Détails IP 13.59.6.180

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « postgres_probe » (signaux protocolaires) · confiance 49%

Confiance 49 % — Score WAF 8

Comparaison ASN / FAI

ASN 16509 · 13.56.0.0/14 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 15 événements sur la période pour cette IP.

3.130.168.2 Sonde PostgreSQL 18/06/2026 12:04 UTC
3.143.162.210 Sonde PostgreSQL 18/06/2026 11:56 UTC
3.131.220.121 Sonde PostgreSQL 18/06/2026 11:53 UTC
16.58.56.214 Protocole wire MongoDB 18/06/2026 11:51 UTC
18.218.118.203 Sonde PostgreSQL 18/06/2026 11:49 UTC
3.129.187.38 Sonde PostgreSQL 18/06/2026 11:49 UTC
3.134.216.108 Sonde PostgreSQL 18/06/2026 11:48 UTC
18.188.122.161 Sonde PostgreSQL 18/06/2026 11:41 UTC

IPs apparentées

Même FAI Amazon.com, Inc. — corrélation indicative.

3.130.168.2 Sonde PostgreSQL
3.143.162.210 Sonde PostgreSQL
3.131.220.121 Sonde PostgreSQL
16.58.56.214 Protocole wire MongoDB
18.218.118.203 Sonde PostgreSQL

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

IMAP TCP 5 HTTP TCP 4 ADMIN ALT TCP 3 TLS TCP 2

IMAP

5

HTTP

4

ADMIN ALT

3

TLS

2

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

15 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
16/06/2026 02:37:43 UTC	TCP	143 · IMAP	imap	Sonde PostgreSQL postgres probe · via IMAP:143 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur IMAP WAF — Recommandation Surveiller Tags imap_emulated net_pop3_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 143 Chemin / cible — Service IMAP Payload ��}ɵ��wh̔��J-��#��̥�� r��D`S�Q ��qb9��lZ��7H�c/�&&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��}ɵ��wh̔��J-��#��̥�� r��D`S�Q ��qb9��lZ��7H�c/�&&̨̩�/�0�+�,�� /5� { Requête brute (extrait) ��}ɵ��wh̔��J-��#��̥�� r��D`S�Q ��qb9��lZ��7H�c/�&&̨̩�/�0�+�,�� /5� { �+ 3&$ 06�l>��<��S,��5k��6��%��ts�e Meta JSON brut { "protocol_emulated": true, "emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a", "emulator_response_len": 27, "bytes_in": 243, "payload_entropy": 5.839933321934569, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "imap", "app_proto": "imap", "asn": 16509, "country": "US", "dst_port": 143, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2f45474cfafae088642f702bdc389103c10e443e", "event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "imap", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a527c6afc9f539f187efc146c179df25", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 143, "service": "imap", "service_name": "imap", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\u0275\ufffd\ufffd\ufffd\ufffdwh\u0314\ufffd\ufffdJ-\ufffd\ufffd#\ufffd\ufffd\u001b\ufffd\u0325\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd r\ufffd\ufffdD`S\ufffdQ\n\ufffd\ufffdqb9\ufffd\ufffdlZ\ufffd\ufffd7H\u0017\ufffd\u0003c\/\ufffd&\u001a\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\u0275\ufffd\ufffd\ufffd\ufffdwh\u0314\ufffd\ufffdJ-\ufffd\ufffd#\ufffd\ufffd\u001b\ufffd\u0325\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd r\ufffd\ufffdD`S\ufffdQ\n\ufffd\ufffdqb9\ufffd\ufffdlZ\ufffd\ufffd7H\u0017\ufffd\u0003c\/\ufffd&\u001a\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 06\u0000\ufffdl>\ufffd\ufffd\ufffd<\ufffd\ufffdS,\ufffd\ufffd5k\u001e\ufffd\ufffd\ufffd6\ufffd\ufffd%\ufffd\ufffdts\ufffde", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\u0275\ufffd\ufffd\ufffd\ufffdwh\u0314\ufffd\ufffdJ-\ufffd\ufffd#\ufffd\ufffd\u001b\ufffd\u0325\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd r\ufffd\ufffdD`S\ufffdQ\n\ufffd\ufffdqb9\ufffd\ufffdlZ\ufffd\ufffd7H\u0017\ufffd\u0003c\/\ufffd&\u001a\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6458404706f8468b7c54bdaba0b0d45d05d99de4", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\u0275\ufffd\ufffd\ufffd\ufffdwh\u0314\ufffd\ufffdJ-\ufffd\ufffd#\ufffd\ufffd\u001b\ufffd\u0325\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd r\ufffd\ufffdD`S\ufffdQ\n\ufffd\ufffdqb9\ufffd\ufffdlZ\ufffd\ufffd7H\u0017\ufffd\u0003c\/\ufffd&\u001a\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "evidence_snippet": "\ufffd\ufffd}\u0275\ufffd\ufffd\ufffd\ufffdwh\u0314\ufffd\ufffdJ-\ufffd\ufffd#\ufffd\ufffd\ufffd\u0325\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd r\ufffd\ufffdD`S\ufffdQ\n\ufffd\ufffdqb9\ufffd\ufffdlZ\ufffd\ufffd7H\ufffdc\/\ufffd&&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "imap", "service_label_fr": "IMAP", "dst_port": 143, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-imap", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\u0275\ufffd\ufffd\ufffd\ufffdwh\u0314\ufffd\ufffdJ-\ufffd\ufffd#\ufffd\ufffd\u001b\ufffd\u0325\u0006\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd r\ufffd\ufffdD`S\ufffdQ\n\ufffd\ufffdqb9\ufffd\ufffdlZ\ufffd\ufffd7H\u0017\ufffd\u0003c\/\ufffd&\u001a\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "postgres probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd}\u0275\ufffd\ufffd\ufffd\ufffdwh\u0314\ufffd\ufffdJ-\ufffd\ufffd#\ufffd\ufffd\ufffd\u0325\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd r\ufffd\ufffdD`S\ufffdQ\n\ufffd\ufffdqb9\ufffd\ufffdlZ\ufffd\ufffd7H\ufffdc\/\ufffd&&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "imap", "service_banner": "honeypot-imap", "service_os": "linux", "dst_port": "143" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "imap_emulated", "net_pop3_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 02:37:10 UTC	TCP	143 · IMAP	imap	Sonde port 143/TCP port 143 tcp · via IMAP:143 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur IMAP WAF — Recommandation Surveiller Tags imap_emulated net_pop3_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 143 Chemin / cible — Preuve honeypot — Sonde port 143/TCP Connexion détectée sur le port 143 (TCP) du capteur simulé. Service IMAP Pourquoi cette classification : Type « port_143_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a", "emulator_response_len": 27, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "imap", "app_proto": "imap", "asn": 16509, "country": "US", "dst_port": 143, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5dbb86240b20f1f0274445eb39af610c11d0b46e", "event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "imap", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "a16ceff6d669b3e29397887a084460a7" }, "target_context": { "dst_port": 143, "service": "imap", "service_name": "imap", "risk_score": 38 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "da35f1a884bb164b5c2101de8bd642a51fba2296", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "imap", "service_label_fr": "IMAP", "dst_port": 143, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-imap", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "imap", "service_banner": "honeypot-imap", "service_os": "linux", "dst_port": "143" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "imap_emulated", "net_pop3_probe" ], "asn_dc_heuristic": true }
16/06/2026 02:36:15 UTC	TCP	143 · IMAP	imap	Sonde PostgreSQL postgres probe · via IMAP:143 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur IMAP WAF — Recommandation Surveiller Tags imap_emulated net_pop3_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 143 Chemin / cible — Service IMAP Payload �\|:$�V:w�&�c�'h�-�"�U �H.��:�? 9v�Q�:F}�f�Š�׹��_��t�8&̨̩�/�0�+�,�� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �\|:$�V:w�&�c�'h�-�"�U �H.��:�? 9v�Q�:F}�f�Š�׹��_��t�8&̨̩�/�0�+�,�� /5� � Requête brute (extrait) �\|:$�V:w�&�c�'h�-�"�U �H.��:�? 9v�Q�:F}�f�Š�׹��_��t�8&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ �,ئ�:#��?��$�%��S{�c� Meta JSON brut { "protocol_emulated": true, "emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a", "emulator_response_len": 27, "bytes_in": 261, "payload_entropy": 5.845886638530143, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "imap", "app_proto": "imap", "asn": 16509, "country": "US", "dst_port": 143, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2f45474cfafae088642f702bdc389103c10e443e", "event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "imap", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d4533134e1cb31d52e1b06a3ca1ab00d", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 143, "service": "imap", "service_name": "imap", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\|:$\ufffdV:w\ufffd\u0019&\ufffdc\ufffd'h\ufffd-\ufffd\u0010\u001f\"\ufffdU \ufffdH.\ufffd\ufffd:\ufffd? 9v\ufffd\u0019Q\ufffd:F}\ufffd\u0006f\ufffd\u0160\ufffd\u001e\u05f9\ufffd\ufffd_\u001e\ufffd\ufffd\ufffd\ufffdt\ufffd\u001e8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\|:$\ufffdV:w\ufffd\u0019&\ufffdc\ufffd'h\ufffd-\ufffd\u0010\u001f\"\ufffdU \ufffdH.\ufffd\ufffd:\ufffd? 9v\ufffd\u0019Q\ufffd:F}\ufffd\u0006f\ufffd\u0160\ufffd\u001e\u05f9\ufffd\ufffd_\u001e\ufffd\ufffd\ufffd\ufffdt\ufffd\u001e8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd,\u0626\ufffd:\u0002#\ufffd\ufffd?\ufffd\ufffd\ufffd$\ufffd%\ufffd\ufffd\ufffd\u0017S{\ufffd\u001ac\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\|:$\ufffdV:w\ufffd\u0019&\ufffdc\ufffd'h\ufffd-\ufffd\u0010\u001f\"\ufffdU \ufffdH.\ufffd\ufffd:\ufffd? 9v\ufffd\u0019Q\ufffd:F}\ufffd\u0006f\ufffd\u0160\ufffd\u001e\u05f9\ufffd\ufffd_\u001e\ufffd\ufffd\ufffd\ufffdt\ufffd\u001e8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4aef4cdb5101a8bf36ace000c2de10d87bb06d34", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\|:$\ufffdV:w\ufffd\u0019&\ufffdc\ufffd'h\ufffd-\ufffd\u0010\u001f\"\ufffdU \ufffdH.\ufffd\ufffd:\ufffd? 9v\ufffd\u0019Q\ufffd:F}\ufffd\u0006f\ufffd\u0160\ufffd\u001e\u05f9\ufffd\ufffd_\u001e\ufffd\ufffd\ufffd\ufffdt\ufffd\u001e8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "evidence_snippet": "\ufffd\|:$\ufffdV:w\ufffd&\ufffdc\ufffd'h\ufffd-\ufffd\"\ufffdU \ufffdH.\ufffd\ufffd:\ufffd? 9v\ufffdQ\ufffd:F}\ufffdf\ufffd\u0160\ufffd\u05f9\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdt\ufffd8&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "imap", "service_label_fr": "IMAP", "dst_port": 143, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-imap", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\|:$\ufffdV:w\ufffd\u0019&\ufffdc\ufffd'h\ufffd-\ufffd\u0010\u001f\"\ufffdU \ufffdH.\ufffd\ufffd:\ufffd? 9v\ufffd\u0019Q\ufffd:F}\ufffd\u0006f\ufffd\u0160\ufffd\u001e\u05f9\ufffd\ufffd_\u001e\ufffd\ufffd\ufffd\ufffdt\ufffd\u001e8\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "postgres probe \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\|:$\ufffdV:w\ufffd&\ufffdc\ufffd'h\ufffd-\ufffd\"\ufffdU \ufffdH.\ufffd\ufffd:\ufffd? 9v\ufffdQ\ufffd:F}\ufffdf\ufffd\u0160\ufffd\u05f9\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffdt\ufffd8&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "imap", "service_banner": "honeypot-imap", "service_os": "linux", "dst_port": "143" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "imap_emulated", "net_pop3_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 02:35:47 UTC	TCP	143 · IMAP	imap	Sonde port 143/TCP port 143 tcp · via IMAP:143 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur IMAP WAF — Recommandation Surveiller Tags imap_emulated net_pop3_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 143 Chemin / cible — Preuve honeypot — Sonde port 143/TCP Connexion détectée sur le port 143 (TCP) du capteur simulé. Service IMAP Pourquoi cette classification : Type « port_143_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a", "emulator_response_len": 27, "bytes_in": 1, "payload_entropy": 0, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "imap", "app_proto": "imap", "asn": 16509, "country": "US", "dst_port": 143, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0 }, "risk_score": 38, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5dbb86240b20f1f0274445eb39af610c11d0b46e", "event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "imap", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01ba4719c80b6fe911b091a7c05124b6", "path_pattern_hash": "a16ceff6d669b3e29397887a084460a7" }, "target_context": { "dst_port": 143, "service": "imap", "service_name": "imap", "risk_score": 38 }, "payload_preview": "\n", "request_sample": "\n", "evidence": { "request_sample": "\n", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2d0e07384be0c5cccdea437d0366ba726d615d84", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 0, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "imap", "service_label_fr": "IMAP", "dst_port": 143, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-imap", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "imap", "service_banner": "honeypot-imap", "service_os": "linux", "dst_port": "143" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "imap_emulated", "net_pop3_probe" ], "asn_dc_heuristic": true }
16/06/2026 02:35:43 UTC	TCP	143 · IMAP	imap	Sonde port 143/TCP port 143 tcp · via IMAP:143 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur IMAP WAF — Recommandation Surveiller Tags http_get_probe imap_emulated mozi_pattern net_pop3_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 143 Chemin / cible — Preuve honeypot — Sonde port 143/TCP Connexion détectée sur le port 143 (TCP) du capteur simulé. Service IMAP Payload GET / HTTP/1.1 Host: 62.3.50.33:143 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/1 Pourquoi cette classification : Type « port_143_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 45 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:143 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/1 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:143 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "2a204f4b20494d41503420686f6e6579706f742072656164790d0a", "emulator_response_len": 27, "bytes_in": 190, "payload_entropy": 5.27421597328896, "port_category": "well_known", "org": "Amazon.com, Inc.", "service": "imap", "app_proto": "imap", "asn": 16509, "country": "US", "dst_port": 143, "risk_waf": 8, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 45, "tag_count": 4, "anomaly_count": 0, "campaign_key": "641008c6368a29e5084ba1165fed644ef0e9d02f", "event_fingerprint": "2aee505ca8261046f5734d427b2e1084c257e862", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 45 }, "named_classification_skipped": true, "named_candidate": "pop3_probe", "service_name": "imap", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "22ab6a444c1fc6cd0b4c9877a8d0fe81", "path_pattern_hash": "a16ceff6d669b3e29397887a084460a7" }, "target_context": { "dst_port": 143, "service": "imap", "service_name": "imap", "risk_score": 45 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1cd58d529e560fd586fdae0a5684fabcd31bbe77", "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_143_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 55, "confidence_breakdown": { "waf": 8, "classification": 42, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "imap", "service_label_fr": "IMAP", "dst_port": 143, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-imap", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "imap_auth_fr": "Sonde protocole IMAP (LOGIN\/CAPABILITY)", "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "port": 143, "service": "imap", "service_label_fr": "IMAP" }, "attack_vector": "port 143 tcp \u00b7 via IMAP:143 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:143\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/1", "target_port_label": "143 \u00b7 IMAP", "emulator_service": "imap", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "imap", "service_banner": "honeypot-imap", "service_os": "linux", "dst_port": "143" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "imap_emulated", "mozi_pattern", "net_pop3_probe" ], "asn_dc_heuristic": true }
16/06/2026 02:26:11 UTC	TCP	8899 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8899 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8899 Chemin / cible — Service TLS Payload ��H(��2X��D��U��ky�� &�K�ցmySBP�3j�\|?��>I�q&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��H(��2X��D��U��ky�� &�K�ցmySBP�3j�\|?��>I�q&̨̩�/�0�+�,�� /5� { Requête brute (extrait) ��H(��2X��D��U��ky�� &�K�ցmySBP�3j�\|?��>I�q&̨̩�/�0�+�,�� /5� { �+ 3&$ S� `09�u,�f�/8��P�Ο�K�+�Lu{ Meta JSON brut { "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 243, "payload_entropy": 5.758430065529652, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "tls", "app_proto": "tls", "asn": 16509, "country": "US", "dst_port": 8899, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ff1feb1dbf71c373aa6d6bc6be0875c01428e04d", "event_fingerprint": "708315377a699eb21a2c6ae0875072cc161755d8", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "payload_hash": "3cef3727c57f2cf46e68f3d520695848", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8899, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdH(\ufffd\ufffd2X\ufffd\ufffdD\ufffd\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffd\u001f\ufffd\ufffdk\u0004y\ufffd\ufffd \u0013&\u0005\ufffdK\ufffd\u0019\u0015\u0581mySBP\ufffd3j\ufffd\|?\ufffd\ufffd>\u0000I\u0000\ufffdq\u0013\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdH(\ufffd\ufffd2X\ufffd\ufffdD\ufffd\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffd\u001f\ufffd\ufffdk\u0004y\ufffd\ufffd \u0013&\u0005\ufffdK\ufffd\u0019\u0015\u0581mySBP\ufffd3j\ufffd\|?\ufffd\ufffd>\u0000I\u0000\ufffdq\u0013\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0006S\ufffd\t`09\ufffdu,\ufffdf\ufffd\/8\ufffd\ufffdP\ufffd\u039f\ufffd\u001eK\ufffd\u001b+\ufffdL\u001du{", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdH(\ufffd\ufffd2X\ufffd\ufffdD\ufffd\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffd\u001f\ufffd\ufffdk\u0004y\ufffd\ufffd \u0013&\u0005\ufffdK\ufffd\u0019\u0015\u0581mySBP\ufffd3j\ufffd\|?\ufffd\ufffd>\u0000I\u0000\ufffdq\u0013\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eb58eb04266f17ce1768918645f73545d56a6454", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdH(\ufffd\ufffd2X\ufffd\ufffdD\ufffd\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffd\u001f\ufffd\ufffdk\u0004y\ufffd\ufffd \u0013&\u0005\ufffdK\ufffd\u0019\u0015\u0581mySBP\ufffd3j\ufffd\|?\ufffd\ufffd>\u0000I\u0000\ufffdq\u0013\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8899, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdH(\ufffd\ufffd2X\ufffd\ufffdD\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffd\ufffdky\ufffd\ufffd &\ufffdK\ufffd\u0581mySBP\ufffd3j\ufffd\|?\ufffd\ufffd>I\ufffdq&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via TLS:8899 \u00b7 (sonde \/ probe)", "target_port_label": "8899 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8899, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd\ufffdH(\ufffd\ufffd2X\ufffd\ufffdD\ufffd\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffd\u001f\ufffd\ufffdk\u0004y\ufffd\ufffd \u0013&\u0005\ufffdK\ufffd\u0019\u0015\u0581mySBP\ufffd3j\ufffd\|?\ufffd\ufffd>\u0000I\u0000\ufffdq\u0013\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8899, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8899 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdH(\ufffd\ufffd2X\ufffd\ufffdD\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffd\ufffdky\ufffd\ufffd &\ufffdK\ufffd\u0581mySBP\ufffd3j\ufffd\|?\ufffd\ufffd>I\ufffdq&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "8899 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8899" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:8899", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
16/06/2026 02:25:30 UTC	TCP	8899 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8899 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 7c1e207beb00684b Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8899 Chemin / cible — Service TLS Payload �T�SE �P_�>[��+�Uz6�f��f�u� �N'� �j��~�-g�\�.�蟮n��j� #&̨̩�/�0�+�,�� /5� � Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �T�SE �P_�>[��+�Uz6�f��f�u� �N'� �j��~�-g�\�.�蟮n��j�#&̨̩�/�0�+�,�� /5� � Requête brute (extrait) �T�SE �P_�>[��+�Uz6�f��f�u� �N'� �j��~�-g�\�.�蟮n��j� #&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ -�VuQa<%��H"��w�G�v�� Meta JSON brut { "tls_ja3_hash": "7c1e207beb00684bbbe144f1b0abe1d5", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "tls_alpn": [ "h2", "http\/1.1" ], "bytes_in": 261, "payload_entropy": 5.9131955711558, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "tls", "app_proto": "tls", "asn": 16509, "country": "US", "dst_port": 8899, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ff1feb1dbf71c373aa6d6bc6be0875c01428e04d", "event_fingerprint": "972ca51f0857f482e948a0d2eb8d4c3590d59363", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "7c1e207beb00684bbbe144f1b0abe1d5", "payload_hash": "298b8fd587e398e8a8cff7d6c6fc969b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8899, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003T\ufffdSE \ufffdP_\ufffd>[\ufffd\ufffd\u0012+\ufffdUz6\ufffd\u001af\ufffd\ufffd\ufffd\ufffdf\ufffdu\ufffd \ufffdN'\ufffd \ufffdj\ufffd\ufffd~\ufffd-g\ufffd\\\ufffd.\ufffd\u87een\ufffd\b\ufffd\ufffdj\ufffd\f#\u0011\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003T\ufffdSE \ufffdP_\ufffd>[\ufffd\ufffd\u0012+\ufffdUz6\ufffd\u001af\ufffd\ufffd\ufffd\ufffdf\ufffdu\ufffd \ufffdN'\ufffd \ufffdj\ufffd\ufffd~\ufffd-g\ufffd\\\ufffd.\ufffd\u87een\ufffd\b\ufffd\ufffdj\ufffd\f#\u0011\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 -\ufffdV\u001cuQa<%\ufffd\b\ufffdH\"\ufffd\ufffdw\ufffdG\ufffdv\ufffd\u0011\u0011\ufffd\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003T\ufffdSE \ufffdP_\ufffd>[\ufffd\ufffd\u0012+\ufffdUz6\ufffd\u001af\ufffd\ufffd\ufffd\ufffdf\ufffdu\ufffd \ufffdN'\ufffd \ufffdj\ufffd\ufffd~\ufffd-g\ufffd\\\ufffd.\ufffd\u87een\ufffd\b\ufffd\ufffdj\ufffd\f#\u0011\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "503f89bed4830eb3a5309aba71274e9822cfc86d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003T\ufffdSE \ufffdP_\ufffd>[\ufffd\ufffd\u0012+\ufffdUz6\ufffd\u001af\ufffd\ufffd\ufffd\ufffdf\ufffdu\ufffd \ufffdN'\ufffd \ufffdj\ufffd\ufffd~\ufffd-g\ufffd\\\ufffd.\ufffd\u87een\ufffd\b\ufffd\ufffdj\ufffd\f#\u0011\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5", "port": 8899, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffdT\ufffdSE \ufffdP_\ufffd>[\ufffd\ufffd+\ufffdUz6\ufffdf\ufffd\ufffd\ufffd\ufffdf\ufffdu\ufffd \ufffdN'\ufffd \ufffdj\ufffd\ufffd~\ufffd-g\ufffd\\\ufffd.\ufffd\u87een\ufffd\ufffd\ufffdj\ufffd#&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:8899 \u00b7 (sonde \/ probe)", "target_port_label": "8899 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8899, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003T\ufffdSE \ufffdP_\ufffd>[\ufffd\ufffd\u0012+\ufffdUz6\ufffd\u001af\ufffd\ufffd\ufffd\ufffdf\ufffdu\ufffd \ufffdN'\ufffd \ufffdj\ufffd\ufffd~\ufffd-g\ufffd\\\ufffd.\ufffd\u87een\ufffd\b\ufffd\ufffdj\ufffd\f#\u0011\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "7c1e207beb00684bbbe144f1b0abe1d5", "port": 8899, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8899 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffdT\ufffdSE \ufffdP_\ufffd>[\ufffd\ufffd+\ufffdUz6\ufffdf\ufffd\ufffd\ufffd\ufffdf\ufffdu\ufffd \ufffdN'\ufffd \ufffdj\ufffd\ufffd~\ufffd-g\ufffd\\\ufffd.\ufffd\u87een\ufffd\ufffd\ufffdj\ufffd#*&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "8899 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8899" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:8899", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
16/06/2026 02:24:45 UTC	TCP	8899 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8899 · (tentative d'exploit)	Élevée	Moyen · 49
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8899 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 49 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8899 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8899 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "2fb63756fe5a0e4d86498992fb1b091f8f61fad8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.31370494532267, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 8899, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8ec8c9c54bc1e068ff6f8b5f4174578af15eff4f", "event_fingerprint": "7ff128363fbe74328e7551abeb09946be29f2bab", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 49, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "9d4f4775d5f51645d142e85b8095f56f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8899, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "55885e07cf54eb1830c7942beae32cc0851c5442", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8899, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:8899 \u00b7 (tentative d'exploit)", "target_port_label": "8899 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 49, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8899, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8899, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8899 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "8899 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8899" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:8899" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 96 }
16/06/2026 02:23:40 UTC	TCP	8899	—	Sonde port Sonde port · port 8899 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8899 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 1, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": null, "app_proto": null, "asn": 16509, "country": "US", "dst_port": 8899, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "3272b2371a169387f9a6f66d80c1a8af9506c45a", "event_fingerprint": "7684f4d25a5dd78ac37b3768911e61d8f0e1a509", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01ba4719c80b6fe911b091a7c05124b6", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 8899, "risk_score": 44 }, "payload_preview": "\n", "request_sample": "\n", "evidence": { "request_sample": "\n", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a0e6ad61c2ce02d71f3166253f1fb5ea07b13aab", "protocol_details": { "port": 8899 }, "attack_vector": "Sonde port \u00b7 port 8899 \u00b7 (sonde \/ probe)", "target_port_label": "8899", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 8899, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "port": 8899 }, "attack_vector": "Sonde port \u00b7 port 8899 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "8899", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "8899" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:8899" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
16/06/2026 02:23:33 UTC	TCP	8899 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:8899 · (tentative d'exploit)	Élevée	Moyen · 49
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8899 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 49 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8899 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8899 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "2fb63756fe5a0e4d86498992fb1b091f8f61fad8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.31370494532267, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 8899, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15 }, "risk_score": 49, "tag_count": 3, "anomaly_count": 0, "campaign_key": "8ec8c9c54bc1e068ff6f8b5f4174578af15eff4f", "event_fingerprint": "7ff128363fbe74328e7551abeb09946be29f2bab", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 49 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "9d4f4775d5f51645d142e85b8095f56f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8899, "service": "http", "service_name": "http", "risk_score": 49 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "55885e07cf54eb1830c7942beae32cc0851c5442", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8899, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:8899 \u00b7 (tentative d'exploit)", "target_port_label": "8899 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 49\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 25, "novelty": 15, "risk_score": 49 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 49, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8899, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 8899, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:8899 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8899\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "8899 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8899" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "asn_dc_heuristic": true }
16/06/2026 02:05:47 UTC	TCP	9999 · ADMIN ALT	admin-alt	Sonde PostgreSQL postgres probe · via ADMIN ALT:9999 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 35fa0a83e466acbe Émulateur ADMIN-ALT WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9999 Chemin / cible — Service ADMIN ALT Payload ��hMp�©ڡs��&��ik<��_+�Q{�� m�%�}�~d��K��R!��Tl6�J]�&̨̩�/�0�+�,�� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��hMp�©ڡs��&��ik<��_+�Q{�� m�%�}�~d��K��R!��Tl6�J]�&̨̩�/�0�+�,�� /5� { Requête brute (extrait) ��hMp�©ڡs��&��ik<��_+�Q{�� m�%�}�~d��K��R!��Tl6�J]�&̨̩�/�0�+�,�� /5� { �+ 3&$ +��[��yA�J�^�/x��#��w�; Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 243, "payload_entropy": 5.886609361815864, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "admin-alt", "app_proto": "admin-alt", "asn": 16509, "country": "US", "dst_port": 9999, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "71e0a038aaec3062d9b3f018bb65ab92d2779b4c", "event_fingerprint": "bdae3a5e708dccdbe307a2861747dd09885f206a", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "admin-alt", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0180b670065542f40a398a8bdf9f5f9e", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "35fa0a83e466acbec1cfbb9016d550ab", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja3": "771,52392-52393-49199-49200-49195-49196-49171-49161-49172-49162-156-157-47-53-49170-10-4867-4865-4866,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9999, "service": "admin-alt", "service_name": "admin-alt", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003hMp\ufffd\u00a9\u06a1s\ufffd\ufffd\u0016&\ufffd\ufffd\ufffdik<\ufffd\ufffd\ufffd\ufffd_+\ufffdQ{\ufffd\ufffd m\ufffd%\ufffd}\ufffd~d\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffd\u0011\ufffdR!\ufffd\ufffd\ufffd\ufffdTl6\ufffdJ]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003hMp\ufffd\u00a9\u06a1s\ufffd\ufffd\u0016&\ufffd\ufffd\ufffdik<\ufffd\ufffd\ufffd\ufffd_+\ufffdQ{\ufffd\ufffd m\ufffd%\ufffd}\ufffd~d\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffd\u0011\ufffdR!\ufffd\ufffd\ufffd\ufffdTl6\ufffdJ]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 +\ufffd\ufffd\ufffd[\ufffd\u0001\ufffdy\u0004A\ufffd\u001eJ\ufffd^\ufffd\/x\ufffd\u0019\ufffd\u000f#\ufffd\ufffdw\ufffd\u0004\u0013;\u0019", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003hMp\ufffd\u00a9\u06a1s\ufffd\ufffd\u0016&\ufffd\ufffd\ufffdik<\ufffd\ufffd\ufffd\ufffd_+\ufffdQ{\ufffd\ufffd m\ufffd%\ufffd}\ufffd~d\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffd\u0011\ufffdR!\ufffd\ufffd\ufffd\ufffdTl6\ufffdJ]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "68e9ea39f90d3f5ce404cc3cc213477b7ba67b4a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003hMp\ufffd\u00a9\u06a1s\ufffd\ufffd\u0016&\ufffd\ufffd\ufffdik<\ufffd\ufffd\ufffd\ufffd_+\ufffdQ{\ufffd\ufffd m\ufffd%\ufffd}\ufffd~d\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffd\u0011\ufffdR!\ufffd\ufffd\ufffd\ufffdTl6\ufffdJ]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9999, "service": "admin-alt", "service_label_fr": "ADMIN ALT" }, "evidence_snippet": "\ufffd\ufffdhMp\ufffd\u00a9\u06a1s\ufffd\ufffd&\ufffd\ufffd\ufffdik<\ufffd\ufffd\ufffd\ufffd_+\ufffdQ{\ufffd\ufffd m\ufffd%\ufffd}\ufffd~d\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffd\ufffdR!\ufffd\ufffd\ufffd\ufffdTl6\ufffdJ]\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)", "target_port_label": "9999 \u00b7 ADMIN ALT", "emulator_service": "admin-alt", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "admin-alt", "service_label_fr": "ADMIN ALT", "dst_port": 9999, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-admin-alt", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003hMp\ufffd\u00a9\u06a1s\ufffd\ufffd\u0016&\ufffd\ufffd\ufffdik<\ufffd\ufffd\ufffd\ufffd_+\ufffdQ{\ufffd\ufffd m\ufffd%\ufffd}\ufffd~d\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffd\u0011\ufffdR!\ufffd\ufffd\ufffd\ufffdTl6\ufffdJ]\ufffd\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "35fa0a83e466acbec1cfbb9016d550ab", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9999, "service": "admin-alt", "service_label_fr": "ADMIN ALT" }, "attack_vector": "postgres probe \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdhMp\ufffd\u00a9\u06a1s\ufffd\ufffd&\ufffd\ufffd\ufffdik<\ufffd\ufffd\ufffd\ufffd_+\ufffdQ{\ufffd\ufffd m\ufffd%\ufffd}\ufffd~d\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffd\ufffd\ufffdR!\ufffd\ufffd\ufffd\ufffdTl6\ufffdJ]\ufffd&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "9999 \u00b7 ADMIN ALT", "emulator_service": "admin-alt", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "admin_alt", "service_banner": "honeypot-admin-alt", "service_os": "linux", "dst_port": "9999" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "admin-alt", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
16/06/2026 02:04:50 UTC	TCP	9999 · ADMIN ALT	admin-alt	Sonde PostgreSQL postgres probe · via ADMIN ALT:9999 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole Émulateur ADMIN-ALT WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9999 Chemin / cible — Service ADMIN ALT Payload �וi@Gޒ��EI!��9$��#v��-5\ g�.C5 �]S4��y��A��E��B��}&̨̩�/�0�+�,�� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �וi@Gޒ��EI!��9$��#v��-5\ g�.C5 �]S4��y��A��E��B��}&̨̩�/�0�+�,�� /5� � Requête brute (extrait) �וi@Gޒ��EI!��9$��#v��-5\ g�.C5 �]S4��y��A��E��B��}&̨̩�/�0�+�,�� /5� � � h2http/1.1+ 3&$ 9�l� .��S&��ѥ= af�򎂋�D� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 261, "payload_entropy": 5.926322341440836, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "admin-alt", "app_proto": "admin-alt", "asn": 16509, "country": "US", "dst_port": 9999, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "71e0a038aaec3062d9b3f018bb65ab92d2779b4c", "event_fingerprint": "bdae3a5e708dccdbe307a2861747dd09885f206a", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "admin-alt", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "be64ce3e28dade01e4d2803bfbb3a4d5", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 9999, "service": "admin-alt", "service_name": "admin-alt", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u05d5i@G\u0016\u0792\ufffd\ufffd\ufffdEI\u001f!\ufffd\ufffd\u0015\ufffd9$\ufffd\u0014\u0019\ufffd#v\ufffd\ufffd-5\\ g\u0002\ufffd.C5\t\ufffd]\u0014S4\ufffd\ufffdy\ufffd\ufffd\ufffdA\ufffd\ufffdE\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\ufffd}\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u05d5i@G\u0016\u0792\ufffd\ufffd\ufffdEI\u001f!\ufffd\ufffd\u0015\ufffd9$\ufffd\u0014\u0019\ufffd#v\ufffd\ufffd-5\\ g\u0002\ufffd.C5\t\ufffd]\u0014S4\ufffd\ufffdy\ufffd\ufffd\ufffdA\ufffd\ufffdE\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\ufffd}\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0010\u0000\u000e\u0000\f\u0002h2\bhttp\/1.1\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 9\ufffdl\ufffd\r.\ufffd\ufffdS\u001e&\ufffd\ufffd\u0465=\taf\ufffd\ud9f8\udc8b\ufffdD\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u05d5i@G\u0016\u0792\ufffd\ufffd\ufffdEI\u001f!\ufffd\ufffd\u0015\ufffd9$\ufffd\u0014\u0019\ufffd#v\ufffd\ufffd-5\\ g\u0002\ufffd.C5\t\ufffd]\u0014S4\ufffd\ufffdy\ufffd\ufffd\ufffdA\ufffd\ufffdE\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\ufffd}\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6aa011475b2140ffe9ddeb5c6daca11e83b3d7c2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u05d5i@G\u0016\u0792\ufffd\ufffd\ufffdEI\u001f!\ufffd\ufffd\u0015\ufffd9$\ufffd\u0014\u0019\ufffd#v\ufffd\ufffd-5\\ g\u0002\ufffd.C5\t\ufffd]\u0014S4\ufffd\ufffdy\ufffd\ufffd\ufffdA\ufffd\ufffdE\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\ufffd}\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 9999, "service": "admin-alt", "service_label_fr": "ADMIN ALT" }, "evidence_snippet": "\ufffd\u05d5i@G\u0792\ufffd\ufffd\ufffdEI!\ufffd\ufffd\ufffd9$\ufffd\ufffd#v\ufffd\ufffd-5\\ g\ufffd.C5\t\ufffd]S4\ufffd\ufffdy\ufffd\ufffd\ufffdA\ufffd\ufffdE\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\ufffd}&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)", "target_port_label": "9999 \u00b7 ADMIN ALT", "emulator_service": "admin-alt", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "admin-alt", "service_label_fr": "ADMIN ALT", "dst_port": 9999, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-admin-alt", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0001\u0000\u0001\u0000\u0000\ufffd\u0003\u0003\u05d5i@G\u0016\u0792\ufffd\ufffd\ufffdEI\u001f!\ufffd\ufffd\u0015\ufffd9$\ufffd\u0014\u0019\ufffd#v\ufffd\ufffd-5\\ g\u0002\ufffd.C5\t\ufffd]\u0014S4\ufffd\ufffdy\ufffd\ufffd\ufffdA\ufffd\ufffdE\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\ufffd}\u0000&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0003\u0013\u0001\u0013\u0002\u0001\u0000\u0000\ufffd\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "port": 9999, "service": "admin-alt", "service_label_fr": "ADMIN ALT" }, "attack_vector": "postgres probe \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\u05d5i@G\u0792\ufffd\ufffd\ufffdEI!\ufffd\ufffd\ufffd9$\ufffd\ufffd#v\ufffd\ufffd-5\\ g\ufffd.C5\t\ufffd]S4\ufffd\ufffdy\ufffd\ufffd\ufffdA\ufffd\ufffdE\ufffd\ufffdB\ufffd\ufffd\ufffd\ufffd\ufffd}&\u0328\u0329\ufffd\/\ufffd0\ufffd+\ufffd,\ufffd\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "9999 \u00b7 ADMIN ALT", "emulator_service": "admin-alt", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "admin_alt", "service_banner": "honeypot-admin-alt", "service_os": "linux", "dst_port": "9999" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "admin-alt", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
16/06/2026 02:03:01 UTC	TCP	9999 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:9999 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9999 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 52 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9999 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9999 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "83a22baaf629d53e39c79d30e6b18dca9da1a92c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.292762536945706, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 9999, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "aa0d080d5f055349ccfe5818e9c44f4a4640be4f", "event_fingerprint": "40878c406b78c3c05ae157428aaa7e6fc39c6cac", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "b1b634ca3d765a22eb55a8e2496ad6be", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9999, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "73d8b2bde6a586a6ad54f8b8d6447b024902494e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 9999, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:9999 \u00b7 (tentative d'exploit)", "target_port_label": "9999 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9999, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 9999, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:9999 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "9999 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9999" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "admin-alt", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "asn_dc_heuristic": true }
16/06/2026 02:01:40 UTC	TCP	9999 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:9999 · (tentative d'exploit)	Élevée	Moyen · 52
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0001 TA0001 TA0002 Protocole GET / UA visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_web_probe Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9999 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 70% Corrélation +8 Risque capteur Moyen · 52 Confiance : Confiance 62 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9999 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/ Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9999 User-Agent: visionheight.com/scan Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/126.0.0.0 Safari/537.36 Accept: / Accept-Encoding: gzip Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "6bd3154a88ac556741885ed569cfb89736385db4", "http_host_hash": "83a22baaf629d53e39c79d30e6b18dca9da1a92c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 191, "payload_entropy": 5.292762536945706, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "http", "app_proto": "http", "asn": 16509, "country": "US", "dst_port": 9999, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "aa0d080d5f055349ccfe5818e9c44f4a4640be4f", "event_fingerprint": "40878c406b78c3c05ae157428aaa7e6fc39c6cac", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.7, "classification_confidence": 0.7, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "cb226636f11f4f631f065fb419a8bab8", "payload_hash": "b1b634ca3d765a22eb55a8e2496ad6be", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9999, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "evidence": { "method": "GET", "path": "\/", "user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36\r\nAccept: \/\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "73d8b2bde6a586a6ad54f8b8d6447b024902494e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 9999, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "attack_vector": "exploit attempt \u00b7 via HTTP:9999 \u00b7 (tentative d'exploit)", "target_port_label": "9999 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 70 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 70, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 8 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9999, "protocol_emulated": true, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/126.0.0.0 Safari\/537.36", "port": 9999, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:9999 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: visionheight.com\/scan Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome\/", "target_port_label": "9999 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 70 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +8 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9999" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "admin-alt", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_web_probe" ], "asn_dc_heuristic": true }
16/06/2026 02:01:28 UTC	TCP	9999 · ADMIN ALT	admin-alt	admin-alt admin-alt · via ADMIN ALT:9999 · (sonde / probe)	Faible	Faible · 1
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur ADMIN-ALT WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9999 Chemin / cible — Service ADMIN ALT Pourquoi cette classification : Type « admin-alt » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 1 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 1, "payload_entropy": 0, "port_category": "registered", "org": "Amazon.com, Inc.", "service": "admin-alt", "app_proto": "admin-alt", "asn": 16509, "country": "US", "dst_port": 9999, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 1, "tag_count": 0, "anomaly_count": 0, "campaign_key": "206c95a9eb725a1fc21f04db3e4cf4233b894a69", "event_fingerprint": "bdae3a5e708dccdbe307a2861747dd09885f206a", "classification_reason": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "named_classification_skipped": false, "service_name": "admin-alt", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 16509, "org": "Amazon.com, Inc.", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "01ba4719c80b6fe911b091a7c05124b6", "path_pattern_hash": "d3aaa0a3d94e4e5a70802f7b7e17f9f7" }, "target_context": { "dst_port": 9999, "service": "admin-alt", "service_name": "admin-alt", "risk_score": 1 }, "payload_preview": "\n", "request_sample": "\n", "evidence": { "request_sample": "\n", "classification_reason": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3842c85cf421633757d8ec5e20f6a3d9762715fe", "protocol_details": { "port": 9999, "service": "admin-alt", "service_label_fr": "ADMIN ALT" }, "attack_vector": "admin-alt \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)", "target_port_label": "9999 \u00b7 ADMIN ALT", "emulator_service": "admin-alt", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 1, "risk_label": "Faible", "service_name": "admin-alt", "service_label_fr": "ADMIN ALT", "dst_port": 9999, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-admin-alt", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 9999, "service": "admin-alt", "service_label_fr": "ADMIN ALT" }, "attack_vector": "admin-alt \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "9999 \u00b7 ADMIN ALT", "emulator_service": "admin-alt", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "admin_alt", "service_banner": "honeypot-admin-alt", "service_os": "linux", "dst_port": "9999" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }

13.59.6.180

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence