","proto":"tcp","src_port":10872,"dst_port":70,"service":"gopher","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 20, \u0022payload_entropy\u0022: 2.1709505944546685, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00222d5f2b87dd037e1bb1c1f8b9f3a815f8eb575594\u0022, \u0022event_fingerprint\u0022: \u0022411efea85805d4ba674cf50bff68f395707c3e5f\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002278303524a43907117dd5e6de4f427da3\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0012\\u0002index\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0012\\u0002index\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0002index\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0012\\u0002index\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0012\\u0002index\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225a48c830aa184c78d415152e24770ce67f18b0b8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0002index\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022index\ufffd\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0012\\u0002index\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022index\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":5,"bytes_in":20},{"id":9718288,"ip":"118.194.251.75","ts":"2026-06-20 04:40:10.000000","proto":"tcp","src_port":10414,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 118, \u0022payload_entropy\u0022: 5.151202745659785, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e4c389aa171b6c4fc8c08b745ec87f45\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0006\ufffd\ufffdJoin\u00e5Nodes\\u0001\ufffdUserStateLen\\u0000\ufffd\ufffdAddr\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd8\\u0001\ufffdIncarnation\\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\\u001f\\n\ufffdState\\u0000\ufffdVsn\ufffd\\u0001\\u0005\\u0002\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0006\ufffd\ufffdJoin\u00e5Nodes\\u0001\ufffdUserStateLen\\u0000\ufffd\ufffdAddr\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd8\\u0001\ufffdIncarnation\\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\\u001f\\n\ufffdState\\u0000\ufffdVsn\ufffd\\u0001\\u0005\\u0002\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0006\ufffd\ufffdJoin\u00e5Nodes\\u0001\ufffdUserStateLen\\u0000\ufffd\ufffdAddr\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd8\\u0001\ufffdIncarnation\\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\\u001f\\n\ufffdState\\u0000\ufffdVsn\ufffd\\u0001\\u0005\\u0002\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0006\ufffd\ufffdJoin\u00e5Nodes\\u0001\ufffdUserStateLen\\u0000\ufffd\ufffdAddr\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd8\\u0001\ufffdIncarnation\\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\\u001f\\n\ufffdState\\u0000\ufffdVsn\ufffd\\u0001\\u0005\\u0002\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0006\ufffd\ufffdJoin\u00e5Nodes\\u0001\ufffdUserStateLen\\u0000\ufffd\ufffdAddr\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd8\\u0001\ufffdIncarnation\\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\\u001f\\n\ufffdState\\u0000\ufffdVsn\ufffd\\u0001\\u0005\\u0002\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022424f57fc36a7a24fbea86a41b6ded5a1ccdf8b3b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0006\ufffd\ufffdJoin\u00e5Nodes\\u0001\ufffdUserStateLen\\u0000\ufffd\ufffdAddr\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd8\\u0001\ufffdIncarnation\\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\\u001f\\n\ufffdState\\u0000\ufffdVsn\ufffd\\u0001\\u0005\\u0002\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdJoin\u00e5Nodes\ufffdUserStateLen\ufffd\ufffdAddr\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffdIncarnation\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\\n\ufffdState\ufffdVsn\ufffd\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0006\ufffd\ufffdJoin\u00e5Nodes\\u0001\ufffdUserStateLen\\u0000\ufffd\ufffdAddr\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd8\\u0001\ufffdIncarnation\\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\\u001f\\n\ufffdState\\u0000\ufffdVsn\ufffd\\u0001\\u0005\\u0002\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdJoin\u00e5Nodes\ufffdUserStateLen\ufffd\ufffdAddr\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffdIncarnation\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\\n\ufffdState\ufffdVsn\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":118},{"id":9718285,"ip":"118.194.251.75","ts":"2026-06-20 04:40:07.000000","proto":"tcp","src_port":64790,"dst_port":70,"service":"gopher","classification":"rdp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 11, \u0022payload_entropy\u0022: 1.6729330318733675, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022RDP negotiation\u0022, \u0022ET H.323 setup\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00226771a78868614c6768349c36da4591da\u0022, \u0022path_pattern_hash\u0022: \u00225dd788b551ee7afb63321e74cfc538f6\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022dc3790bdb50d35d8374bb0316c0b452a0e91d7d0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 % \u2014 via GOPHER\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022, \u0022pat-0352\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u000b\\u0006\ufffd\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022rdp probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":11},{"id":9718283,"ip":"118.194.251.75","ts":"2026-06-20 04:40:04.000000","proto":"tcp","src_port":64306,"dst_port":70,"service":"gopher","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 2.5306390622295662, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0356\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0356\u0022], \u0022matched_patterns\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022MSSQL TDS prelogin\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0356\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224128f0bf8d86360e67d6f2d54987a8fb\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022request_sample\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022payload_snippet\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022payload_snippet\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b077d8dcbd24ea450d93284e682a7d141283529f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022TNMPTNME\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0356\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0356\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022TNMP\\u0004\\u0000\\u0000\\u0000TNME\\u0000\\u0000\\u0004\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022TNMPTNME\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":16},{"id":9718280,"ip":"118.194.251.75","ts":"2026-06-20 04:40:01.000000","proto":"tcp","src_port":63842,"dst_port":70,"service":"gopher","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 223, \u0022payload_entropy\u0022: 5.2138020186451035, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a45f037b8553e06cc139b7e55155fc44\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022INVITES sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42 \u0022, \u0022request_sample\u0022: \u0022INVITES sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42 OPTIONS\\r\\nMax-Forwards: 70\\r\\nContent-Length: 0\\r\\nContact: \u003Csip:nm@nm\u003E\\r\\nAccept: application\/sdp\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022INVITES sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022INVITES sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42 OPTIONS\\r\\nMax-Forwards: 70\\r\\nContent-Length: 0\\r\\nContact: \u003Csip:nm@nm\u003E\\r\\nAccept: application\/sdp\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022INVITES sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a6f7468f261d7a7f1b2e761cc86a705364d24f63\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITES sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022INVITES sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via GOPHER:70 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via GOPHER\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022INVITES sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via GOPHER:70 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022INVITES sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":223},{"id":9718276,"ip":"118.194.251.75","ts":"2026-06-20 04:39:58.000000","proto":"tcp","src_port":63430,"dst_port":70,"service":"gopher","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 223, \u0022payload_entropy\u0022: 5.197167462839961, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022, \u0022HTTP OPTIONS method\u0022, \u0022SIP OPTIONS\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220712a7f81d9d033f2caa8a8a90bbc4a8\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42 \u0022, \u0022request_sample\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42 OPTIONS\\r\\nMax-Forwards: 70\\r\\nContent-Length: 0\\r\\nContact: \u003Csip:nm@nm\u003E\\r\\nAccept: application\/sdp\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42 OPTIONS\\r\\nMax-Forwards: 70\\r\\nContent-Length: 0\\r\\nContact: \u003Csip:nm@nm\u003E\\r\\nAccept: application\/sdp\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226c088dae19403ee4549c627a54fc94be2b331fc0\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via GOPHER:70 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via GOPHER\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via GOPHER:70 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:nm SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP nm;branch=foo\\r\\nFrom: \u003Csip:nm@nm\u003E;tag=root\\r\\nTo: \u003Csip:nm2@nm2\u003E\\r\\nCall-ID: 50000\\r\\nCSeq: 42\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":223},{"id":9718275,"ip":"118.194.251.75","ts":"2026-06-20 04:39:55.000000","proto":"tcp","src_port":62956,"dst_port":70,"service":"gopher","classification":"ldap_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 2.9852281360342516, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 54.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab ldap_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0859\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0859\u0022], \u0022matched_patterns\u0022: [\u0022pat-0859\u0022, \u0022pat-0554\u0022], \u0022matched_pattern_names\u0022: [\u0022ET LDAP anon bind\u0022, \u0022Minecraft varint handshake\u0022], \u0022pattern_ids\u0022: [\u0022pat-0859\u0022, \u0022pat-0554\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022548b3df94bdc85e8b94b0de75b5e0379\u0022, \u0022path_pattern_hash\u0022: \u002279ba87c92cce1f6abf5b6560fb8afdba\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022request_sample\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022payload_snippet\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab ldap_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224fb767ff049a21d5a923d9dd16deab86c58b4a29\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u00220`\ufffd\u0022, \u0022attack_vector\u0022: \u0022ldap probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab ldap_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab ldap_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 54.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0859\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0859\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220\\f\\u0002\\u0001\\u0001`\\u0007\\u0002\\u0001\\u0002\\u0004\\u0000\ufffd\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022ldap probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220`\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":14},{"id":9718273,"ip":"118.194.251.75","ts":"2026-06-20 04:39:52.000000","proto":"tcp","src_port":62516,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 51, \u0022payload_entropy\u0022: 3.7946877264252636, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022edc124f1d34ba290330abcac2736b204\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d37b7caca6fb52d49382fa79a15dc90d785ea265\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u00220\ufffd-c\ufffd$\\n\\nd\ufffdobjectClass0\ufffd\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220\ufffd\\u0000\\u0000\\u0000-\\u0002\\u0001\\u0007c\ufffd\\u0000\\u0000\\u0000$\\u0004\\u0000\\n\\u0001\\u0000\\n\\u0001\\u0000\\u0002\\u0001\\u0000\\u0002\\u0001d\\u0001\\u0001\\u0000\ufffd\\u000bobjectClass0\ufffd\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220\ufffd-c\ufffd$\\n\\nd\ufffdobjectClass0\ufffd\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":51},{"id":9718270,"ip":"118.194.251.75","ts":"2026-06-20 04:39:49.000000","proto":"tcp","src_port":62000,"dst_port":70,"service":"gopher","classification":"modbus_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 126, \u0022payload_entropy\u0022: 3.6365655435185062, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 33, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0357\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0357\u0022], \u0022matched_patterns\u0022: [\u0022pat-0357\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Modbus TCP header\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0357\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002298cb3978bd8d0583d0e6d69919db9eca\u0022, \u0022path_pattern_hash\u0022: \u00228ae4962b81dca47862d9dd3befc69030\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 33}, \u0022payload_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdversion\\u0000\\u0000\\u0000\\u0000\\u0000f\\u0000\\u0000\\u0000GH\ufffd\\u0013\\u0011\\u0001\\u0000\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0006\\t=Z\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffdYKI\\u000b \ufffd\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0123A\ufffd\\u0004\ufffd\ufffd\\u0010\/Satoshi:0.15.1\/\\u0000\\u0000\\u0000\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\ufffd\ufffd\ufffdversion\\u0000\\u0000\\u0000\\u0000\\u0000f\\u0000\\u0000\\u0000GH\ufffd\\u0013\\u0011\\u0001\\u0000\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0006\\t=Z\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffdYKI\\u000b \ufffd\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0123A\ufffd\\u0004\ufffd\ufffd\\u0010\/Satoshi:0.15.1\/\\u0000\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdversion\\u0000\\u0000\\u0000\\u0000\\u0000f\\u0000\\u0000\\u0000GH\ufffd\\u0013\\u0011\\u0001\\u0000\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0006\\t=Z\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffdYKI\\u000b \ufffd\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0123A\ufffd\\u0004\ufffd\ufffd\\u0010\/Satoshi:0.15.1\/\\u0000\\u0000\\u0000\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022ics_probe\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002233daa4b0e9025edbc579eb2cdce99fd27537bf06\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\ufffd\ufffd\ufffdversion\\u0000\\u0000\\u0000\\u0000\\u0000f\\u0000\\u0000\\u0000GH\ufffd\\u0013\\u0011\\u0001\\u0000\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0006\\t=Z\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffdYKI\\u000b \ufffd\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0123A\ufffd\\u0004\ufffd\ufffd\\u0010\/Satoshi:0.15.1\/\\u0000\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdversionfGH\ufffd\\r\\t=Z\\t\ufffd\ufffdYKI \ufffd\\r\u0123A\ufffd\ufffd\ufffd\/Satoshi:0.15.1\/\u0022, \u0022attack_vector\u0022: \u0022modbus probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 33\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 33}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 33, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0357\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0357\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\ufffd\ufffd\ufffdversion\\u0000\\u0000\\u0000\\u0000\\u0000f\\u0000\\u0000\\u0000GH\ufffd\\u0013\\u0011\\u0001\\u0000\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0006\\t=Z\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffdYKI\\u000b \ufffd\\r\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0123A\ufffd\\u0004\ufffd\ufffd\\u0010\/Satoshi:0.15.1\/\\u0000\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022modbus probe \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\ufffd\ufffdversionfGH\ufffd\\r\\t=Z\\t\ufffd\ufffdYKI \ufffd\\r\u0123A\ufffd\ufffd\ufffd\/Satoshi:0.15.1\/\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":126},{"id":9718263,"ip":"118.194.251.75","ts":"2026-06-20 04:39:46.000000","proto":"tcp","src_port":61514,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 3.169925001442312, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0577\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002239b37e76df338b7381ea8bb116701c98\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0001default\\n\u0022, \u0022request_sample\u0022: \u0022\\u0001default\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0001default\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0001default\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u0001default\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224a1163bc0461e50aceeecadc6b641e4d2fb99390\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001default\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022default\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0577\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0577\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0001default\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022default\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":9},{"id":9718261,"ip":"118.194.251.75","ts":"2026-06-20 04:39:43.000000","proto":"tcp","src_port":61082,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 53, \u0022payload_entropy\u0022: 4.704058897836964, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 16.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 32.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 24, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220d8b3f3515cf9f475a8871be63367df1a00be3e9\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002208bd34a37b11f5c307f84418e0c2a579\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 24}, \u0022payload_preview\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022request_sample\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022628521cfb6c8f4504b1875fc16d3fe12dc5c7e3a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 32.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 24}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 24, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 0 % \u2014 1 signal(aux) capteur\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http_get_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http_get_probe\u0022]","anomalies":"[]","severity":2,"bytes_in":53},{"id":9718256,"ip":"118.194.251.75","ts":"2026-06-20 04:39:40.000000","proto":"tcp","src_port":60528,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 0.8166890883150209, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad33d13d6bc3bd05c9957f130811a989\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022162b2b7b2bb0d6eeffd5cfc74360fadc33679222\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022l\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022l\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022l\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":12},{"id":9718252,"ip":"118.194.251.75","ts":"2026-06-20 04:39:37.000000","proto":"tcp","src_port":60050,"dst_port":70,"service":"gopher","classification":"gopher","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00226957656c636f6d6520746f20686f6e6579706f7420676f706865720966616b6509310d0a2e0d0a\u0022, \u0022emulator_response_len\u0022: 39, \u0022bytes_in\u0022: 168, \u0022payload_entropy\u0022: 4.517824025292926, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022service\u0022: \u0022gopher\u0022, \u0022app_proto\u0022: \u0022gopher\u0022, \u0022asn\u0022: 135377, \u0022country\u0022: \u0022TH\u0022, \u0022dst_port\u0022: 70, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 5, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227de9773556d61cd035254f140e77d1a6710f3f0c\u0022, \u0022event_fingerprint\u0022: \u00226fd84d2a15eac085f88e04a17911c43e5059e0f8\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022TH\u0022, \u0022asn\u0022: 135377, \u0022org\u0022: \u0022UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c8b954e7bc1bc076c8d1bd64820e67f\u0022, \u0022path_pattern_hash\u0022: \u00229cc1ee455a3363ffc504f40006f70d0c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022risk_score\u0022: 5}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002Samba\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.2X002\\u0000\\u0002Samba\\u0000\\u0002NT LANMAN 1.0\\u0000\\u0002NT LM 0.12\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222d6a9c38f553c26a5a91954aef9a2f2a176cbf2e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.\u0022, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab gopher \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 5}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 5, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022, \u0022dst_port\u0022: 70, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\ufffd\ufffdSMBr\\u0000\\u0000\\u0000\\u0000\\b\\u0001@\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000@\\u0006\\u0000\\u0000\\u0001\\u0000\\u0000\ufffd\\u0000\\u0002PC NETWORK PROGRAM 1.0\\u0000\\u0002MICROSOFT NETWORKS 1.03\\u0000\\u0002MICROSOFT NETWORKS 3.0\\u0000\\u0002LANMAN1.0\\u0000\\u0002LM1.\u0022, \u0022port\u0022: 70, \u0022service\u0022: \u0022gopher\u0022, \u0022service_label_fr\u0022: \u0022GOPHER\u0022}, \u0022attack_vector\u0022: \u0022gopher \u00b7 via GOPHER:70 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdSMBr@@\ufffdPC NETWORK PROGRAM 1.0MICROSOFT NETWORKS 1.03MICROSOFT NETWORKS 3.0LANMAN1.0LM1.\u0022, \u0022target_port_label\u0022: \u002270 \u00b7 GOPHER\u0022, \u0022emulator_service\u0022: \u0022gopher\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022gopher\u0022, \u0022service_banner\u0022: \u0022honeypot-gopher\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002270\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":168}],"total_events":239}