Renseignement sur les menaces

États-Unis

136.112.73.222

FAI Google LLC Première vue 13/06/2026 19:19 UTC Dernière vue 13/06/2026 19:22 UTC Risque Élevé

Période analysée : 2026-06-09 → 2026-06-16

Activité suspecte — risque 53/100 (Moyen) — MITRE T1046 — confiance 100 % — via POSTGRES — multi-protocole (78 protocoles · 5 min)

Campagne multi-ports détectée sur une fenêtre courte

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 66/100 Élevé

Première observation 13/06/2026 19:19 UTC

Dernière observation 13/06/2026 19:22 UTC

Événements (période) 563

MITRE ATT&CK principal T1046 559 occurrences

Activité suspecte — risque 53/100 (Moyen) — MITRE T1046 — confiance 100 % — via POSTGRES — multi-protocole (78 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Rafale d'authentification SSH · confiance 100%

Confiance 100 % — Score WAF 8 · Bonus corrélation +23

Comparaison ASN / FAI

ASN 396982 · 136.112.0.0/16 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 563 événements sur la période pour cette IP.

147.185.133.204 Scanner web 16/06/2026 00:57 UTC
35.203.210.223 Scanner web 16/06/2026 00:57 UTC
147.185.132.127 Scanner web 16/06/2026 00:57 UTC
162.216.149.248 Scanner web 16/06/2026 00:53 UTC
35.203.210.44 Scanner web 16/06/2026 00:52 UTC
198.235.24.196 Sonde port 16/06/2026 00:50 UTC
147.185.132.174 Sonde port 16/06/2026 00:50 UTC
205.210.31.135 Scanner web 16/06/2026 00:49 UTC

Événements (filtres)

563

Première observation

13/06/2026 19:19 UTC

Dernière observation

13/06/2026 19:22 UTC

Dernière activité (filtres)

13/06/2026 19:22 UTC

Événements 7j

563

Ports distincts (7j)

161

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 160 HTTP TCP 125 HTTPS TCP 9 REDIS TCP 7 CASSANDRA TCP 6 MONGODB TCP 6 REMOTEANYTHING TCP 6 CASSANDRA JMX TCP 6 TOR OR TCP 6 RTSP TCP 6 DOCKER TLS TCP 6 MEMCACHED ALT TCP 6 POSTGRES TCP 6 CLICKHOUSE NATIVE TCP 6 UPNP TCP TCP 6 GAME UNREAL TCP 6 MONGODB SHARD TCP 6 RTSP ALT TCP 6 X11 TCP 6 JETDIRECT TCP 6

TLS

160

HTTP

125

HTTPS

REDIS

CASSANDRA

MONGODB

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 10001 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

Reconnaissance

Vecteur d'attaque

port scan syn · via POSTGRES:5432 · (reconnaissance)

Détails protocole

PostgreSQL: Handshake PostgreSQL (startup)

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:5432 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, li

Port / service

5432 · POSTGRES

Service émulé

POSTGRES

Raison confiance

Confiance 100 % — 5 signal(aux) capteur

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S

Confiance

100% Corrélation +23

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

563 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

563 événement(s) — page 3/12

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
13/06/2026 19:20:00 UTC	TCP	9090 · HTTP	http	Scan de ports port scan syn · via HTTP:9090 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9090 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9090 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9090 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b", "emulator_response_len": 146, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "4018596b050f49104cd08fbeaaf8e04293663a4c", "http_host_hash": "6252543ba3eb2998668ea356c7da6ab747cb08d7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 234, "payload_entropy": 5.4172455797739545, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9090, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ea1de701971c4464e3c6d14361455a6d11e99e98", "event_fingerprint": "21d478b01b65a92acaf01fb8e864bf215ffb4b49", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2ae2a0311330911597934e2486a5ed1f", "payload_hash": "babb5811b18c8f7432532c0f540d877e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9090, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9be0f1e9221f8a27e25b92ed1124fc033f7645df", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "port": 9090, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "attack_vector": "port scan syn \u00b7 via HTTP:9090 \u00b7 (reconnaissance)", "target_port_label": "9090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9090, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.109 Safari\/537.36", "port": 9090, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9090 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9090\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "target_port_label": "9090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.33, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9201 · HTTP	http	Scan de ports port scan syn · via HTTP:9201 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Requête Elasticsearch : / UA Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/2003051… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9201 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9201 User-Agent: Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Fire Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9201 User-Agent: Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "ca9b5cbe2fa1dd4d9da41a80a7aae0baf25a5590", "http_host_hash": "664e3a87c18b188d04fa05f633a3d5a70083f680", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.3608827995392865, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9201, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "7102902c3b0018978f14b56ef532e521fb376242", "event_fingerprint": "aacd6da98e37f753a0aa56a8253ec265d56c9bc1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3f397ad907ad1a110e5b37327be373a1", "payload_hash": "a1ba58c8763b3aee201142e1fb671dfa", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9201, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9201\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Fire", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9201\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9201\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Fire", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9201\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9201\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Fire", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f4a6bbc328e61a207b2d543b492004b85daa4513", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/", "port": 9201, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9201\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Fire", "attack_vector": "port scan syn \u00b7 via HTTP:9201 \u00b7 (reconnaissance)", "target_port_label": "9201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9201, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Firebird\/0.6", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/", "port": 9201, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9201 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9201\r\nUser-Agent: Mozilla\/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko\/20030517 Mozilla Fire", "target_port_label": "9201 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9201" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9202 · HTTP	http	Scan de ports port scan syn · via HTTP:9202 · (reconnaissance)	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9202 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9202 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Ch Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9202 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "746c97dbb13d6984570db47d357e3dba2d4e421c", "http_host_hash": "6e8c2e8656fc13dd6ead1c36834052efec40ef08", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 228, "payload_entropy": 5.424333887457482, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9202, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "64c0213b164ea0820e373f0e4b2cee13c6e42e28", "event_fingerprint": "4c703e46793063141f50031278b6446ecbf76e3c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f2568922252b755c279e512ec2341397", "payload_hash": "a8e197b37060ba81382f7ca7c5b75edb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9202, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9202\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9202\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9202\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9202\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9202\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "21f26a1a4409603dac78cec3d01a4a82e5cbb084", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 9202, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9202\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "attack_vector": "port scan syn \u00b7 via HTTP:9202 \u00b7 (reconnaissance)", "target_port_label": "9202 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9202, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3202.94 Safari\/537.36", "port": 9202, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9202 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9202\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "target_port_label": "9202 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9202" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.23, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9200 · ELASTICSEARCH	elasticsearch	Scan de ports port scan syn · via ELASTICSEARCH:9200 · (reconnaissance)	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / Requête Elasticsearch : / UA Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KH… Émulateur ELASTICSEARCH WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible / Service ELASTICSEARCH Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko) Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9200 User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (lik Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9200 User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a582d656c61737469632d70726f647563743a20456c61737469637365617263680d0a436f6e74656e742d4c656e6774683a2034380d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a7b22636c", "emulator_response_len": 172, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "34e84c9ab3d0d0abeb0255d6d74575b64fd006f2", "http_host_hash": "d19a1b8472adabca1ee6e310101ca46b45ece34e", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 205, "payload_entropy": 5.409859661734324, "port_category": "registered", "org": "Google LLC", "service": "elasticsearch", "app_proto": "elasticsearch", "asn": 396982, "country": "US", "dst_port": 9200, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b0315347999428eb5f03e0f3f8521aac046b2449", "event_fingerprint": "9fad56c821c1c5ddd2cc50fc2ca67d9c1727e39e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "elasticsearch", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "130790c3175bbf07b1ef215234433b21", "payload_hash": "85a55b578bb2467b5bf13a65f3b7b931", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9200, "service": "elasticsearch", "service_name": "elasticsearch", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (lik", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (like Gecko)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (lik", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (like Gecko)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (lik", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d2f54da5d80bd91e9cc78ccb97fd7f963c6774a5", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (like Gecko)", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (lik", "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH:9200 \u00b7 (reconnaissance)", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via ELASTICSEARCH \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "elasticsearch", "service_label_fr": "ELASTICSEARCH", "dst_port": 9200, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Elasticsearch 8.11", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (like Gecko)", "elasticsearch_probe_fr": "Requ\u00eate Elasticsearch : \/", "port": 9200, "service": "elasticsearch", "service_label_fr": "ELASTICSEARCH" }, "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH:9200 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9200\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/3.5; NetBSD 4.0_RC3; X11) KHTML\/3.5.7 (lik", "target_port_label": "9200 \u00b7 ELASTICSEARCH", "emulator_service": "elasticsearch", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch", "service_banner": "Elasticsearch 8.11", "service_os": "linux", "dst_port": "9200" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9100 · JETDIRECT	jetdirect	Scan de ports port scan syn · via JETDIRECT:9100 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur JETDIRECT WAF — Recommandation Investiguer Tags http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9100 Chemin / cible — Service JETDIRECT Payload GET / HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a", "emulator_response_len": 40, "bytes_in": 196, "payload_entropy": 5.242644086780173, "port_category": "registered", "org": "Google LLC", "service": "jetdirect", "app_proto": "jetdirect", "asn": 396982, "country": "US", "dst_port": 9100, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 54, "tag_count": 3, "anomaly_count": 0, "campaign_key": "bad156d407802f951e09e8625259d6d356ba9c98", "event_fingerprint": "a7885f8ee12ae1a414d575fc45cf0af2df68f04d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "jetdirect", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0bb2ced55217aeb9363415309219b128", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9100, "service": "jetdirect", "service_name": "jetdirect", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\r", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "304853c866456f2f6acc28d6c9daa77225a4d69a", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1", "attack_vector": "port scan syn \u00b7 via JETDIRECT:9100 \u00b7 (reconnaissance)", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via JETDIRECT \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "jetdirect", "service_label_fr": "JETDIRECT", "dst_port": 9100, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-jetdirect", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1", "port": 9100, "service": "jetdirect", "service_label_fr": "JETDIRECT" }, "attack_vector": "port scan syn \u00b7 via JETDIRECT:9100 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9100\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko\/20100101 Firefox\/10.0.1", "target_port_label": "9100 \u00b7 JETDIRECT", "emulator_service": "jetdirect", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "jetdirect", "service_banner": "honeypot-jetdirect", "service_os": "linux", "dst_port": "9100" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.27, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9400 · HTTP	http	Scan de ports port scan syn · via HTTP:9400 · (reconnaissance)	Élevée	Moyen · 44
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA SonyEricssonK550i/R1JD Browser/NetFront/3.3 Profile/MIDP-2.0 Co… Émulateur HTTP WAF 9 Recommandation Surveiller Tags 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9400 Chemin / cible / Service HTTP Pourquoi cette classification : Tags WAF: nosqli-3, sap-sapcontrol-path · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 44 Confiance : Confiance 100 % — 2 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent SonyEricssonK550i/R1JD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Règles WAF nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9400 User-Agent: SonyEricssonK550i/R1JD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CL Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9400 User-Agent: SonyEricssonK550i/R1JD Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "08e944d74c1cc6c8ab54283ec864bffad7bcd9b7", "http_host_hash": "93cbddeebb40368661e52794ed235fef470a2303", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 203, "payload_entropy": 5.27870648439695, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9400, "risk_waf": 44, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.2, "risk_breakdown": { "waf": 44, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "bf4146587f677622860b4d85ccc9d90d539ddbfb", "event_fingerprint": "5cf5ad458f0532782df733e62316ff7296b26c81", "classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 44, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 44, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "372f920dba09ff13f363ab8d9be2705d", "payload_hash": "3536a3fbdea91d2129097663d4da8ff5", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9400, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9400\r\nUser-Agent: SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CL", "method": "GET", "path": "\/", "user_agent": "SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9400\r\nUser-Agent: SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9400\r\nUser-Agent: SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CL", "evidence": { "method": "GET", "path": "\/", "user_agent": "SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "waf_tags": [ "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9400\r\nUser-Agent: SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9400\r\nUser-Agent: SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CL", "classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7495c142284845bb466d96786520e3b8082a5fbf", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 9400, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9400\r\nUser-Agent: SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CL", "attack_vector": "port scan syn \u00b7 via HTTP:9400 \u00b7 (reconnaissance)", "target_port_label": "9400 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%", "classification_reason_label_fr": "Tags WAF: nosqli-3, sap-sapcontrol-path \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 44, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 44, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 44, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9400, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1", "port": 9400, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9400 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9400\r\nUser-Agent: SonyEricssonK550i\/R1JD Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CL", "target_port_label": "9400 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 44 \u00b7 Bonus corr\u00e9lation +23 \u00b7 2 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9400" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.24, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9411 · HTTP	http	Scan de ports port scan syn · via HTTP:9411 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (SymbianOS/9.4; U; Series60/5.0 SonyEricssonP100/01… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9411 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (SymbianOS/9.4; U; Series60/5.0 SonyEricssonP100/01; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 Safari/525 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9411 User-Agent: Mozilla/5.0 (SymbianOS/9.4; U; Series60/5.0 SonyEricssonP100/01; Profile/MIDP Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9411 User-Agent: Mozilla/5.0 (SymbianOS/9.4; U; Series60/5.0 SonyEricssonP100/01; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 Safari/525 Accept-Charset: utf-8 Accept-Encoding: Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "f03f5ba0500dbd77ff637daf635b9a4067f72d42", "http_host_hash": "5c9e6c78af61d8db5d31615b1d31dfa805437ce8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 284, "payload_entropy": 5.426348367574549, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9411, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "47de64ef4b39feef0bcd84b8c18b1ce5df3ea5cc", "event_fingerprint": "fd486d26e825f3064b665ad8f752133d90dcb0d3", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "70a5596375fe73299194ae1708d1f629", "payload_hash": "3d3f7fdd62bebeb488a31e6565a80b67", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9411, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9411\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP-2.1 Configuration\/CLDC-1.1) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 Safari\/525", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9411\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP-2.1 Configuration\/CLDC-1.1) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 Safari\/525\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9411\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP-2.1 Configuration\/CLDC-1.1) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 Safari\/525", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9411\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP-2.1 Configuration\/CLDC-1.1) AppleWebKit\/525 (KHTML, like Gecko) Version\/3.0 Safari\/525\r\nAccept-Charset: utf-8\r\nAccept-Encoding:", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9411\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fac1297209aa5ab1aff10db19ae59a0ac669e824", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP-2.1 Configuration\/CLDC-1.1) AppleWebKit\/5\u2026", "port": 9411, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9411\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP", "attack_vector": "port scan syn \u00b7 via HTTP:9411 \u00b7 (reconnaissance)", "target_port_label": "9411 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9411, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP-2.1 Configuration\/CLDC-1.1) AppleWebKit\/5\u2026", "port": 9411, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9411 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9411\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.4; U; Series60\/5.0 SonyEricssonP100\/01; Profile\/MIDP", "target_port_label": "9411 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9411" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:9443 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HTTPS WAF — Recommandation Investiguer Tags http_alt_port http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9443 Chemin / cible — Service HTTPS Payload GET / HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) Accept-Charset: Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) HTTPS alt 9443 probe User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) Accept-Charset: Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9443 User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 179, "payload_entropy": 5.287599577543719, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "US", "dst_port": 9443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 55, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ed0331d8d2e62cd4a0b0ef5245b40a7a05b38cae", "event_fingerprint": "fb2cae5b6b97540dd8affff2f1b0a66ca956efc9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "matched_patterns": [ "pat-0600" ], "matched_pattern_names": [ "HTTPS alt 9443 probe" ], "pattern_ids": [ "pat-0600" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7f45b4eee4c4e8ea508917db4d44b937", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9443, "service": "https", "service_name": "https", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset: ", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset:", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset:", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "96f7e3a47f081c51e5ec3723a1492ce980ea37c7", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset:", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset:", "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 9443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset:", "port": 9443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:9443 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9443\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)\r\nAccept-Charset:", "target_port_label": "9443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "9443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.24, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_investigate", "tags_list": [ "http_alt_port", "http_get_probe", "mozi_pattern", "net_flood", "websphere_probe" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9600 · HTTP	http	Scan de ports port scan syn · via HTTP:9600 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537.3… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9600 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9600 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9600 User-Agent: Mozilla/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0a43c526d2b7e0a2dfbd0cfa361335603fe9127d", "http_host_hash": "44cc785096eee70b8adc49c022e7d721f0cbe382", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.432237427597684, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9600, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "bbe17820b52d0f13a6a76bb9a0b76374a65a1758", "event_fingerprint": "58945d40ae9ce74f64599613c1ed3764c76ba887", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bd3d051de151d9c7546bb93161c19229", "payload_hash": "6372b611b57ca3d03277fca234826c41", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9600, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d1490aa1ab4c93a73e284eb1428fb35cfb90fe7e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/\u2026", "port": 9600, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "port scan syn \u00b7 via HTTP:9600 \u00b7 (reconnaissance)", "target_port_label": "9600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9600, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/\u2026", "port": 9600, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9600 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ONEPLUS A5000) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "9600 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9800 · HTTP	http	Scan de ports port scan syn · via HTTP:9800 · (reconnaissance)	Élevée	Moyen · 53
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9800 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240&Win32 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240&Win32 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "b0364640299db33f8404b11696d99381bae30e58", "http_host_hash": "cdd33c2e29f66cb136ed4dbe98ab4617106c43de", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.427632565236334, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9800, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "622a795e037fa4aebdee39533efd541216aa7651", "event_fingerprint": "f0cfb2c3682d2fb350fc805bb871a49995bcb77c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "7236346f5c04ebdd8f79152ee3fb55b6", "payload_hash": "c7568abaf5a92d093b6e72ff395bd6bd", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9800, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.10240&Win32\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34ab4bb11a9225bb95f3cf299ba2606c1ada9151", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edg\u2026", "port": 9800, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "port scan syn \u00b7 via HTTP:9800 \u00b7 (reconnaissance)", "target_port_label": "9800 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9800, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edg\u2026", "port": 9800, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9800 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9800\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "9800 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9800" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9700 · HTTP	http	Scan de ports port scan syn · via HTTP:9700 · (reconnaissance)	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build/HUAWEI… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9700 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build/HUAWEIPRA-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.0.1207 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9700 User-Agent: Mozilla/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build/HUAWEIPRA-LX1) Apple Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9700 User-Agent: Mozilla/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build/HUAWEIPRA-LX1) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/57.0.2987.108 UCBrowser/12.13.0.1207 Mobile Safari/537.36 Accept-Charset: Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "860913b61e46d7facc0ced91a573eef44a22f05d", "http_host_hash": "0a0b8f448e59191d2da0c04ca939bed628dedb35", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 307, "payload_entropy": 5.516028470547379, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9700, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "45000648eb89031256f874f678b272bc798902ec", "event_fingerprint": "23e962bf4410b3b4349e8a2e0d3e3a64b5e4477b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "855dbe16b519013e705ccb640f8fde6a", "payload_hash": "f34d7e84d10fbb27d6dbe98411f4fb2b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9700, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9700\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) Apple", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9700\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36\r\nAccept-Charset: ", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9700\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) Apple", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9700\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/57.0.2987.108 UCBrowser\/12.13.0.1207 Mobile Safari\/537.36\r\nAccept-Charset: ", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9700\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) Apple", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e87341bb185cf300948b7df947f0736e39818032", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/\u2026", "port": 9700, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9700\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) Apple", "attack_vector": "port scan syn \u00b7 via HTTP:9700 \u00b7 (reconnaissance)", "target_port_label": "9700 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9700, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/\u2026", "port": 9700, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9700 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9700\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 7.0; en-US; PRA-LX1 Build\/HUAWEIPRA-LX1) Apple", "target_port_label": "9700 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9700" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.28, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9900 · HTTP	http	Scan de ports port scan syn · via HTTP:9900 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9900 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 (KHTML, like Gecko Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9900 User-Agent: Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d4213e87f50f2b1ff1f423219d60cd9df84a9cee", "http_host_hash": "644bf1e7d4424d875bb198a2d6fada630a6b209e", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.396502447924321, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9900, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "957d51c1f23892e01b2c370e4abb98c26814fe2c", "event_fingerprint": "10303abac2fece05340c2bff54106b34c1316ec9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f8e440f448c37585e3d439a7ebcaf6f8", "payload_hash": "627e029ceb0077a23f1041da3f8af0f0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9900, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "75f3228d73a57f7a02d89b9060db9c46efe173e1", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko", "attack_vector": "port scan syn \u00b7 via HTTP:9900 \u00b7 (reconnaissance)", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 9900, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9900 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko", "target_port_label": "9900 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.22, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9990 · HTTP	http	Scan de ports port scan syn · via HTTP:9990 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/1… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9990 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9990 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Accept-Ch Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9990 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0a540c4e158404bf13daf9dab34433773f42270d", "http_host_hash": "461706fb12ef9a743999df8757ab92cc14f281b3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 186, "payload_entropy": 5.254735031283607, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9990, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2987edc3a626cdd2d5cb691501b672da1fa4d6e8", "event_fingerprint": "cfb1d21592275b072900e2b260437f74dd90dd6b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "894d186111a59dd4bf59e8ded183ded7", "payload_hash": "b0a89e9d7d4ce0d08ef9bf84ad3f869f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9990, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Ch", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Ch", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Ch", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6215a6c7399b6461ae4cf06c292fab806522294d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "port": 9990, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Ch", "attack_vector": "port scan syn \u00b7 via HTTP:9990 \u00b7 (reconnaissance)", "target_port_label": "9990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9990, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0", "port": 9990, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9990 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9990\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:12.0) Gecko\/20100101 Firefox\/12.0\r\nAccept-Ch", "target_port_label": "9990 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9990" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9902 · HTTP	http	Scan de ports port scan syn · via HTTP:9902 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9902 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9902 User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, li Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9902 User-Agent: Mozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "fd84c72d69faf33df573dcd0340e5a121c99ab2d", "http_host_hash": "2df472fd8185242a840070ff0b74163f4605460a", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.403756554925413, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9902, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "10ce56c0dfc06106b9f757aa34384565bb8c76a5", "event_fingerprint": "57fef0ce49037f4426373182fd59651fd3afb096", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f5bf208ca505ba301b62dd806f861235", "payload_hash": "03f17ee90e184addf837e335999827b9", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9902, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9902\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, li", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9902\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9902\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, li", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9902\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9902\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "95c1334c4f14a70229a4eef67189165c46f159f3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148\u2026", "port": 9902, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9902\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:9902 \u00b7 (reconnaissance)", "target_port_label": "9902 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9902, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148\u2026", "port": 9902, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9902 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9902\r\nUser-Agent: Mozilla\/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, li", "target_port_label": "9902 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9902" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.35, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9980 · HTTP	http	Scan de ports port scan syn · via HTTP:9980 · (reconnaissance)	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA mukewang/7.2.0 (iPhone; iOS 12.3.1; Scale/2.00) webview Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9980 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent mukewang/7.2.0 (iPhone; iOS 12.3.1; Scale/2.00) webview Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9980 User-Agent: mukewang/7.2.0 (iPhone; iOS 12.3.1; Scale/2.00) webview Accept-Charset: utf- Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9980 User-Agent: mukewang/7.2.0 (iPhone; iOS 12.3.1; Scale/2.00) webview Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d0046fc2f6f955023af1026813de23233802b65f", "http_host_hash": "a16cf608d994fa61a0d75635af4ae29a4388762e", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 175, "payload_entropy": 5.260146646736708, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9980, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "dd068af7ee8cb32f838b05eecde2708464928215", "event_fingerprint": "da61fb8219be0d2d48753e66b097b589d589594d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "34ddee18ddecaa440b728c00eacd3d58", "payload_hash": "f4dc9e91a40de5c18709881b3f0b9d6c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9980, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9980\r\nUser-Agent: mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview\r\nAccept-Charset: utf-", "method": "GET", "path": "\/", "user_agent": "mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9980\r\nUser-Agent: mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9980\r\nUser-Agent: mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview\r\nAccept-Charset: utf-", "evidence": { "method": "GET", "path": "\/", "user_agent": "mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9980\r\nUser-Agent: mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9980\r\nUser-Agent: mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview\r\nAccept-Charset: utf-", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d9b1cfc578a74f9b1937941c71a528a722ef629d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview", "port": 9980, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9980\r\nUser-Agent: mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview\r\nAccept-Charset: utf-", "attack_vector": "port scan syn \u00b7 via HTTP:9980 \u00b7 (reconnaissance)", "target_port_label": "9980 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9980, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview", "port": 9980, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9980 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9980\r\nUser-Agent: mukewang\/7.2.0 (iPhone; iOS 12.3.1; Scale\/2.00) webview\r\nAccept-Charset: utf-", "target_port_label": "9980 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9980" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.3, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9901 · HTTP	http	Scan de ports port scan syn · via HTTP:9901 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9901 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9901 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9901 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3880.4 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "07e94e087c0a84d819a3861a408d65d331d456df", "http_host_hash": "9a0d91d976f8736fe81fe3d8c16dfb97e2f2ee63", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 239, "payload_entropy": 5.411377122506215, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9901, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "41b4521785639faf4745e85d368d9526ba2e9e16", "event_fingerprint": "e627f6cbda58acb4f9ed84284fcdee2fb4b712d0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "8ab1fe59c144b572905595d46e7e661a", "payload_hash": "33cd83e7287eab388eef2d1a97119d19", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9901, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9901\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9901\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9901\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9901\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9901\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "215f848986691d91311bd2cf2349ce0c30c47e98", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 9901, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9901\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:9901 \u00b7 (reconnaissance)", "target_port_label": "9901 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9901, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3880.4 Safari\/537.36", "port": 9901, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9901 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9901\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "9901 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9901" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.25, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9989 · HTTP	http	Scan de ports port scan syn · via HTTP:9989 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9989 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.35 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9989 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9989 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.35 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "2b894689c4598dc38ad9ae0d881590961f587bc4", "http_host_hash": "8ec78d27f6db52e1c22bced0d8c4a527c8fc03cd", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.414078131832623, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9989, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "850d1c1c9b758b536333464026911c58e59c2d19", "event_fingerprint": "1e46a9247651e0904c8172f0165c48f862a394b1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "f89139e348949b62ced355daef19c7ce", "payload_hash": "c44e1c59f860da890979ca62b409e53b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9989, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9989\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9989\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9989\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9989\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9989\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c1f7b25445775ca29e906546d88af11efa882616", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36", "port": 9989, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9989\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:9989 \u00b7 (reconnaissance)", "target_port_label": "9989 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9989, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.35 Safari\/537.36", "port": 9989, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9989 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9989\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "9989 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9989" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9998 · HTTP	http	Scan de ports port scan syn · via HTTP:9998 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9998 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 UBrowser/6.2.4098.3 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9998 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Ch Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9998 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 UBrowser/6.2.4098.3 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e5d3dd628246002a3eee817a2562d8a8c6261b60", "http_host_hash": "8695d606561d67d9b540a5289fdb147f7c1082eb", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 248, "payload_entropy": 5.449201247837187, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9998, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "57a87499081b07755678c1c27ee483df98e2c20c", "event_fingerprint": "0ddc97b931816c12db7a2cd15057e99151f3e8ab", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "44bb2a4234f58d20595a57f6bcc5e02f", "payload_hash": "774dde5d58c60f2abf2f16419b6fbf8c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9998, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9998\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 UBrowser\/6.2.4098.3 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9998\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 UBrowser\/6.2.4098.3 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9998\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 UBrowser\/6.2.4098.3 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9998\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 UBrowser\/6.2.4098.3 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9998\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "57e421ae0f675665165933aecbc3527c0d4945cc", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 UBrowser\/6.2.4098.3 Safa\u2026", "port": 9998, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9998\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "attack_vector": "port scan syn \u00b7 via HTTP:9998 \u00b7 (reconnaissance)", "target_port_label": "9998 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9998, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/55.0.2883.87 UBrowser\/6.2.4098.3 Safa\u2026", "port": 9998, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9998 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9998\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "target_port_label": "9998 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9998" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9999 · HTTP	http	Scan de ports port scan syn · via HTTP:9999 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWeb… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9999 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9999 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 ( Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9999 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.81 Mobile/15E148 Safari/605.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0b14336d041ad65f18402b6a6059659832a7862f", "http_host_hash": "83a22baaf629d53e39c79d30e6b18dca9da1a92c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 261, "payload_entropy": 5.383303039085834, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9999, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "06c5402354fbad3b60ecf8c5318c49a99384cb10", "event_fingerprint": "40878c406b78c3c05ae157428aaa7e6fc39c6cac", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "bae14fa0d02dcf3caa27f446fc1be4be", "payload_hash": "f88adae8e857a7408155031ac0544478", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9999, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobile\/15E148 Safari\/605.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "79c4135826b78f8b26d01d7b5498597e777f3a8d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026", "port": 9999, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (", "attack_vector": "port scan syn \u00b7 via HTTP:9999 \u00b7 (reconnaissance)", "target_port_label": "9999 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9999, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) CriOS\/76.0.3809.81 Mobi\u2026", "port": 9999, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:9999 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 13_0 like Mac OS X) AppleWebKit\/605.1.15 (", "target_port_label": "9999 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9999" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:20:00 UTC	TCP	9300 · ELASTICSEARCH TRANSPORT	elasticsearch-transport	Scan de ports port scan syn · via ELASTICSEARCH TRANSPORT:9300 · (reconnaissance)	Élevée	Moyen · 53
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur ELASTICSEARCH-TRANSPORT WAF — Recommandation Investiguer Tags elasticsearch_tcp_probe elasticsearch_transport elasticsearch_transport_emulated elasticsearch_transport_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9300 Chemin / cible — Service ELASTICSEARCH TRANSPORT Payload GET / HTTP/1.1 Host: 62.3.50.33:9300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, li Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 7 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9300 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "45530000002d0000000000000000000000000000000000000000000000000000000000000000000000000000000000372e31372e3900", "emulator_response_len": 54, "bytes_in": 240, "payload_entropy": 5.391650159574485, "port_category": "registered", "org": "Google LLC", "service": "elasticsearch-transport", "app_proto": "elasticsearch-transport", "asn": 396982, "country": "US", "dst_port": 9300, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 53, "tag_count": 7, "anomaly_count": 0, "campaign_key": "9f6e4293222d556e8b05e88ed21c392dda585389", "event_fingerprint": "799a01625b8a0465d40f9f6462855760051318c2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 53, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "elasticsearch-transport", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "88b6ef2e0253624fc19fcd107a1eb1a1", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 9300, "service": "elasticsearch-transport", "service_name": "elasticsearch-transport", "risk_score": 53 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.75 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5bd0a1162cd830e2386dfea4d505eeb6ae92cf66", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "port": 9300, "service": "elasticsearch-transport", "service_label_fr": "ELASTICSEARCH TRANSPORT" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH TRANSPORT:9300 \u00b7 (reconnaissance)", "target_port_label": "9300 \u00b7 ELASTICSEARCH TRANSPORT", "emulator_service": "elasticsearch-transport", "confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via ELASTICSEARCH TRANSPORT \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 53, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 53, "risk_label": "Moyen", "service_name": "elasticsearch-transport", "service_label_fr": "ELASTICSEARCH TRANSPORT", "dst_port": 9300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-elasticsearch-transport", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "port": 9300, "service": "elasticsearch-transport", "service_label_fr": "ELASTICSEARCH TRANSPORT" }, "attack_vector": "port scan syn \u00b7 via ELASTICSEARCH TRANSPORT:9300 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9300\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "9300 \u00b7 ELASTICSEARCH TRANSPORT", "emulator_service": "elasticsearch-transport", "confidence_reason": "Confiance 100 % \u2014 7 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "elasticsearch_transport", "service_banner": "honeypot-elasticsearch-transport", "service_os": "linux", "dst_port": "9300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 32.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "elasticsearch_tcp_probe", "elasticsearch_transport", "elasticsearch_transport_emulated", "elasticsearch_transport_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	7272 · HTTP	http	Scan de ports port scan syn · via HTTP:7272 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, … Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7272 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7272 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Ch Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7272 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "359ae07b9484c3e9c9f4947afc9655deb769883a", "http_host_hash": "b0d38afaff8cf96804ce9e513f85f9ae3b51dca7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 229, "payload_entropy": 5.433587480748623, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 7272, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4eec01d9e535cdafd0ab5ea30f44a5d5838b62c5", "event_fingerprint": "00e43a16dc764f920f159d093fc9e7838e4a704e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0e0fc461fc60c5103c50e2bd67f1e72d", "payload_hash": "3c151e158577189b53ff3dcbc0acef93", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7272, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7272\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7272\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7272\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7272\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7272\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3acde658825f5e74a1201502b06812ac7e2a7775", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "port": 7272, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7272\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "attack_vector": "port scan syn \u00b7 via HTTP:7272 \u00b7 (reconnaissance)", "target_port_label": "7272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7272, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.108 Safari\/537.36", "port": 7272, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7272 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7272\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "target_port_label": "7272 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7272" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 40.09, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	7373 · HTTP	http	Scan de ports port scan syn · via HTTP:7373 · (reconnaissance)	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7373 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 (KHTML, Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7373 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "87714776a81642cc8483a46c9b386e769e683fe6", "http_host_hash": "15b11503bff7a610021756e1e0b43a8ce8783cc2", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 237, "payload_entropy": 5.362428308854933, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 7373, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a2795bc65c1c96944a0bd3e5f50c3585b1ec718c", "event_fingerprint": "79dc1febcd2858d47681c2f8d648a9619c0cfb95", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "37904114285671e34c5108f65a8f0e1e", "payload_hash": "fc3dd1d832fe86f67e2b4b584901b1d8", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7373, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML, ", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML,", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML,", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a82048f0b72fea7160869eac6395cd64d0fdeddb", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML,", "attack_vector": "port scan syn \u00b7 via HTTP:7373 \u00b7 (reconnaissance)", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7373, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/12.1 Safari\/605.1.15", "port": 7373, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7373 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7373\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit\/605.1.15 (KHTML,", "target_port_label": "7373 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7373" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 40.01, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	7474 · NEO4J HTTP	neo4j-http	Scan de ports port scan syn · via NEO4J HTTP:7474 · (reconnaissance)	Élevée	Moyen · 53
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur NEO4J-HTTP WAF — Recommandation Investiguer Tags http_get_probe mozi_pattern neo4j_http_emulated neo4j_http_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7474 Chemin / cible — Service NEO4J HTTP Payload GET / HTTP/1.1 Host: 62.3.50.33:7474 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N960U) AppleWebKit/537.36 (KHTML, like Geck Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7474 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N960U) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7474 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-N960U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206e656f346a5f6874747020726561647920706f72743d373437340d0a", "emulator_response_len": 41, "bytes_in": 241, "payload_entropy": 5.442739691265165, "port_category": "registered", "org": "Google LLC", "service": "neo4j-http", "app_proto": "neo4j-http", "asn": 396982, "country": "US", "dst_port": 7474, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 2.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 53, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a5d5c121034e83b4d041388ab1430c5c9b0a1ca2", "event_fingerprint": "567b5a7b5228f3d7fb85dff2966ccc2eba4ea747", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 53, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "neo4j-http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bab00c9e2cf990108d8bb6924c2aaaf4", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 7474, "service": "neo4j-http", "service_name": "neo4j-http", "risk_score": 53 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N960U) AppleWebKit\/537.36 (KHTML, like Geck", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N960U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N960U) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N960U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N960U) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e42686fd3d4083029511a93765726f343ae1f0fa", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N960U) AppleWebKit\/537.36 (KHTML, like Geck", "port": 7474, "service": "neo4j-http", "service_label_fr": "NEO4J HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N960U) AppleWebKit\/537.36 (KHTML, like Geck", "attack_vector": "port scan syn \u00b7 via NEO4J HTTP:7474 \u00b7 (reconnaissance)", "target_port_label": "7474 \u00b7 NEO4J HTTP", "emulator_service": "neo4j-http", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NEO4J HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 53, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 53, "risk_label": "Moyen", "service_name": "neo4j-http", "service_label_fr": "NEO4J HTTP", "dst_port": 7474, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-neo4j-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N960U) AppleWebKit\/537.36 (KHTML, like Geck", "port": 7474, "service": "neo4j-http", "service_label_fr": "NEO4J HTTP" }, "attack_vector": "port scan syn \u00b7 via NEO4J HTTP:7474 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7474\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-N960U) AppleWebKit\/537.36 (KHTML, like Geck", "target_port_label": "7474 \u00b7 NEO4J HTTP", "emulator_service": "neo4j-http", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "neo4j_http", "service_banner": "honeypot-neo4j-http", "service_os": "linux", "dst_port": "7474" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 39.89, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "http_get_probe", "mozi_pattern", "neo4j_http_emulated", "neo4j_http_payload", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	7575 · HTTP	http	Scan de ports port scan syn · via HTTP:7575 · (reconnaissance)	Élevée	Moyen · 64
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38… Émulateur HTTP WAF 24 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7575 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 64 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Règles WAF lfi-14 rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7575 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Accept-Cha Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7575 User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "ece89018f8e51dcdb25431bef4142f642a506f93", "http_host_hash": "4906f22e757962b4f9d1f873fa79ad166e47dfb9", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 185, "payload_entropy": 5.295743925043823, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 7575, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 64, "tag_count": 5, "anomaly_count": 0, "campaign_key": "7e3ea84fd101cab65ae4308a8a0cb4efad2ab038", "event_fingerprint": "788109c66083b0c5485df89f8b52e31de2965581", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 64, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "3ef775987e41dcc313d41d88786ef3b6", "payload_hash": "d1df7ed9a25792b36b0dd288ef31eef3", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7575, "service": "http", "service_name": "http", "risk_score": 64 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7575\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Cha", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7575\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7575\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Cha", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7575\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7575\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Cha", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d3a05381739d5e954563cc889e11b48abecc27de", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "port": 7575, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7575\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Cha", "attack_vector": "port scan syn \u00b7 via HTTP:7575 \u00b7 (reconnaissance)", "target_port_label": "7575 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 64, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 64, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7575, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0", "port": 7575, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7575 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7575\r\nUser-Agent: Mozilla\/5.0 (OS\/2; Warp 4.5; rv:38.0) Gecko\/20100101 Firefox\/38.0\r\nAccept-Cha", "target_port_label": "7575 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +23 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7575" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 39.65, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	7676 · HTTP	http	Scan de ports port scan syn · via HTTP:7676 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7676 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3178.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7676 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7676 User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3178.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "01b326db0c40500d584db9349c17954cd21e25ed", "http_host_hash": "5c1e690396f7390e656052e2bfaa7b6e36c15a7d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 231, "payload_entropy": 5.4361967174936145, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 7676, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2eb637f33e8cfde4034174843b58f7a38fc966fd", "event_fingerprint": "1fe075db521095c68eaae14809f23fa110b65814", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "537aecb83e5aee413afccc1ad56ed533", "payload_hash": "c6dae1d0fb782d1c51b4f85e6817e826", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7676, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7676\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7676\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7676\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7676\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7676\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9646685857237d6278100fe5d61245bdfe5f22de", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36", "port": 7676, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7676\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "attack_vector": "port scan syn \u00b7 via HTTP:7676 \u00b7 (reconnaissance)", "target_port_label": "7676 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7676, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/62.0.3178.0 Safari\/537.36", "port": 7676, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7676 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7676\r\nUser-Agent: Mozilla\/5.0 (X11; Fedora; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko", "target_port_label": "7676 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7676" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 39.57, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	7777 · GAME UNREAL	game-unreal	Scan de ports port scan syn · via GAME UNREAL:7777 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur GAME-UNREAL WAF — Recommandation Investiguer Tags http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7777 Chemin / cible — Service GAME UNREAL Payload GET / HTTP/1.1 Host: 62.3.50.33:7777 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7777 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7777 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a", "emulator_response_len": 42, "bytes_in": 234, "payload_entropy": 5.408271795713656, "port_category": "registered", "org": "Google LLC", "service": "game-unreal", "app_proto": "game-unreal", "asn": 396982, "country": "US", "dst_port": 7777, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 56, "tag_count": 3, "anomaly_count": 0, "campaign_key": "2a945066ffe7cd5b04470b7b4258a191527ccaa1", "event_fingerprint": "d1d5eef058c01dc28b25edac05bf96e96a6b749c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "game-unreal", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6fa5fe6191e05bc705c10bac50c026e9", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 7777, "service": "game-unreal", "service_name": "game-unreal", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.157 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "94334c54967a3bde215a78f691e79eab1f1ad8e6", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 7777, "service": "game-unreal", "service_label_fr": "GAME UNREAL" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "attack_vector": "port scan syn \u00b7 via GAME UNREAL:7777 \u00b7 (reconnaissance)", "target_port_label": "7777 \u00b7 GAME UNREAL", "emulator_service": "game-unreal", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via GAME UNREAL \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "game-unreal", "service_label_fr": "GAME UNREAL", "dst_port": 7777, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-game-unreal", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "port": 7777, "service": "game-unreal", "service_label_fr": "GAME UNREAL" }, "attack_vector": "port scan syn \u00b7 via GAME UNREAL:7777 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7777\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck", "target_port_label": "7777 \u00b7 GAME UNREAL", "emulator_service": "game-unreal", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "game_unreal", "service_banner": "honeypot-game-unreal", "service_os": "linux", "dst_port": "7777" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 39.5, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	7860 · HTTP	http	Scan de ports port scan syn · via HTTP:7860 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KH… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7860 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7860 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Geck Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7860 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-G965F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "521eae25998e470859810ebe6a8a836051c1b2aa", "http_host_hash": "2c150a2d584bc4a893931e17fa43c152a5272207", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.420291933861774, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 7860, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fea1e8334e54feb6e0ca8490d22ac0ed9b866c5f", "event_fingerprint": "91081c8997858952c7d3a90fd26c5670be898e6a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9b2ce34d57c38b17869871ab02145de0", "payload_hash": "707b37fe695451a3c3916797d672f8b0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7860, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7860\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Geck", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7860\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7860\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Geck", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7860\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7860\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Geck", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f98769d7fd121972cfc672c0af0b94bed1bd3cc6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 7860, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7860\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Geck", "attack_vector": "port scan syn \u00b7 via HTTP:7860 \u00b7 (reconnaissance)", "target_port_label": "7860 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7860, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.\u2026", "port": 7860, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7860 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7860\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-G965F) AppleWebKit\/537.36 (KHTML, like Geck", "target_port_label": "7860 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7860" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 39.41, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	7878 · HTTP	http	Scan de ports port scan syn · via HTTP:7878 · (reconnaissance)	Élevée	Moyen · 53
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build/OPM1.17101… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7878 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build/OPM1.171019.019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7878 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build/OPM1.171019.019; wv) App Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7878 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build/OPM1.171019.019; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/70.0.3538.110 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encodin Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "491bb2441868edf6daa60378caaa11c2d966652d", "http_host_hash": "f71b028a95e2bab2bb2d4ef8c81daaabd1bb6211", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 286, "payload_entropy": 5.443109725324762, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 7878, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "7e0df5fc575e3b93af5ecdb7c243645954a2bebc", "event_fingerprint": "656fdceeb094bf4b7de1441ad538ef72d80de96c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b2763d557d86b37fe9f11e8b69bcf118", "payload_hash": "e8d6f2fd9143b051d59f613f92ce39ab", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7878, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7878\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) App", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/70.0.3538.110 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7878\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/70.0.3538.110 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7878\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) App", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/70.0.3538.110 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7878\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/70.0.3538.110 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encodin", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7878\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) App", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9507056f6cbb14bae849917e67a031d93940f5ae", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Versio\u2026", "port": 7878, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7878\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) App", "attack_vector": "port scan syn \u00b7 via HTTP:7878 \u00b7 (reconnaissance)", "target_port_label": "7878 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7878, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Versio\u2026", "port": 7878, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:7878 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7878\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 6 Pro Build\/OPM1.171019.019; wv) App", "target_port_label": "7878 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7878" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 39.33, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8001 · HTTP	http	Scan de ports port scan syn · via HTTP:8001 · (reconnaissance)	Élevée	Moyen · 53
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8001 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 53 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 YaBrowser/19.3.1.828 Yowser/2.5 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8001 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) C Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8001 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 YaBrowser/19.3.1.828 Yowser/2.5 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "d4fd643349e1d6526e7d0cab0c15dbb179c43a94", "http_host_hash": "29d114ae8a3567c5f1863f5bd79c5d398a432fe8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 262, "payload_entropy": 5.432427218946786, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8001, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 53, "tag_count": 4, "anomaly_count": 0, "campaign_key": "790ed635685d3e6b8b153cc5d590a54a3ac0b6ff", "event_fingerprint": "9d6a318ce652902314c6341b2bb6c2bcca4647fd", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ad79bbcc69575186f2ed0fd22d8f9f71", "payload_hash": "32641be00d0a3ccd285acc63f90769fb", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8001, "service": "http", "service_name": "http", "risk_score": 53 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) C", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) C", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Yowser\/2.5 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) C", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4234a97194e7ff63026319416cccf746638e4190", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Y\u2026", "port": 8001, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) C", "attack_vector": "port scan syn \u00b7 via HTTP:8001 \u00b7 (reconnaissance)", "target_port_label": "8001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 53, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 53, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8001, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/72.0.3626.121 YaBrowser\/19.3.1.828 Y\u2026", "port": 8001, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8001 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8001\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) C", "target_port_label": "8001 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 39.25, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8008 · HTTP	http	Scan de ports port scan syn · via HTTP:8008 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (KHT… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8008 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (KHTML, like Gecko Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8008 User-Agent: Mozilla/5.0 (Linux; Android 9; LM-V405) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "fc9781c975d92c72d7fbdb574659c43840811169", "http_host_hash": "2f04469f58c087671b6a6ba85c59ddf7574837ab", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.421502447924321, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8008, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "028175db6d945589c98903eabeda8f84c18cd68f", "event_fingerprint": "185d7bb07616422554e1f926743ef961b5eb7000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b1203e067229de427efedba4a41e9c2d", "payload_hash": "82875dc2707409447666c374c13059d5", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8008, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "27de23309e5880fa9a4281466a59a1941c8c536c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko", "attack_vector": "port scan syn \u00b7 via HTTP:8008 \u00b7 (reconnaissance)", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8008, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "port": 8008, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8008 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8008\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; LM-V405) AppleWebKit\/537.36 (KHTML, like Gecko", "target_port_label": "8008 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8008" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 39.17, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8020 · HDFS NAMENODE	hdfs-namenode	Scan de ports port scan syn · via HDFS NAMENODE:8020 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur HDFS-NAMENODE WAF — Recommandation Investiguer Tags hdfs_namenode_emulated hdfs_namenode_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8020 Chemin / cible — Service HDFS NAMENODE Payload GET / HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Ch Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Ch Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8020 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63", "emulator_response_len": 144, "bytes_in": 228, "payload_entropy": 5.39535975194526, "port_category": "registered", "org": "Google LLC", "service": "hdfs-namenode", "app_proto": "hdfs-namenode", "asn": 396982, "country": "US", "dst_port": 8020, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 56, "tag_count": 5, "anomaly_count": 0, "campaign_key": "25e80c7c0b4884fc729d9130b735ffc00ad5a6a9", "event_fingerprint": "004499a144c92e4455aac1722fd9719117630099", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "hdfs-namenode", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7a5e72bcb8ea6ff367e87e72b30956b0", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8020, "service": "hdfs-namenode", "service_name": "hdfs-namenode", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd03e3189845411f137a7185d76a01b3c5c184bc", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "attack_vector": "port scan syn \u00b7 via HDFS NAMENODE:8020 \u00b7 (reconnaissance)", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HDFS NAMENODE \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE", "dst_port": 8020, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-hdfs-namenode", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "port": 8020, "service": "hdfs-namenode", "service_label_fr": "HDFS NAMENODE" }, "attack_vector": "port scan syn \u00b7 via HDFS NAMENODE:8020 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8020\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch", "target_port_label": "8020 \u00b7 HDFS NAMENODE", "emulator_service": "hdfs-namenode", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "hdfs_namenode", "service_banner": "honeypot-hdfs-namenode", "service_os": "linux", "dst_port": "8020" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 39.04, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "hdfs_namenode_emulated", "hdfs_namenode_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8010 · HTTP	http	Scan de ports port scan syn · via HTTP:8010 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleW… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8010 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8010 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8010 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "4538a6f8042862ead20206ab7abac56f57342c56", "http_host_hash": "90199038884baa59455d3404a4ba05d942a7b0fe", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.334709586026875, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8010, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.3, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "2d17a716ce3c36b7bf9cfc02dbcbc6ae82214dd5", "event_fingerprint": "9355c37cfd1654ec493b724c9c7954bfdb6efe18", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "22f61874de8090ba5a141b0168007756", "payload_hash": "8909af1022bb3d91397c1d00cd21b661", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8010, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8010\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8 ", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.0 Mobile\/14G60 Safari\/602.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8010\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.0 Mobile\/14G60 Safari\/602.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8010\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.0 Mobile\/14G60 Safari\/602.1", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8010\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.0 Mobile\/14G60 Safari\/602.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8010\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8c705a1f4c1ab46d131b11f82f94beb44aa84fe3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.0 Mobile\/14\u2026", "port": 8010, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8010\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8", "attack_vector": "port scan syn \u00b7 via HTTP:8010 \u00b7 (reconnaissance)", "target_port_label": "8010 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8010, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8 (KHTML, like Gecko) Version\/10.0 Mobile\/14\u2026", "port": 8010, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8010 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8010\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit\/603.3.8", "target_port_label": "8010 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8010" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 38.96, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8040 · HTTP	http	Scan de ports port scan syn · via HTTP:8040 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8040 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8040 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8040 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0001989e49924f8bae176d77792fbc0ba5d1ed5e", "http_host_hash": "536ef780c53aff4571829d7569317b48bd3c681f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.3843105117119014, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8040, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9285788339758db42e7114db675dd4a4e64f13c1", "event_fingerprint": "6b48df12f748b1fa3e8f3ce127735f04dd41e370", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6f4a065b015211242b1682e970c56277", "payload_hash": "d5882c94f52205a82d37facceff0e73f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8040, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5d8be366ad4ac5a049539cee44122aac9aa208d5", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 8040, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:8040 \u00b7 (reconnaissance)", "target_port_label": "8040 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8040, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.\u2026", "port": 8040, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8040 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8040\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8040 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8040" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 38.69, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8030 · HTTP	http	Scan de ports port scan syn · via HTTP:8030 · (reconnaissance)	Élevée	Moyen · 62
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA UCWEB/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit/534.1 U3/3.0.0 M… Émulateur HTTP WAF 24 Recommandation Investiguer Tags 950318:lfi-14 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8030 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 62 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent UCWEB/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit/534.1 U3/3.0.0 Mobile Règles WAF lfi-14 rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8030 User-Agent: UCWEB/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit/534.1 U3/3.0.0 Mobile Accept- Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8030 User-Agent: UCWEB/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit/534.1 U3/3.0.0 Mobile Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "b60da48c4b08cf3b0e05e009cfe39067765db3c1", "http_host_hash": "f130243513b7300e0da1ac623a115de4e650e25b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 188, "payload_entropy": 5.272781585665281, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8030, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 1.9, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 62, "tag_count": 5, "anomaly_count": 0, "campaign_key": "ad9e4d75a38c22adf70cead4eb0f94f7b1dce654", "event_fingerprint": "ae785e8a1a041b0fc7e3f299c5038f3e5ef1195e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 62, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ff45ba6318f6995eca7d74c8a37b669f", "payload_hash": "89b52e0b3852d95fb158ce7c942f8978", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8030, "service": "http", "service_name": "http", "risk_score": 62 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8030\r\nUser-Agent: UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile\r\nAccept-", "method": "GET", "path": "\/", "user_agent": "UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8030\r\nUser-Agent: UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8030\r\nUser-Agent: UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile\r\nAccept-", "evidence": { "method": "GET", "path": "\/", "user_agent": "UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile", "waf_tags": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8030\r\nUser-Agent: UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8030\r\nUser-Agent: UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile\r\nAccept-", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "949a6c6101b591e46cebe72c9d8d73eb67f35d37", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile", "port": 8030, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8030\r\nUser-Agent: UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile\r\nAccept-", "attack_vector": "port scan syn \u00b7 via HTTP:8030 \u00b7 (reconnaissance)", "target_port_label": "8030 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 62, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 62, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8030, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile", "port": 8030, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8030 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8030\r\nUser-Agent: UCWEB\/8.8 (iPhone; CPU OS_6; en-US)AppleWebKit\/534.1 U3\/3.0.0 Mobile\r\nAccept-", "target_port_label": "8030 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +23 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8030" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 38.61, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950318:lfi-14", "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8050 · HTTP	http	Scan de ports port scan syn · via HTTP:8050 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8050 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8050 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8050 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "78b5ce573f8bf720549aba6289877bc57c1ff5e2", "http_host_hash": "c49aeadf9d5a86a39de7ce43de2bce97df248af9", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 245, "payload_entropy": 5.405141422185493, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8050, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d420c2ea38eac7c9f97691bd61433408c8e401e8", "event_fingerprint": "a28cd363d8fb8a4b9a5d13a05396328087159556", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "912d30cca638bf5acc269d96a2dbe209", "payload_hash": "2b23e85da42077c50687d075a09652e4", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8050, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8050\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like ", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8050\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8050\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8050\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8050\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "41b8e7888b62a1894b8630ff9664fd3eb817809d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8050, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8050\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like", "attack_vector": "port scan syn \u00b7 via HTTP:8050 \u00b7 (reconnaissance)", "target_port_label": "8050 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8050, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026", "port": 8050, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8050 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8050\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; SM-J530F) AppleWebKit\/537.36 (KHTML, like", "target_port_label": "8050 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8050" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 38.43, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8060 · HTTP	http	Scan de ports port scan syn · via HTTP:8060 · (reconnaissance)	Élevée	Moyen · 52
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8060 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 52 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8060 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8060 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "c32179a4376bc9078e02126279acaee4907236b7", "http_host_hash": "659aba210ed45d12732dc398ec420869b9d4d3d3", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.4007343956124565, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8060, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.4, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 52, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4df35ccf578303c719c85cd1a56f052a4720bfac", "event_fingerprint": "c23f87515f27820769452a8ddcf9254ae8426f08", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "b0217f7911a405b6c1ebedd2ca3aca33", "payload_hash": "7ad02afe0bfb84323f72ab0de465606e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8060, "service": "http", "service_name": "http", "risk_score": 52 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8060\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8060\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8060\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8060\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8060\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fbf0dd4dbac1cfeac2e71f924fb124052299d61a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 8060, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8060\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:8060 \u00b7 (reconnaissance)", "target_port_label": "8060 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 52, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 52, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8060, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.\u2026", "port": 8060, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8060 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8060\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8060 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8060" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 38.19, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8080 · HTTP	http	Scan de ports port scan syn · via HTTP:8080 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build/PPR1.1806… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build/PPR1.180610.011) AppleW Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8080 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Enco Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "fc4a269fbdd10d30d1815e1ec2628e6dfa45adfb", "http_host_hash": "c9908f9a31aefa5902e21ee9fa132cbe056c536d", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 289, "payload_entropy": 5.51082057042112, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8080, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.6, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "d91181e4d1521a4e084fc447029c34ebbc029bf9", "event_fingerprint": "c4a5ea58b3d2b0d9f787b32d70530d766cc70177", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "2033f96c32f9e7a32c72a9f0be492fee", "payload_hash": "b9f56c15732b43ecb3236fcfaa227dd7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleW", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleW", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enco", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleW", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f203804385ce8eb4f62eb6daa1cb0824ae587c8c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBr\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleW", "attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBr\u2026", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8080\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G950U Build\/PPR1.180610.011) AppleW", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 37.97, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8081 · HTTP	http	Scan de ports port scan syn · via HTTP:8081 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8081 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8081 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e6787b8d3a187a1be37edfc4fdc9e5da8e4861d4", "http_host_hash": "1994c0ff95f3f16c5fa9177d852edc4f1a4a8a24", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 241, "payload_entropy": 5.419673229292207, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8081, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "99db176402abf1c46df931eb47c834f2c6c38abd", "event_fingerprint": "e655cce1d5fb43c4d97a30acd0b655feb29cad21", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "86b6e6c53374b91205e624c6014811fc", "payload_hash": "972a6a0673add53e5d048c721517302b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "86d11e0cef5244c3e229dccc67249e3d929e879a", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.\u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:8081 \u00b7 (reconnaissance)", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/69.0.3497.100 Safari\/537.\u2026", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8081 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8081\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 37.88, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8082 · HTTP	http	Scan de ports port scan syn · via HTTP:8082 · (reconnaissance)	Élevée	Élevé · 66
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleW… Émulateur HTTP WAF 23 Recommandation Investiguer Tags 950086:sqli-21 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8082 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Élevé · 66 Confiance : Confiance 100 % — 4 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN Règles WAF sqli-21 rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8082 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8082 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.4(0x17000428) NetType/WIFI Language/zh_CN Accept-Charset: utf-8 Accept-E Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "568852bf8c0500279360f3a7b83ee5202ffeed78", "http_host_hash": "7a8d0e6c280b76f893f1d973fb51ae53b8bb4673", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 292, "payload_entropy": 5.470913210403127, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8082, "risk_waf": 100, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25 }, "risk_score": 66, "tag_count": 5, "anomaly_count": 0, "campaign_key": "f970ddc534b79ae6bf737d3178228faead75c880", "event_fingerprint": "24e45377946a33b2067be73083ee876944b91034", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 66, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0ab25fecd98477f618d10993a5d3118d", "payload_hash": "f6a428fe8b9718c7a1b1ba023aacf084", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8082, "service": "http", "service_name": "http", "risk_score": 66 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8082\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.4(0x17000428) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8082\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.4(0x17000428) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-8\r\nAccept-E", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8082\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.4(0x17000428) NetType\/WIFI Language\/zh_CN", "waf_tags": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "sqli-21", "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8082\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.4(0x17000428) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-8\r\nAccept-E", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8082\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a204df11137a7f50aec2df6f593021f0efac7d56", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMe\u2026", "port": 8082, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8082\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15", "attack_vector": "port scan syn \u00b7 via HTTP:8082 \u00b7 (reconnaissance)", "target_port_label": "8082 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 66\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 100, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 25, "risk_score": 66, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 66, "risk_label": "\u00c9lev\u00e9", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8082, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMe\u2026", "port": 8082, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8082 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8082\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_3_1 like Mac OS X) AppleWebKit\/605.1.15", "target_port_label": "8082 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +23 \u00b7 4 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8082" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 37.72, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950086:sqli-21", "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8083 · HTTP	http	Scan de ports port scan syn · via HTTP:8083 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8083 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8083 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit/537.36 (KHTML Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8083 User-Agent: Mozilla/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "5dcf21c60d3b576e1bedbc3f1c3b5330ee0542f5", "http_host_hash": "21e69ce58b85e5f3297487d2897913a40772a115", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 252, "payload_entropy": 5.38055689404718, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8083, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fd66e9b57d3a6ecf1287316d869f964e299c0f1e", "event_fingerprint": "4c1203a7b387ab4b56d9c5f8a71136068887d5c8", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "74102f0057236ff01cf1a6c8c10c787d", "payload_hash": "4d67023a88db8c3b61180b8e0edd00a5", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8083, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9a4b1abf78cc2f17ed0236844e6e37732140778d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile \u2026", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML", "attack_vector": "port scan syn \u00b7 via HTTP:8083 \u00b7 (reconnaissance)", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile \u2026", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8083 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8083\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.1.1; Moto E (4) Plus) AppleWebKit\/537.36 (KHTML", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 37.63, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	7000 · CASSANDRA JMX	cassandra-jmx	Scan de ports port scan syn · via CASSANDRA JMX:7000 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur CASSANDRA-JMX WAF — Recommandation Investiguer Tags cassandra_emulated http_get_probe mozi_pattern net_flood Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7000 Chemin / cible — Service CASSANDRA JMX Payload GET / HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit/537.36 (KHTML, like Gec Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7000 User-Agent: Mozilla/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "4f4b0d0a", "emulator_response_len": 4, "bytes_in": 242, "payload_entropy": 5.427369284960896, "port_category": "registered", "org": "Google LLC", "service": "cassandra-jmx", "app_proto": "cassandra-jmx", "asn": 396982, "country": "US", "dst_port": 7000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 15, "risk_boost": 20, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a8493505317994966bd4cf32ea808d809f85f862", "event_fingerprint": "0c69b3edfad1fd34f7b447e7480ba1b6050084c0", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "cassandra-jmx", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d4f54923d70b2879ba76023090db2b4b", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 7000, "service": "cassandra-jmx", "service_name": "cassandra-jmx", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit\/537.36 (KHTML, like Gec", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f43d8edd914561149c7024f07bb5c4779b8453d6", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit\/537.36 (KHTML, like Gec", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "port scan syn \u00b7 via CASSANDRA JMX:7000 \u00b7 (reconnaissance)", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CASSANDRA JMX \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX", "dst_port": 7000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cassandra-jmx", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit\/537.36 (KHTML, like Gec", "port": 7000, "service": "cassandra-jmx", "service_label_fr": "CASSANDRA JMX" }, "attack_vector": "port scan syn \u00b7 via CASSANDRA JMX:7000 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7000\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SM-M205FN) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "7000 \u00b7 CASSANDRA JMX", "emulator_service": "cassandra-jmx", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cassandra_jmx", "service_banner": "honeypot-cassandra-jmx", "service_os": "linux", "dst_port": "7000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 37.05, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "cassandra_emulated", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8089 · HTTP	http	Scan de ports port scan syn · via HTTP:8089 · (reconnaissance)	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8089 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8089 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, li Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8089 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "c3708ddffda158b60c7af1a91573c085b9df8a5f", "http_host_hash": "6e7855f9d1ec5b350040e6a7fa2c7046d35c68a6", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 240, "payload_entropy": 5.409751167326416, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8089, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 6, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fd02a86dc7fd80e5fef07718bdbfa9fa5f8b8557", "event_fingerprint": "de936a6432fb89a855da618305ffe2db3df65c5f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ac5763ea881ba74e1ca97ecfe525f218", "payload_hash": "aab1440792a446aeb5186271b6a68e65", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8089, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "41a548f85a1c67fcbaa03409908e977d91a14e2b", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 8089, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "attack_vector": "port scan syn \u00b7 via HTTP:8089 \u00b7 (reconnaissance)", "target_port_label": "8089 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8089, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36", "port": 8089, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8089 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8089\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit\/537.36 (KHTML, li", "target_port_label": "8089 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8089" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 36.97, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8090 · HTTP	http	Scan de ports port scan syn · via HTTP:8090 · (reconnaissance)	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8090 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3889.0 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8090 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3889.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e982d91b0f50d80f0f3ba493fdaaceb5286071d2", "http_host_hash": "112b403ea5b0e3a7d0d331ab96d728785c3ab96b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 223, "payload_entropy": 5.437308618440441, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8090, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3e825c7e939130a7e44d9ff88c0aeaa8e066c71c", "event_fingerprint": "23cc214f3320bd3cf21c7c992c60f2e82b1b2b5f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "6de29d4d4ac426bc6dcee957ec7e28a4", "payload_hash": "ce71a60be72ebe2f5c8d47ed63083e58", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8090, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3889.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3889.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3889.0 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3889.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3c31899e7b633776932d468ca1ea702f07994f52", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3889.0 Safari\/537.36", "port": 8090, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome", "attack_vector": "port scan syn \u00b7 via HTTP:8090 \u00b7 (reconnaissance)", "target_port_label": "8090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8090, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3889.0 Safari\/537.36", "port": 8090, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8090 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8090\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome", "target_port_label": "8090 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 36.89, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	81 · HTTP	http	Scan de ports port scan syn · via HTTP:81 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML like Ge… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML like Gecko) Ubuntu Chro Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:81 User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.22 (KHTML like Gecko) Ubuntu Chromium/25.0.1364.160 Chrome/25.0.1364.160 Safari/537.22 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "5e5ba17d77c75e49d0c2a6cef9c8b04518ff8f65", "http_host_hash": "f257870e26046e30cbd03e9d5726ca53aa58b86f", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 250, "payload_entropy": 5.391214670637169, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 81, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "48dcc8371c159f9b4755dfe9aa990f01a0511734", "event_fingerprint": "ea594d22610095fdc4d5a1f374bfd407e5255a96", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a45efd27e7e14ef0d843c4e4e37c416b", "payload_hash": "d6ec29dc03529d128df50741c0fa2984", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chro", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chromium\/25.0.1364.160 Chrome\/25.0.1364.160 Safari\/537.22", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chromium\/25.0.1364.160 Chrome\/25.0.1364.160 Safari\/537.22\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chro", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chromium\/25.0.1364.160 Chrome\/25.0.1364.160 Safari\/537.22", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chromium\/25.0.1364.160 Chrome\/25.0.1364.160 Safari\/537.22\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chro", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "177e903bdb45f30019712c61e8e63d5c644178b9", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chromium\/25.0.1364.160 Chrome\/25.0.1364.160 \u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chro", "attack_vector": "port scan syn \u00b7 via HTTP:81 \u00b7 (reconnaissance)", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chromium\/25.0.1364.160 Chrome\/25.0.1364.160 \u2026", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:81 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:81\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686) AppleWebKit\/537.22 (KHTML like Gecko) Ubuntu Chro", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 36.73, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8099 · HTTP	http	Scan de ports port scan syn · via HTTP:8099 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8099 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8099 User-Agent: Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) Accept-Charset: Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8099 User-Agent: Konqueror/3.0-rc4; (Konqueror/3.0-rc4; i686 Linux;;datecode) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "4ed0d63bf1d6ec6fd866594fd70daab7ecc11510", "http_host_hash": "611196ff5d5ba8288e3fb0ff9b6947637bff1fee", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 180, "payload_entropy": 5.18864919049402, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8099, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "fdcef0b90b74dd5560ab6e20694a5b7539713d55", "event_fingerprint": "3b7a33d80c2eef24d6c407cf752d20c697cf3ac4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "d52223bb5389281eb4cd370e619fa65d", "payload_hash": "afacc8e6d3721fcb47e4fbe8990f779e", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8099, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\nAccept-Charset:", "method": "GET", "path": "\/", "user_agent": "Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\nAccept-Charset:", "evidence": { "method": "GET", "path": "\/", "user_agent": "Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\nAccept-Charset:", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ae18937f0e77198f37a899a19f6de4b133b0d022", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "port": 8099, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\nAccept-Charset:", "attack_vector": "port scan syn \u00b7 via HTTP:8099 \u00b7 (reconnaissance)", "target_port_label": "8099 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8099, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)", "port": 8099, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8099 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8099\r\nUser-Agent: Konqueror\/3.0-rc4; (Konqueror\/3.0-rc4; i686 Linux;;datecode)\r\nAccept-Charset:", "target_port_label": "8099 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8099" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 36.66, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8088 · HTTP	http	Scan de ports port scan syn · via HTTP:8088 · (reconnaissance)	Élevée	Moyen · 57
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Ver… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8088 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 57 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8088 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61 Ac Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8088 User-Agent: Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.6.30 Version/10.61 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e07e5e0da8ee474065a0824c0538566a07f94a33", "http_host_hash": "5af561107125d8ccc4aac442a3b8b5dee6769a85", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 193, "payload_entropy": 5.176527994936885, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8088, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 57, "tag_count": 4, "anomaly_count": 0, "campaign_key": "95ce2f5bc2fbd11ee54b970f11bd51dadfdd6800", "event_fingerprint": "37d96fce8f60b477529ee3ee20f66ccf08b6b641", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ac5aa9af717e5c4a95e1429b0f472fc1", "payload_hash": "8a3e3eca640358dc53a8fc8f5719bade", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8088, "service": "http", "service_name": "http", "risk_score": 57 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61\r\nAc", "method": "GET", "path": "\/", "user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61\r\nAc", "evidence": { "method": "GET", "path": "\/", "user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61\r\nAc", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "28f66dfb439afbb3d3b36ffd4600e3ecf495af51", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61\r\nAc", "attack_vector": "port scan syn \u00b7 via HTTP:8088 \u00b7 (reconnaissance)", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 57, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 57, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8088, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61", "port": 8088, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8088 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8088\r\nUser-Agent: Opera\/9.80 (Macintosh; Intel Mac OS X; U; en) Presto\/2.6.30 Version\/10.61\r\nAc", "target_port_label": "8088 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8088" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 36.58, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8091 · COUCHBASE	couchbase	Scan de ports port scan syn · via COUCHBASE:8091 · (reconnaissance)	Élevée	Moyen · 52
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole Émulateur COUCHBASE WAF — Recommandation Investiguer Tags couchbase_emulated couchbase_payload http_get_probe mozi_pattern Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8091 Chemin / cible — Service COUCHBASE Payload GET / HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit/537.36 (KHTML, like Gec Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 52 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit/537.36 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8091 User-Agent: Mozilla/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f7420636f7563686261736520726561647920706f72743d383039310d0a", "emulator_response_len": 40, "bytes_in": 242, "payload_entropy": 5.415924924258971, "port_category": "registered", "org": "Google LLC", "service": "couchbase", "app_proto": "couchbase", "asn": 396982, "country": "US", "dst_port": 8091, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 40, "risk_novelty": 25, "risk_boost": 20, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25 }, "risk_score": 52, "tag_count": 5, "anomaly_count": 0, "campaign_key": "74d5be11cec774a8f369d9fd773352f2b7922af7", "event_fingerprint": "a032868a84f756125902e980581e4d9d67e60d5a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 52, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "couchbase", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c969073b03b30929a94df4aa92e3d6db", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9" }, "target_context": { "dst_port": 8091, "service": "couchbase", "service_name": "couchbase", "risk_score": 52 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gec", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gec", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gec", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "eb0d6fe894d3a7c00e1fce1c1e535f5d0965c4e1", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gec", "port": 8091, "service": "couchbase", "service_label_fr": "COUCHBASE" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gec", "attack_vector": "port scan syn \u00b7 via COUCHBASE:8091 \u00b7 (reconnaissance)", "target_port_label": "8091 \u00b7 COUCHBASE", "emulator_service": "couchbase", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via COUCHBASE \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 40, "novelty": 25, "risk_score": 52, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 52, "risk_label": "Moyen", "service_name": "couchbase", "service_label_fr": "COUCHBASE", "dst_port": 8091, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-couchbase", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gec", "port": 8091, "service": "couchbase", "service_label_fr": "COUCHBASE" }, "attack_vector": "port scan syn \u00b7 via COUCHBASE:8091 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8091\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Mi MIX 2S) AppleWebKit\/537.36 (KHTML, like Gec", "target_port_label": "8091 \u00b7 COUCHBASE", "emulator_service": "couchbase", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "couchbase", "service_banner": "honeypot-couchbase", "service_os": "linux", "dst_port": "8091" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 36.5, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "couchbase_emulated", "couchbase_payload", "http_get_probe", "mozi_pattern", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8084 · HTTP	http	Scan de ports port scan syn · via HTTP:8084 · (reconnaissance)	Élevée	Moyen · 56
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro/1.… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8084 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 56 Confiance : Confiance 100 % — 3 tag(s) WAF Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1) Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8084 User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro/1.0 Profile/MIDP Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8084 User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "8599b583d1d30e65e110378685d355bc06a31ce8", "http_host_hash": "52139ff216422f6e734a2f69155b92f0ec67e9f8", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 225, "payload_entropy": 5.313672776993583, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8084, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.2, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 56, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8fb16438a5b2d4c44a77a37a55532430d6d15ecc", "event_fingerprint": "ebc906b0f0074f27e2e4f93dcdc76e075f5acfe4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "59dc15e59386dee200215d2b6d9f17b1", "payload_hash": "0c9030fae93b4cf5c2837584ea829b0f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8084, "service": "http", "service_name": "http", "risk_score": 56 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP", "method": "GET", "path": "\/", "user_agent": "Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "23c8800dd0cfc13f45af4d900b9565d143178893", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)", "port": 8084, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP", "attack_vector": "port scan syn \u00b7 via HTTP:8084 \u00b7 (reconnaissance)", "target_port_label": "8084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 56, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 56, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8084, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP-2.0 Configuration\/CLDC-1.1)", "port": 8084, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8084 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8084\r\nUser-Agent: Mozilla\/4.0 (compatible; MSIE 4.01; Windows CE; PPC; MDA Pro\/1.0 Profile\/MIDP", "target_port_label": "8084 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8084" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 36.37, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8100 · HTTP	http	Scan de ports port scan syn · via HTTP:8100 · (reconnaissance)	Élevée	Moyen · 54
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8100 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 54 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.100 Chrome/76.0.3809.100 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8100 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8100 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.100 Chrome/76.0.3809.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "30b58e96275c900437bd1f3094408c62741a5ff9", "http_host_hash": "6eae026ce138d6d2c762facfcf5ef15124599371", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 255, "payload_entropy": 5.429036903179614, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8100, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 54, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c9d72ba62517e7cc1b401f74c86e1151ca218120", "event_fingerprint": "a7d3c1099a07af581001ec3c833a1c6c559db5b9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5375c656c4ef272e50ec4b6236a30a31", "payload_hash": "7054341a677d740a44f4212ec6c1d12b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8100, "service": "http", "service_name": "http", "risk_score": 54 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.100 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3e55dcf85fe7afb202bba9e92fbafadf03b37c7e", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.1\u2026", "port": 8100, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu", "attack_vector": "port scan syn \u00b7 via HTTP:8100 \u00b7 (reconnaissance)", "target_port_label": "8100 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 54, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 54, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8100, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/76.0.3809.100 Chrome\/76.0.3809.1\u2026", "port": 8100, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8100 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8100\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu", "target_port_label": "8100 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8100" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 36.22, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }
13/06/2026 19:19:59 UTC	TCP	8110 · HTTP	http	Scan de ports port scan syn · via HTTP:8110 · (reconnaissance)	Élevée	Moyen · 55
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole GET / UA Mozilla/5.0 (Windows; U; ; en-NZ) AppleWebKit/527 (KHTML, like … Émulateur HTTP WAF 16 Recommandation Investiguer Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path net_flood Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8110 Chemin / cible / Service HTTP Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 55 Confiance : Confiance 100 % — 3 tag(s) WAF Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows; U; ; en-NZ) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.8.0 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8110 User-Agent: Mozilla/5.0 (Windows; U; ; en-NZ) AppleWebKit/527 (KHTML, like Gecko, Safari Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:8110 User-Agent: Mozilla/5.0 (Windows; U; ; en-NZ) AppleWebKit/527 (KHTML, like Gecko, Safari/419.3) Arora/0.8.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 5, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "475f9ece62a7dcdd67805664bfc891d7a6ee6cc5", "http_host_hash": "64f7ccc93e073223dc1e2185c2d348fbb3aa9026", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 216, "payload_entropy": 5.388261364451404, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 8110, "risk_waf": 72, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 55, "tag_count": 4, "anomaly_count": 0, "campaign_key": "47a518eb7d73425dcb8e7bdca9129203f7128552", "event_fingerprint": "d1b2f1f372d4e409b9452e5d91206ce8f29efc9a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 293, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "5ce0ceb4be04b725af2f4dcab1b60b6b", "payload_hash": "eb342fa0c621a81d3ce41a5b05cbc50f", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8110, "service": "http", "service_name": "http", "risk_score": 55 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8110\r\nUser-Agent: Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.8.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8110\r\nUser-Agent: Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.8.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8110\r\nUser-Agent: Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.8.0", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8110\r\nUser-Agent: Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.8.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8110\r\nUser-Agent: Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "investigate", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d22b9d16c461fcb39b839704405c804581657f26", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.8.0", "port": 8110, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8110\r\nUser-Agent: Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari", "attack_vector": "port scan syn \u00b7 via HTTP:8110 \u00b7 (reconnaissance)", "target_port_label": "8110 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 72, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 55, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 55, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8110, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "investigate", "recommended_action_label": "Investiguer", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari\/419.3) Arora\/0.8.0", "port": 8110, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port scan syn \u00b7 via HTTP:8110 \u00b7 (reconnaissance)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8110\r\nUser-Agent: Mozilla\/5.0 (Windows; U; ; en-NZ) AppleWebKit\/527 (KHTML, like Gecko, Safari", "target_port_label": "8110 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8110" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 161, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 161, "scan_velocity_ports_per_s": 36.14, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 78, "multi_protocol_sample": [ "activemq-console", "admin-alt", "aws-ecs-agent", "cassandra", "cassandra-jmx", "clickhouse-native", "consul-server", "consul-wan" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "matched_patterns": [], "ban_policy": "advisory_investigate", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path", "net_flood" ], "asn_dc_heuristic": true }

136.112.73.222

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence