Méthode
GET
Port
1110
Chemin / cible
/
Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59%
Confiance classification
59%
Risque capteur
Moyen
· 46
Confiance : Confiance 59 % — Motif catalogue confirmé · 3 tag(s) WAF
Signaux
pat-0284
Technique MITRE
TA0001
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 941130
Ligne de requête
GET / HTTP/1.1
User-Agent
Dalvik/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build/MRA58K)
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1110
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build/MRA58K)
Accept-Encoding
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1110 User-Agent: Dalvik/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build/MRA58K) Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,applic
Meta JSON brut
{
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "b16282a7fa437db295a1c0ee409cf7d692d467c2",
"http_host_hash": "f467d15de80c803720c0947535567d0e1bb61709",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 374,
"payload_entropy": 5.427883265295355,
"port_category": "registered",
"org": "Chinanet",
"service": "http",
"app_proto": "http",
"asn": 4134,
"country": "CN",
"dst_port": 1110,
"risk_waf": 72,
"risk_classification": 68,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 25,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15
},
"risk_score": 46,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ff337f8fc3484b1660f99acb9283dd9f4d86bf83",
"event_fingerprint": "6801bd2b1e0b24a38e8d0e43a2e41432cf2be405",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"confidence": 0.59,
"classification_confidence": 0.59,
"precision_score": 70,
"precision_signals": [
"pat-0284"
],
"kb_rule_ids": [
"pat-0284"
],
"matched_patterns": [
"pat-0284"
],
"matched_pattern_names": [
"CRS 941130"
],
"pattern_ids": [
"pat-0284"
],
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 59,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 4134,
"org": "Chinanet",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4d2f4327a2305f89e4487de0ff5d654c",
"payload_hash": "520d47745d134d2c28996219f4dc877d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1110,
"service": "http",
"service_name": "http",
"risk_score": 46
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)\r\nAccept-Encoding",
"method": "GET",
"path": "\/",
"user_agent": "Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)\r\nAccept-Encoding: gzip, deflate\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,applic",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)\r\nAccept-Encoding",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)\r\nAccept-Encoding: gzip, deflate\r\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,applic",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)\r\nAccept-Encoding",
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre": "TA0001",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9db824925486f4137c79bebd3e9e65f1eda4c6ce",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)",
"port": 1110,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)\r\nAccept-Encoding",
"attack_vector": "xss attack \u00b7 via HTTP:1110 \u00b7 (tentative d'exploit)",
"target_port_label": "1110 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"classification_reason_label_fr": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP",
"confidence_pct": 59,
"confidence_breakdown": {
"waf": 72,
"classification": 68,
"behavior": 0,
"geo": 0,
"protocol": 25,
"novelty": 15,
"risk_score": 46
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 46,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1110,
"protocol_emulated": null,
"tags_summary": [
"pat-0284"
],
"tags_summary_labels_fr": [
"pat-0284"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0001",
"mitre_technique": "TA0001",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)",
"port": 1110,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "xss attack \u00b7 via HTTP:1110 \u00b7 (tentative d'exploit)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1110\r\nUser-Agent: Dalvik\/2.1.0 (Linux; U; Android 9.0; ZTE BA520 Build\/MRA58K)\r\nAccept-Encoding",
"target_port_label": "1110 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 59 % \u2014 Motif catalogue confirm\u00e9 \u00b7 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 59 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1110"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
|