Méthode
—
Port
2376
Chemin / cible
—
Service
DOCKER TLS
Payload
����S���O��a�T�w�w��#�)�Ƿ��e�4����$���!@���������������������� � � � � ��������������������������������� �!�"�#�$�%�&�'�(�)�*
Pourquoi cette classification : Type « docker_tls_probe » (signaux protocolaires) · confiance 62%
Confiance classification
62%
Risque capteur
Moyen
· 45
Confiance : Confiance 62 % — 5 signal(aux) capteur
Protocole émulé
1
Signaux
Docker Tls
Upstream
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
Minecraft varint handshake
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����S���O��a�T�w�w��#�)�Ƿ��e�4����$���!@���������������������� �
�����
��������������������������������� �!�"�#�$�%�&�'�(�)�*
Requête brute (extrait)
����S���O��a�T�w�w��#�)�Ƿ��e�4����$���!@���������������������� � � � � ��������������������������������� �!�"�#�$�%�&�'�(�)�*�+�,�-�.�/�0�1�2�3�4�5�6�7�8�9�:�;�<�=�>�?�@�A�B�C�D�E�F�g�h�i�j�k�l�m����������������������������������������������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "15030300020228",
"emulator_response_len": 7,
"bytes_in": 856,
"payload_entropy": 5.626463646855194,
"port_category": "registered",
"org": "Chinanet",
"service": "docker-tls",
"app_proto": "docker-tls",
"asn": 4134,
"country": "CN",
"dst_port": 2376,
"risk_waf": 8,
"risk_classification": 44,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 44,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 25
},
"risk_score": 45,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "8b17215afa683664673e4e271716fbb0ba8f91d8",
"event_fingerprint": "0e1c691ada97ecfe1cd84524e4db6b819b7ed10b",
"classification_reason": "Type \u00ab docker_tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 62%",
"confidence": 0.62,
"classification_confidence": 0.62,
"precision_score": 69,
"precision_signals": [
"INT-docker-tls",
"INT-upstream"
],
"kb_rule_ids": [
"INT-docker-tls",
"INT-upstream"
],
"matched_patterns": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"Minecraft varint handshake",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0554",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 44,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 25,
"risk_score": 45
},
"named_classification_skipped": false,
"service_name": "docker-tls",
"risk_confidence_factor": 62,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 4134,
"org": "Chinanet",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3b5be59067df1ced2b34044923f64b0f",
"path_pattern_hash": "d32a2cff6903ffd31fff36df36da58ae"
},
"target_context": {
"dst_port": 2376,
"service": "docker-tls",
"service_name": "docker-tls",
"risk_score": 45
},
"payload_snippet": "\u0016\u0003\u0001\u0003S\u0001\u0000\u0003O\u0003\u0003a\ufffdT\ufffdw\ufffdw\ufffd\ufffd#\ufffd)\ufffd\u07bc\u01f7\ufffd\ufffde\ufffd4\u0002\u0004\ufffd\ufffd$\ufffd\u0004\ufffd!@\u0000\u0002\ufffd\u0000\u0000\u0000\u0001\u0000\u0002\u0000\u0003\u0000\u0004\u0000\u0005\u0000\u0006\u0000\u0007\u0000\b\u0000\t\u0000\n\u0000\u000b\u0000\f\u0000\r\u0000\u000e\u0000\u000f\u0000\u0010\u0000\u0011\u0000\u0012\u0000\u0013\u0000\u0014\u0000\u0015\u0000\u0016\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u001a\u0000\u001b\u0000\u001e\u0000\u001f\u0000 \u0000!\u0000\"\u0000#\u0000$\u0000%\u0000&\u0000'\u0000(\u0000)\u0000*",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0003S\u0001\u0000\u0003O\u0003\u0003a\ufffdT\ufffdw\ufffdw\ufffd\ufffd#\ufffd)\ufffd\u07bc\u01f7\ufffd\ufffde\ufffd4\u0002\u0004\ufffd\ufffd$\ufffd\u0004\ufffd!@\u0000\u0002\ufffd\u0000\u0000\u0000\u0001\u0000\u0002\u0000\u0003\u0000\u0004\u0000\u0005\u0000\u0006\u0000\u0007\u0000\b\u0000\t\u0000\n\u0000\u000b\u0000\f\u0000\r\u0000\u000e\u0000\u000f\u0000\u0010\u0000\u0011\u0000\u0012\u0000\u0013\u0000\u0014\u0000\u0015\u0000\u0016\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u001a\u0000\u001b\u0000\u001e\u0000\u001f\u0000 \u0000!\u0000\"\u0000#\u0000$\u0000%\u0000&\u0000'\u0000(\u0000)\u0000*\u0000+\u0000,\u0000-\u0000.\u0000\/\u00000\u00001\u00002\u00003\u00004\u00005\u00006\u00007\u00008\u00009\u0000:\u0000;\u0000<\u0000=\u0000>\u0000?\u0000@\u0000A\u0000B\u0000C\u0000D\u0000E\u0000F\u0000g\u0000h\u0000i\u0000j\u0000k\u0000l\u0000m\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd\u0000\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0003S\u0001\u0000\u0003O\u0003\u0003a\ufffdT\ufffdw\ufffdw\ufffd\ufffd#\ufffd)\ufffd\u07bc\u01f7\ufffd\ufffde\ufffd4\u0002\u0004\ufffd\ufffd$\ufffd\u0004\ufffd!@\u0000\u0002\ufffd\u0000\u0000\u0000\u0001\u0000\u0002\u0000\u0003\u0000\u0004\u0000\u0005\u0000\u0006\u0000\u0007\u0000\b\u0000\t\u0000\n\u0000\u000b\u0000\f\u0000\r\u0000\u000e\u0000\u000f\u0000\u0010\u0000\u0011\u0000\u0012\u0000\u0013\u0000\u0014\u0000\u0015\u0000\u0016\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u001a\u0000\u001b\u0000\u001e\u0000\u001f\u0000 \u0000!\u0000\"\u0000#\u0000$\u0000%\u0000&\u0000'\u0000(\u0000)\u0000*",
"classification_reason": "Type \u00ab docker_tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 62%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3e8e9601faaee7ec5494934323e45467ebb4ef77",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0003S\u0001\u0000\u0003O\u0003\u0003a\ufffdT\ufffdw\ufffdw\ufffd\ufffd#\ufffd)\ufffd\u07bc\u01f7\ufffd\ufffde\ufffd4\u0002\u0004\ufffd\ufffd$\ufffd\u0004\ufffd!@\u0000\u0002\ufffd\u0000\u0000\u0000\u0001\u0000\u0002\u0000\u0003\u0000\u0004\u0000\u0005\u0000\u0006\u0000\u0007\u0000\b\u0000\t\u0000\n\u0000\u000b\u0000\f\u0000\r\u0000\u000e\u0000\u000f\u0000\u0010\u0000\u0011\u0000\u0012\u0000\u0013\u0000\u0014\u0000\u0015\u0000\u0016\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u001a\u0000\u001b\u0000\u001e\u0000\u001f\u0000 \u0000!\u0000\"\u0000#\u0000$\u0000%\u0000&\u0000'\u0000(\u0000)\u0000*",
"port": 2376,
"service": "docker-tls",
"service_label_fr": "DOCKER TLS"
},
"evidence_snippet": "SOa\ufffdT\ufffdw\ufffdw\ufffd\ufffd#\ufffd)\ufffd\u07bc\u01f7\ufffd\ufffde\ufffd4\ufffd\ufffd$\ufffd\ufffd!@\ufffd\t\n\r !\"#$%&'()*",
"attack_vector": "docker tls probe \u00b7 via DOCKER TLS:2376 \u00b7 (sonde \/ probe)",
"target_port_label": "2376 \u00b7 DOCKER TLS",
"emulator_service": "docker-tls",
"confidence_reason": "Confiance 62 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab docker_tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 62%",
"classification_reason_label_fr": "Type \u00ab docker_tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 62%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 62,
"confidence_breakdown": {
"waf": 8,
"classification": 44,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 25,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "docker-tls",
"service_label_fr": "DOCKER TLS",
"dst_port": 2376,
"protocol_emulated": true,
"tags_summary": [
"INT-docker-tls",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Docker Tls",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-docker-tls",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0003S\u0001\u0000\u0003O\u0003\u0003a\ufffdT\ufffdw\ufffdw\ufffd\ufffd#\ufffd)\ufffd\u07bc\u01f7\ufffd\ufffde\ufffd4\u0002\u0004\ufffd\ufffd$\ufffd\u0004\ufffd!@\u0000\u0002\ufffd\u0000\u0000\u0000\u0001\u0000\u0002\u0000\u0003\u0000\u0004\u0000\u0005\u0000\u0006\u0000\u0007\u0000\b\u0000\t\u0000\n\u0000\u000b\u0000\f\u0000\r\u0000\u000e\u0000\u000f\u0000\u0010\u0000\u0011\u0000\u0012\u0000\u0013\u0000\u0014\u0000\u0015\u0000\u0016\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u001a\u0000\u001b\u0000\u001e\u0000\u001f\u0000 \u0000!\u0000\"\u0000#\u0000$\u0000%\u0000&\u0000'\u0000(\u0000)\u0000*",
"port": 2376,
"service": "docker-tls",
"service_label_fr": "DOCKER TLS"
},
"attack_vector": "docker tls probe \u00b7 via DOCKER TLS:2376 \u00b7 (sonde \/ probe)",
"evidence_snippet": "SOa\ufffdT\ufffdw\ufffdw\ufffd\ufffd#\ufffd)\ufffd\u07bc\u01f7\ufffd\ufffde\ufffd4\ufffd\ufffd$\ufffd\ufffd!@\ufffd\t\n\r !\"#$%&'()*",
"target_port_label": "2376 \u00b7 DOCKER TLS",
"emulator_service": "docker-tls",
"confidence_reason": "Confiance 62 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "docker_tls",
"service_banner": "honeypot-docker-tls",
"service_os": "linux",
"dst_port": "2376"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"docker_api_probe",
"docker_tls_emulated",
"docker_tls_payload",
"net_docker_tls_probe",
"tls_clienthello"
]
}
|