13/06/2026 19:19:59 UTC
TCP
8150 · HTTP
Scan de ports
port scan syn · via HTTP:8150 · (reconnaissance)
Élevée
Moyen · 57
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHO…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8150
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 57
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8150
User-Agent: Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHOLS_U2_01.03.1)
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8150 User-Agent: Mozilla/5.0 (Linux; U; Android 2.0; en-us; Milestone Build/ SHOLS_U2_01.03.1) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Accept-Charset: utf-8 Accept-Encoding: gzip Connecti
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6e8b07bac497fa9f2707570ce9fcb06b711c04ec",
"http_host_hash": "fe17425bbcca8fd24d472521d0819811358fe34f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 269,
"payload_entropy": 5.385467130026812,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8150,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 57,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "e453db0846a4de1c9feac36eedf4b5d063ae5708",
"event_fingerprint": "a80bd5bf78a1a3b0ca78469981a73a90b6293e3d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "afc464e3d0de0b12e5ffcb4570ea9a68",
"payload_hash": "493354e1002dffa9fa592f5102d76609",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8150,
"service": "http",
"service_name": "http",
"risk_score": 57
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1)",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1)",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1)",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "365d2945829689085f64c7128a3c4361dc4ed759",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Ve\u2026",
"port": 8150,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1)",
"attack_vector": "port scan syn \u00b7 via HTTP:8150 \u00b7 (reconnaissance)",
"target_port_label": "8150 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 57,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8150,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1) AppleWebKit\/530.17 (KHTML, like Gecko) Ve\u2026",
"port": 8150,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8150 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8150\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0; en-us; Milestone Build\/ SHOLS_U2_01.03.1)",
"target_port_label": "8150 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8150"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 36.05,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8160 · HTTP
Scan de ports
port scan syn · via HTTP:8160 · (reconnaissance)
Élevée
Moyen · 54
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8160
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 54
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8160
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36 (KHTML, like
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8160 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "b3a96afeae4b6ab9fcb5170be19f4a12892285f6",
"http_host_hash": "1732488e35cb537e17a750aab8f630d06ca30f24",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 244,
"payload_entropy": 5.4007661305438575,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8160,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 54,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "0cbbf1e725e6dc5c3543f422509cf17e99b8cbc7",
"event_fingerprint": "60045e6f88f119fed8073e0aea0a26058b98effe",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 54,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "25f672c9d3583e5b7f4ad296c1f6db00",
"payload_hash": "0ade6d0da9d52289d4eb4f412afeabfd",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8160,
"service": "http",
"service_name": "http",
"risk_score": 54
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8160\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like ",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8160\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8160\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8160\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8160\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "63c3f4f7fdd220fea00a68a8c9e9c6eab5646123",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026",
"port": 8160,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8160\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like",
"attack_vector": "port scan syn \u00b7 via HTTP:8160 \u00b7 (reconnaissance)",
"target_port_label": "8160 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 54,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 54,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8160,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/5\u2026",
"port": 8160,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8160 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8160\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G965U) AppleWebKit\/537.36 (KHTML, like",
"target_port_label": "8160 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8160"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.9,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8120 · HTTP
Scan de ports
port scan syn · via HTTP:8120 · (reconnaissance)
Élevée
Moyen · 57
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit/537.36…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8120
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 57
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8120
User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit/537.36 (KHTML, like
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8120 User-Agent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "f5afc8d7c4957c93e4a79f6871fdbcfa35f49089",
"http_host_hash": "af2dcc38887367bbe1d5bf520253fabddac9e2af",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 245,
"payload_entropy": 5.408222595663711,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8120,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 57,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "5cdd4abcd328cafa924b5a0c075a1eaabde8ccc9",
"event_fingerprint": "ea9b2eba31620a886ee10f2d31be516e737eeb83",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "610f4c517af8d56f9097a351a06686d5",
"payload_hash": "921ac88d7e39f72b7310495c459f67d8",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8120,
"service": "http",
"service_name": "http",
"risk_score": 57
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like ",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1ae42d5c536380ec7600ac0d8ec2741400542b1e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026",
"port": 8120,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like",
"attack_vector": "port scan syn \u00b7 via HTTP:8120 \u00b7 (reconnaissance)",
"target_port_label": "8120 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 57,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8120,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/\u2026",
"port": 8120,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8120 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8120\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit\/537.36 (KHTML, like",
"target_port_label": "8120 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8120"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.82,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8190 · HTTP
Scan de ports
port scan syn · via HTTP:8190 · (reconnaissance)
Élevée
Moyen · 53
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8190
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3876.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8190
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8190 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3876.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "32327fff8b51993e2a11eaa1f03a55f19f9a3e6a",
"http_host_hash": "b9e7f18e086476e2ceaf3b18c5718252ebc35842",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 223,
"payload_entropy": 5.433027818250381,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 53,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "3e832a0b3cbe4baf51d7fa35851064d433c49742",
"event_fingerprint": "97c3360a168712c0694c675a3717f642016f05be",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "374e594fff7d90fcc3f4c27b624d5da4",
"payload_hash": "d261047029e5d25b74b73bffd199d88e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8190,
"service": "http",
"service_name": "http",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "15b780c7c29d26fe2e3765e89ed154dea0b87302",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome",
"attack_vector": "port scan syn \u00b7 via HTTP:8190 \u00b7 (reconnaissance)",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3876.0 Safari\/537.36",
"port": 8190,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8190 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8190\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome",
"target_port_label": "8190 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.75,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8170 · HTTP
Scan de ports
port scan syn · via HTTP:8170 · (reconnaissance)
Élevée
Élevé · 65
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWeb…
Émulateur
HTTP
WAF
23
Recommandation
Investiguer
Tags
950086:sqli-21
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8170
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Élevé
· 65
Confiance : Confiance 100 % — 4 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN
Règles WAF
sqli-21
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8170
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8170 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.5(0x17000523) NetType/WIFI Language/zh_CN Accept-Charset: utf-8 Accept-Enc
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "e981751fedf6ee8e46cd214a09719ba1b0461ffc",
"http_host_hash": "436b396986e0763bf4221c1d50b5d123713fc75e",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 290,
"payload_entropy": 5.454549375322585,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8170,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4.5,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 25
},
"risk_score": 65,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "f1cf8ef74fb66523879af9ff7f5f6ae18d84cf6e",
"event_fingerprint": "91f72057d0c250413363b39379f25e0e87ea25a6",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 25,
"risk_score": 65,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "82d16bb3eefbe3c997ad54f873619a62",
"payload_hash": "d4b8e7fb37066e516be05ad3643f07d0",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8170,
"service": "http",
"service_name": "http",
"risk_score": 65
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8170\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8170\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-8\r\nAccept-Enc",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8170\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8170\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMessenger\/7.0.5(0x17000523) NetType\/WIFI Language\/zh_CN\r\nAccept-Charset: utf-8\r\nAccept-Enc",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8170\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "86dbcf684ba1df510c76bfbcc7905552297ebdf3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMess\u2026",
"port": 8170,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8170\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (",
"attack_vector": "port scan syn \u00b7 via HTTP:8170 \u00b7 (reconnaissance)",
"target_port_label": "8170 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 65\/100 (\u00c9lev\u00e9) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 25,
"risk_score": 65,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 65,
"risk_label": "\u00c9lev\u00e9",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8170,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/15E148 MicroMess\u2026",
"port": 8170,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8170 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8170\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit\/605.1.15 (",
"target_port_label": "8170 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +23 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8170"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.68,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8161 · HTTP
Scan de ports
port scan syn · via HTTP:8161 · (reconnaissance)
Élevée
Moyen · 54
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8161
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 54
Confiance : Confiance 100 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8161
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, li
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8161 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204a657474792f392e34204163746976654d512f352e31380d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2034390d0a0d0a3c68746d6c3e3c626f64793e417061636865204163746976654d5120436f6e",
"emulator_response_len": 146,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5014d4114c4cbabd19d9fd2da5d287ad27a6f544",
"http_host_hash": "66eb19834a7c23530413a6e482ea0316c4442029",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 241,
"payload_entropy": 5.425523476322153,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8161,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 54,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "5dee48755a84388881c9d8f9b3b4d0b24c181228",
"event_fingerprint": "9a1ecb9e558b64525dd467e4fa3aa733e66a8987",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 54,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "b0ae87eff6920e57eb3c45e71d20538f",
"payload_hash": "399e74ffbbc380acc53826c74bd6a8cf",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8161,
"service": "http",
"service_name": "http",
"risk_score": 54
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8161\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8161\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8161\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8161\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8161\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3d58736fe100b1644e1f94da69ef555428e26483",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026",
"port": 8161,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8161\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li",
"attack_vector": "port scan syn \u00b7 via HTTP:8161 \u00b7 (reconnaissance)",
"target_port_label": "8161 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 54,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 54,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8161,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.169 Safari\/537.\u2026",
"port": 8161,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8161 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8161\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit\/537.36 (KHTML, li",
"target_port_label": "8161 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8161"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.59,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8230 · HTTP
Scan de ports
port scan syn · via HTTP:8230 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 (KHT…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8230
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8230
User-Agent: Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 (KHTML, like Gecko
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8230 User-Agent: Mozilla/5.0 (Linux; Android 9; ELE-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d4213e87f50f2b1ff1f423219d60cd9df84a9cee",
"http_host_hash": "163186b619b93ddd14a0ff101fbe35a451f16069",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 240,
"payload_entropy": 5.403636822537676,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8230,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "900600d17c81f246912127b88e17627c41944945",
"event_fingerprint": "26a6021bb0ef6e5479b45cf011aa9d865890bd85",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f8e440f448c37585e3d439a7ebcaf6f8",
"payload_hash": "8cb859e2a67855a7e78cfc8dc3fe30e0",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8230,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8230\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8230\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8230\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8230\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8230\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "86b7730f7d243897d03b07580e1c80ce4f8351c3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 8230,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8230\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko",
"attack_vector": "port scan syn \u00b7 via HTTP:8230 \u00b7 (reconnaissance)",
"target_port_label": "8230 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8230,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 8230,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8230 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8230\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; ELE-L09) AppleWebKit\/537.36 (KHTML, like Gecko",
"target_port_label": "8230 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8230"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.38,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
82 · HTTP
Scan de ports
port scan syn · via HTTP:82 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
82
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:82
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:82 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.19 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "db6deb7ef6a82c1e4be54ac4070c6ce34533a2c9",
"http_host_hash": "b00c56701bd04898edc8a488547d32d613363649",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 238,
"payload_entropy": 5.396088600396351,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 82,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "899452c7639f0647633475b56c265f4d0162b466",
"event_fingerprint": "99d1fa91829a98776d27b93154df102b814f8f2d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "69569121d784b2495a4e49f811f9eceb",
"payload_hash": "26de4f5fbb999ecb39352e08396f13af",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 82,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "adac0c3ab7e62bded39f1b1322f0bd46dc3e309c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36",
"port": 82,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like",
"attack_vector": "port scan syn \u00b7 via HTTP:82 \u00b7 (reconnaissance)",
"target_port_label": "82 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 82,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/77.0.3865.19 Safari\/537.36",
"port": 82,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:82 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:82\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit\/537.36 (KHTML, like",
"target_port_label": "82 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "82"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.27,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8240 · HTTP
Scan de ports
port scan syn · via HTTP:8240 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/53…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8240
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8240
User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, l
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8240 User-Agent: Mozilla/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "67cd2aa88754575f856c2edf38d4b5159963a959",
"http_host_hash": "0be3bca742505f7e8dcd8a1961ce4d873b4a0456",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 249,
"payload_entropy": 5.407370645583046,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8240,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "fa407f6b275098696084f2867c3f4396e5158732",
"event_fingerprint": "dc058b368f9c59def3bf9839be64437a854d022e",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "57322d07efe3c4afc6e4b5dae3823bbb",
"payload_hash": "b69cdf2e7de87faae5af7ffea5121a39",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8240,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8240\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, l",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8240\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8240\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, l",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8240\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8240\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, l",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e899f956b4e155ed697d5dea47909641e83150ab",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026",
"port": 8240,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8240\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, l",
"attack_vector": "port scan syn \u00b7 via HTTP:8240 \u00b7 (reconnaissance)",
"target_port_label": "8240 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8240,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Saf\u2026",
"port": 8240,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8240 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8240\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 8.1.0; Redmi 5 Plus) AppleWebKit\/537.36 (KHTML, l",
"target_port_label": "8240 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8240"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.2,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8250 · HTTP
Scan de ports
port scan syn · via HTTP:8250 · (reconnaissance)
Élevée
Moyen · 63
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleW…
Émulateur
HTTP
WAF
23
Recommandation
Investiguer
Tags
950086:sqli-21
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8250
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 63
Confiance : Confiance 100 % — 4 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16C104 MicroMessenger/7.0.5(0x17000523) NetType/4G Language/zh_CN
Règles WAF
sqli-21
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8250
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8250 User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16C104 MicroMessenger/7.0.5(0x17000523) NetType/4G Language/zh_CN Accept-Charset: utf-8 Accept-Enc
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "4af7bc39912e902dac64ddc9ebcef81f82909553",
"http_host_hash": "00fbe0b3d64179f8fe1607e2da1925ebc286b5fa",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 290,
"payload_entropy": 5.420379592961321,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8250,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 25
},
"risk_score": 63,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "d23df720f66300107dc631b25bc234866ddd94cb",
"event_fingerprint": "b0c947ff253894acc6697f0b1d6e94efd41e0391",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 25,
"risk_score": 63,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "983f8800255038b3da137fa504c1ce5c",
"payload_hash": "8ebf0d179e7036ec31a2ded936b95012",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8250,
"service": "http",
"service_name": "http",
"risk_score": 63
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8250\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8250\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN\r\nAccept-Charset: utf-8\r\nAccept-Enc",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8250\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8250\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMessenger\/7.0.5(0x17000523) NetType\/4G Language\/zh_CN\r\nAccept-Charset: utf-8\r\nAccept-Enc",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8250\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1813eb75189f63a0096d8ac8b626d673351782d2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMe\u2026",
"port": 8250,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8250\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15",
"attack_vector": "port scan syn \u00b7 via HTTP:8250 \u00b7 (reconnaissance)",
"target_port_label": "8250 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 25,
"risk_score": 63,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 63,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8250,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15 (KHTML, like Gecko) Mobile\/16C104 MicroMe\u2026",
"port": 8250,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8250 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8250\r\nUser-Agent: Mozilla\/5.0 (iPhone; CPU iPhone OS 12_1_2 like Mac OS X) AppleWebKit\/605.1.15",
"target_port_label": "8250 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +23 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8250"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.12,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8220 · HTTP
Scan de ports
port scan syn · via HTTP:8220 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Googlebot-Video/1.0
Émulateur
HTTP
WAF
3
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8220
Chemin / cible
/
Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 1 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Googlebot-Video/1.0
Règles WAF
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8220
User-Agent: Googlebot-Video/1.0
Accept-Charset: utf-8
Accept-Encoding: gzip
Connection
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8220 User-Agent: Googlebot-Video/1.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "3580c3e0bbd27c88a84060337cc1c6ff2496b3f9",
"http_host_hash": "1fbbb3aef4711ab64e3a1d80063f93db64002981",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 139,
"payload_entropy": 5.0186351819435835,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8220,
"risk_waf": 20,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.5,
"risk_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "7373ba0beaa5df501be919e817be2e4b5169ad8b",
"event_fingerprint": "c3c7e72b759d1df8ee549ab195e7a9479092095b",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "264516773b1a82d816f3a0ab5476d704",
"payload_hash": "dd6f05ec8126319433e8841f9f89eec1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8220,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection",
"method": "GET",
"path": "\/",
"user_agent": "Googlebot-Video\/1.0",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Googlebot-Video\/1.0",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "bda758fb484d7be231f0a5a09a169171bcd9c8ac",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Googlebot-Video\/1.0",
"port": 8220,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection",
"attack_vector": "port scan syn \u00b7 via HTTP:8220 \u00b7 (reconnaissance)",
"target_port_label": "8220 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8220,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Googlebot-Video\/1.0",
"port": 8220,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8220 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8220\r\nUser-Agent: Googlebot-Video\/1.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection",
"target_port_label": "8220 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8220"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 35.04,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8260 · HTTP
Scan de ports
port scan syn · via HTTP:8260 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8260
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8260
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept-C
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8260 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "df352d7e1fe4a2c9e445f4d5a9564a20ec28f76f",
"http_host_hash": "0761dd68e976ddfa28100121d9dcefa020fb01d1",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 187,
"payload_entropy": 5.234441114637112,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8260,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "2d128717cad9c1b7bfd5c6912dfdf5160129b6a1",
"event_fingerprint": "bac5478c7e1fcc62f70796255ee5e305f6647a6a",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "70c360f954831111403641c586d1b0f5",
"payload_hash": "976a273b7cb24d991660f342bdf99a49",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8260,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-C",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-C",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-C",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "74c7c0e503ee43fce65fee7626e89c40964f9ee2",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-C",
"attack_vector": "port scan syn \u00b7 via HTTP:8260 \u00b7 (reconnaissance)",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1",
"port": 8260,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8260 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8260\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; rv:2.0.1) Gecko\/20100101 Firefox\/4.0.1\r\nAccept-C",
"target_port_label": "8260 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 34.61,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8270 · HTTP
Scan de ports
port scan syn · via HTTP:8270 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build/SH…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8270
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build/SHOLS_U2_01.14.0) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8270
User-Agent: Mozilla/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build/SHOLS_U2_01.14.0
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8270 User-Agent: Mozilla/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build/SHOLS_U2_01.14.0) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 Accept-Charset: utf-8 Accept-Encoding: gzip Connect
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "70744f52ffc4fbbd21555ebcded90ba858af0058",
"http_host_hash": "78915ee80b97104c685a823088fbb60cfcb9734a",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 270,
"payload_entropy": 5.399425709940827,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8270,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "4b743b55e25f35eea2bdb83eda99ebc239586d82",
"event_fingerprint": "b82f761dccf29af8084b5e95b4cae8345aba1fe5",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "563ba6ae53e430e3e704d26d9387d4d9",
"payload_hash": "f878c893bd564cd5e1dfb88b4df9e1eb",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8270,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0) AppleWebKit\/530.17 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/530.17\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnect",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b91fdef5367d37930ed705b886d0e424c70b4abd",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0) AppleWebKit\/530.17 (KHTML, like Gecko) V\u2026",
"port": 8270,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0",
"attack_vector": "port scan syn \u00b7 via HTTP:8270 \u00b7 (reconnaissance)",
"target_port_label": "8270 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8270,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0) AppleWebKit\/530.17 (KHTML, like Gecko) V\u2026",
"port": 8270,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8270 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8270\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.0.1; de-de; Milestone Build\/SHOLS_U2_01.14.0",
"target_port_label": "8270 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8270"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 34.52,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8280 · HTTP
Scan de ports
port scan syn · via HTTP:8280 · (reconnaissance)
Élevée
Moyen · 53
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.32-22-generic…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8280
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML/4.4.3 (like Gecko) Kubuntu
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8280
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.32-22-generic; X11; en_US)
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8280 User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML/4.4.3 (like Gecko) Kubuntu Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "96b49e406c596f130017a1a27443df1d36fc0003",
"http_host_hash": "1d1dc479d2c499aeed3255f6c530b929b8511185",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 229,
"payload_entropy": 5.344266195470234,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8280,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 53,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d058f221b62a8b978465dd0ad4308e5e0f87ae5d",
"event_fingerprint": "e00de36c1077ee0f84a43cd92aa36353c92d1d1b",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "7a2d9889bcdfe826b39fb76b7851f88e",
"payload_hash": "4314ab0b66e99ea65ad9c86eda47c9ee",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8280,
"service": "http",
"service_name": "http",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8280\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US) ",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML\/4.4.3 (like Gecko) Kubuntu",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8280\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML\/4.4.3 (like Gecko) Kubuntu\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8280\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US)",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML\/4.4.3 (like Gecko) Kubuntu",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8280\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML\/4.4.3 (like Gecko) Kubuntu\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8280\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US)",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "fda05f6b72482e64ebc83049da5aaa1966f3fb3c",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML\/4.4.3 (like Gecko) Kubuntu",
"port": 8280,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8280\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US)",
"attack_vector": "port scan syn \u00b7 via HTTP:8280 \u00b7 (reconnaissance)",
"target_port_label": "8280 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8280,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US) KHTML\/4.4.3 (like Gecko) Kubuntu",
"port": 8280,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8280 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8280\r\nUser-Agent: Mozilla\/5.0 (compatible; Konqueror\/4.4; Linux 2.6.32-22-generic; X11; en_US)",
"target_port_label": "8280 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8280"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 34.44,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8282 · HTTP
Scan de ports
port scan syn · via HTTP:8282 · (reconnaissance)
Élevée
Moyen · 53
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, …
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8282
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8282
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Ch
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8282 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "4e7e349db3b5dc1241aed6a22bd9f5c8cc25b7c2",
"http_host_hash": "af34772c983fda5085f04d903792846449a0d631",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 228,
"payload_entropy": 5.427644797554689,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8282,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 53,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "2653030c89c5606de6221c30c96f99e0abbe4b0f",
"event_fingerprint": "12bae1a2d7cd604d7b7ebe3bc6f4fedf3a6c4d25",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "8058a8cfabac3adfc683f14433036a92",
"payload_hash": "90f139f242c57c1591b1d4b7a3842c5c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8282,
"service": "http",
"service_name": "http",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8282\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8282\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8282\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8282\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8282\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ac09267e4f4f6de3b50b6c591a06e602cf483e36",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"port": 8282,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8282\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"attack_vector": "port scan syn \u00b7 via HTTP:8282 \u00b7 (reconnaissance)",
"target_port_label": "8282 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8282,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.87 Safari\/537.36",
"port": 8282,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8282 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8282\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"target_port_label": "8282 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8282"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 34.32,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
83 · HTTP
Scan de ports
port scan syn · via HTTP:83 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWeb…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
83
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:83
User-Agent: Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KH
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:83 User-Agent: Mozilla/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8F190 Safari/6533.18.5 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bfe337f65b96ab2d85f1b043e52e4d4dbcabeb8e",
"http_host_hash": "694048aafc409256f88bc22a99ef68d4a126a60b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 257,
"payload_entropy": 5.40698256913187,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 83,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "fe69d430c2bec19d8c73cd6b9f3a8541cd43902c",
"event_fingerprint": "3e93ac27e27b651526bf414bb288df0a0f93c160",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "191b84648989c0b55455be235ffc5e52",
"payload_hash": "95966a21115cea94b20839a005d6a5d1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 83,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KH",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F190 Safari\/6533.18.5",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F190 Safari\/6533.18.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KH",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F190 Safari\/6533.18.5",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F190 Safari\/6533.18.5\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KH",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b88ec0e83629258a58bc40b5f0d5130f93b76461",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F\u2026",
"port": 83,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KH",
"attack_vector": "port scan syn \u00b7 via HTTP:83 \u00b7 (reconnaissance)",
"target_port_label": "83 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 83,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KHTML, like Gecko) Version\/5.0.2 Mobile\/8F\u2026",
"port": 83,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:83 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:83\r\nUser-Agent: Mozilla\/5.0 (iPad; U; CPU OS 4_3 like Mac OS X; en-us) AppleWebKit\/533.17.9 (KH",
"target_port_label": "83 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "83"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 34.23,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8290 · HTTP
Scan de ports
port scan syn · via HTTP:8290 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8290
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8290
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8290 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "e65381e09416f9f44e15da480f747a5f92effc5c",
"http_host_hash": "61a7b1773527c921928661190ee842dd18f42619",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 234,
"payload_entropy": 5.420143484125912,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8290,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c93f4215bd81f8c4eff2bbec88cccdc6bfb9f37e",
"event_fingerprint": "3ae805334d7625be001c1b0e91dd27cd4efefe58",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "c937486453a28bce9489cfffbedb5491",
"payload_hash": "1ca65f7b819940381fe517a76cef21d1",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8290,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2035748a3b436b3d09a31a7ff64791503dc520e8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36",
"port": 8290,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"attack_vector": "port scan syn \u00b7 via HTTP:8290 \u00b7 (reconnaissance)",
"target_port_label": "8290 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8290,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.100 Safari\/537.36",
"port": 8290,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8290 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8290\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"target_port_label": "8290 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8290"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 34.16,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8300 · HTTP
Scan de ports
port scan syn · via HTTP:8300 · (reconnaissance)
Élevée
Moyen · 48
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Opera/9.25 (Windows NT 6.0; U; en)
Émulateur
HTTP
WAF
10
Recommandation
Surveiller
Tags
950326:rce-0
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8300
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 48
Confiance : Confiance 100 % — 2 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Opera/9.25 (Windows NT 6.0; U; en)
Règles WAF
rce-0
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8300
User-Agent: Opera/9.25 (Windows NT 6.0; U; en)
Accept-Charset: utf-8
Accept-Encoding: g
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8300 User-Agent: Opera/9.25 (Windows NT 6.0; U; en) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "2fce8a3a0314347c891e16aa119f6cca5d540742",
"http_host_hash": "372950b7e517660af40b2015a2d8c9118c97a68c",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 154,
"payload_entropy": 5.167349343712311,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8300,
"risk_waf": 48,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.7,
"risk_breakdown": {
"waf": 48,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f5d494d12c5818db8f75aedd20511dbc99abe844",
"event_fingerprint": "9a077907caab4a497af1233b2fd2c59f903dedf1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 48,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 48,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f93269a78e8633bcd4a212b118d04e7a",
"payload_hash": "e2a1ad2b9690140bcef661d40aab859d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8300,
"service": "http",
"service_name": "http",
"risk_score": 48
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Opera\/9.25 (Windows NT 6.0; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g",
"method": "GET",
"path": "\/",
"user_agent": "Opera\/9.25 (Windows NT 6.0; U; en)",
"waf_tags": [
"950326:rce-0",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Opera\/9.25 (Windows NT 6.0; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Opera\/9.25 (Windows NT 6.0; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Opera\/9.25 (Windows NT 6.0; U; en)",
"waf_tags": [
"950326:rce-0",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Opera\/9.25 (Windows NT 6.0; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Opera\/9.25 (Windows NT 6.0; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "06a23b6293d89a3ec665096a41f8a9d831581b39",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Opera\/9.25 (Windows NT 6.0; U; en)",
"port": 8300,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Opera\/9.25 (Windows NT 6.0; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g",
"attack_vector": "port scan syn \u00b7 via HTTP:8300 \u00b7 (reconnaissance)",
"target_port_label": "8300 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 48\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 48,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 48,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8300,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Opera\/9.25 (Windows NT 6.0; U; en)",
"port": 8300,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8300 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8300\r\nUser-Agent: Opera\/9.25 (Windows NT 6.0; U; en)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: g",
"target_port_label": "8300 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 48 \u00b7 Bonus corr\u00e9lation +23 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8300"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 34.1,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950326:rce-0",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8443 · HTTPS
Scan de ports
port scan syn · via HTTPS:8443 · (reconnaissance)
Élevée
Moyen · 53
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
HTTPS
WAF
—
Recommandation
Investiguer
Tags
http_alt_port
http_get_probe
mozi_pattern
net_flood
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
8443
Chemin / cible
—
Service
HTTPS
Payload
GET / HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8443
User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8443 User-Agent: Mozilla/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.89 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 244,
"payload_entropy": 5.406708647920894,
"port_category": "registered",
"org": "Google LLC",
"service": "https",
"app_proto": "https",
"asn": 396982,
"country": "US",
"dst_port": 8443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 53,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "13e8a700c83a292ed9355de29b1ea8c49a19540d",
"event_fingerprint": "1268b50d410d1cdd8232ddd7c8594924aae881d7",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d9674e01330f58b5902611342430acc8",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 8443,
"service": "https",
"service_name": "https",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like ",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.89 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "19bc69fd13bf8a61a3fe5554bb65b9fbb5d54d35",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like",
"attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 8443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like",
"port": 8443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8443\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; Redmi Note 7) AppleWebKit\/537.36 (KHTML, like",
"target_port_label": "8443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "8443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 33.73,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"http_alt_port",
"http_get_probe",
"mozi_pattern",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8383 · HTTP
Scan de ports
port scan syn · via HTTP:8383 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; …
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8383
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Geckoo
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8383
User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOK
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8383 User-Agent: Mozilla/5.0 (Windows NT 6.2; ARM; Trident/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Geckoo Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "7d357200e0a27154fabbb6a6c0c0765d966df0a9",
"http_host_hash": "1c1fc1527371abdd72703cf5987bce1243e5f443",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 223,
"payload_entropy": 5.373351338043843,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8383,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "96a9d456d81a0158b1472ff0a4e74af07d9ecacc",
"event_fingerprint": "5ba6b36b0373816961d5e7e3238c6b8152ac85de",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f0c61ab08aa09c42d55b997d0990ada2",
"payload_hash": "5d63d25950cb636d8a2097a5ba584a1e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8383,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8383\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOK",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Geckoo",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8383\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Geckoo\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8383\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOK",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Geckoo",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8383\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Geckoo\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8383\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOK",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a16b568f6a20131ed6d939233bfe481db9a07c18",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Geckoo",
"port": 8383,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8383\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOK",
"attack_vector": "port scan syn \u00b7 via HTTP:8383 \u00b7 (reconnaissance)",
"target_port_label": "8383 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8383,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOKIA; Lumia 920) like Geckoo",
"port": 8383,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8383 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8383\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.2; ARM; Trident\/7.0; Touch; rv:11.0; WPDesktop; NOK",
"target_port_label": "8383 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8383"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 33.64,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8400 · HTTP
Scan de ports
port scan syn · via HTTP:8400 · (reconnaissance)
Élevée
Moyen · 57
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8400
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 57
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8400
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Geck
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8400 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "dc26a822234d8444520a670d15349f3473e10df1",
"http_host_hash": "dfdaa3207ac68bb4b6b6c72a3332aa48ae8d5e9f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 233,
"payload_entropy": 5.391804974614585,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8400,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 6.2,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 57,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "a0594e5d0eae3d017125af7650349d9987e23e33",
"event_fingerprint": "cbb0ba7b77b3cd8e9cb8795b13c432fbd416297d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "1f5104674a2704b98aacd96ca6c3783c",
"payload_hash": "080aac5835f82e7a3665093b327f887f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8400,
"service": "http",
"service_name": "http",
"risk_score": 57
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8400\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8400\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8400\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8400\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8400\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "82f99296956c6db26b75901dd1fcfe26d6fe60ab",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36",
"port": 8400,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8400\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"attack_vector": "port scan syn \u00b7 via HTTP:8400 \u00b7 (reconnaissance)",
"target_port_label": "8400 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 57,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8400,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/73.0.3683.86 Safari\/537.36",
"port": 8400,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8400 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8400\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Geck",
"target_port_label": "8400 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8400"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 33.51,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
84 · HTTP
Scan de ports
port scan syn · via HTTP:84 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
84
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3872.0 Safari/537.36 Edg/78.0.244.0
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:84
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:84 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3872.0 Safari/537.36 Edg/78.0.244.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0fbe053a07a324f5130bdcd7b1d5a98e1dac3c93",
"http_host_hash": "de907e50aa859065aaba4f80e4cfc6d5e637955d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 252,
"payload_entropy": 5.4178904642963355,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 84,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9fb993ffcf83705beb8b95c4c861974f1975d96a",
"event_fingerprint": "4a5b296d98a06ba8c427b3e907854ab74a0f3130",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "cd3df6cecfd1ad01ce65fd62291ae84f",
"payload_hash": "a07dd189fd88126fbf8722843bd13b6d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 84,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:84\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36 Edg\/78.0.244.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:84\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36 Edg\/78.0.244.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:84\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36 Edg\/78.0.244.0",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:84\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36 Edg\/78.0.244.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:84\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9fcf4f2c2b901ca14cd5a3e7d146ec632d639036",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36\u2026",
"port": 84,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:84\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like",
"attack_vector": "port scan syn \u00b7 via HTTP:84 \u00b7 (reconnaissance)",
"target_port_label": "84 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 84,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3872.0 Safari\/537.36\u2026",
"port": 84,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:84 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:84\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/537.36 (KHTML, like",
"target_port_label": "84 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "84"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 33.23,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8484 · HTTP
Scan de ports
port scan syn · via HTTP:8484 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build/GI…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8484
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8484
User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build/GINGERBREAD) App
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8484 User-Agent: Mozilla/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: cl
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "61dbed70d007c0d32cf7c2124e13335ae0923850",
"http_host_hash": "19917df390766f7ab8cb41243766e82c486bec9f",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 263,
"payload_entropy": 5.469721668859228,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8484,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "206089698f06bfed37574dbf54ae84f64d93960f",
"event_fingerprint": "ccc02ffe76f1d062b541c43e406d29535790636e",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5acdde29da57c3be2f0d7b7ed6cacb40",
"payload_hash": "fdd0fd56d3f353b0f1feac4f699f094b",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8484,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8484\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) App",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8484\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8484\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) App",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8484\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/533.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: cl",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8484\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) App",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8d6a9cbabe067fb5ffce7a6b62531760b09fed85",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\u2026",
"port": 8484,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8484\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) App",
"attack_vector": "port scan syn \u00b7 via HTTP:8484 \u00b7 (reconnaissance)",
"target_port_label": "8484 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8484,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) AppleWebKit\/533.1 (KHTML, like Gecko) Version\u2026",
"port": 8484,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8484 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8484\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 2.3.3; ko-kr; SHW-M250S Build\/GINGERBREAD) App",
"target_port_label": "8484 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8484"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 33.17,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8445 · HTTP
Scan de ports
port scan syn · via HTTP:8445 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firefox/…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8445
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firefox/6.0a2 Iceweasel/6.0a2
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8445
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firefox/6.0a2 Icewease
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8445 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firefox/6.0a2 Iceweasel/6.0a2 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "3e5c7a2f6691371d187a6a1239d32a7286498a40",
"http_host_hash": "cb02367c77f38075a2cc9013ee32fc8b1cbdd795",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 204,
"payload_entropy": 5.297506910645132,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8445,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "39e67b75fefaad50e6db21e14a8057cb8a7ada57",
"event_fingerprint": "607df22eab72bd97cea29dc8cc54f6d79cad734b",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "d3dab9e594b4c00537cbac1864d5e975",
"payload_hash": "2e7431317d7f90d83a2a19d62a7ed30f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8445,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8445\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Icewease",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8445\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8445\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Icewease",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8445\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8445\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Icewease",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6f5d5d511f65c66f50ded30a77566b5c759f4ba5",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2",
"port": 8445,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8445\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Icewease",
"attack_vector": "port scan syn \u00b7 via HTTP:8445 \u00b7 (reconnaissance)",
"target_port_label": "8445 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8445,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Iceweasel\/6.0a2",
"port": 8445,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8445 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8445\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:6.0a2) Gecko\/20110615 Firefox\/6.0a2 Icewease",
"target_port_label": "8445 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8445"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 33.11,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
85 · HTTP
Scan de ports
port scan syn · via HTTP:85 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
85
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like Gecko) Safari/413
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:85
User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like Gecko) Safari/4
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:85 User-Agent: Mozilla/5.0 (SymbianOS/9.1; U; de) AppleWebKit/413 (KHTML, like Gecko) Safari/413 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "a178d1ad304a2c1c03f0710b15e57c19414c53ff",
"http_host_hash": "29631142709d39bee607e41cbb81ae54d3741f51",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 199,
"payload_entropy": 5.392499938853316,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 85,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "8dafc4025d61604e248ce8ee8a5b724a37922dc7",
"event_fingerprint": "ea5e21d2efaa0f434d9ef1e584c6ff6aec043051",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "539f85876cba5fa19c49ef4b6d59c4fc",
"payload_hash": "ab85f421dc6b94ef091b4d3e85f18d5b",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 85,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/4",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/4",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/4",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3823b0774a2ffe09281a00978613cf4df59ba48e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413",
"port": 85,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/4",
"attack_vector": "port scan syn \u00b7 via HTTP:85 \u00b7 (reconnaissance)",
"target_port_label": "85 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 85,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/413",
"port": 85,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:85 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:85\r\nUser-Agent: Mozilla\/5.0 (SymbianOS\/9.1; U; de) AppleWebKit\/413 (KHTML, like Gecko) Safari\/4",
"target_port_label": "85 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "85"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 33.07,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8448 · HTTP
Scan de ports
port scan syn · via HTTP:8448 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8448
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8448
User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWe
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8448 User-Agent: Mozilla/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build/GRJ22) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clos
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "d7c60473ca507d0f267a16bb2c90d1bcbbc70259",
"http_host_hash": "9ceba0ad33f2ddfa0dc45044e19b48ed519875d5",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 261,
"payload_entropy": 5.415976584260189,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8448,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "a636e1b5bc49ed3687be3bdb7f3054582d7afa5e",
"event_fingerprint": "ca2677ad7c9c9845e7c6461ebe68198eca4b03c4",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "1104c74dd435280ff2b2099a808bc6c8",
"payload_hash": "80a960ad4d8a286a2d45e735d5b65ec4",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8448,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8448\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWe",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8448\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8448\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWe",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8448\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.0 Mobile Safari\/534.30\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clos",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8448\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWe",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "847e94d8ccc82bef7515cfc1d2bdc3580fa73e78",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026",
"port": 8448,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8448\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWe",
"attack_vector": "port scan syn \u00b7 via HTTP:8448 \u00b7 (reconnaissance)",
"target_port_label": "8448 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8448,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWebKit\/534.30 (KHTML, like Gecko) Version\/4.\u2026",
"port": 8448,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8448 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8448\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 4.0.3; de-de; Galaxy S II Build\/GRJ22) AppleWe",
"target_port_label": "8448 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8448"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 33.01,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8447 · HTTP
Scan de ports
port scan syn · via HTTP:8447 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA UCWEB/8.8 (SymbianOS/9.2; U; en-US; NokiaE63) AppleWebKit/534.1…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8447
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
UCWEB/8.8 (SymbianOS/9.2; U; en-US; NokiaE63) AppleWebKit/534.1 UCBrowser/8.8.0.245 Mobile
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8447
User-Agent: UCWEB/8.8 (SymbianOS/9.2; U; en-US; NokiaE63) AppleWebKit/534.1 UCBrowser/8.8
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8447 User-Agent: UCWEB/8.8 (SymbianOS/9.2; U; en-US; NokiaE63) AppleWebKit/534.1 UCBrowser/8.8.0.245 Mobile Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5ea7d85d8fe6132c17e0536e752b83fcf770fa13",
"http_host_hash": "4e67491c185b4366b26e7c221223a2f4fa0825bd",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 210,
"payload_entropy": 5.417701993424472,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8447,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "bc2c6beaa00dad9e8be318e15c47701a3bdfa07f",
"event_fingerprint": "6df2de3e18206d608e192bd1e1edaa436390b519",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "39ad0ae59c7eafa63a9e1b2ed3789552",
"payload_hash": "41819ae5411fd532e66fd57f7e9e7207",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8447,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8447\r\nUser-Agent: UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8",
"method": "GET",
"path": "\/",
"user_agent": "UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8.0.245 Mobile",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8447\r\nUser-Agent: UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8.0.245 Mobile\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8447\r\nUser-Agent: UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8.0.245 Mobile",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8447\r\nUser-Agent: UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8.0.245 Mobile\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8447\r\nUser-Agent: UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "dccd0426bd22a2c5cae6aacacbf0210e4a3cba0a",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8.0.245 Mobile",
"port": 8447,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8447\r\nUser-Agent: UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8",
"attack_vector": "port scan syn \u00b7 via HTTP:8447 \u00b7 (reconnaissance)",
"target_port_label": "8447 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8447,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8.0.245 Mobile",
"port": 8447,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8447 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8447\r\nUser-Agent: UCWEB\/8.8 (SymbianOS\/9.2; U; en-US; NokiaE63) AppleWebKit\/534.1 UCBrowser\/8.8",
"target_port_label": "8447 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8447"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 32.96,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8501 · HTTP
Scan de ports
port scan syn · via HTTP:8501 · (reconnaissance)
Élevée
Moyen · 54
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build/CUPCA…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8501
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 54
Confiance : Confiance 100 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8501
User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build/CUPCAKE) AppleWebKi
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8501 User-Agent: Mozilla/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build/CUPCAKE) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: clo
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "30bb428d0886ae65dffcba86074a4fd12e19f379",
"http_host_hash": "031f6915f6a72c8e894e3231a8eec5ac991a2dd9",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 262,
"payload_entropy": 5.389899003654921,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8501,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 54,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c4b4526137d213ee237a47c5cdcb29091bb10468",
"event_fingerprint": "c2378983c0fac6898d57a6652cd705a0d79be1cb",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 54,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "49eb292637dc8e8436c99a2bb34355d5",
"payload_hash": "e3df4a4c3b277195c04aefa3d35db7bb",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8501,
"service": "http",
"service_name": "http",
"risk_score": 54
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8501\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKi",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8501\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8501\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKi",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8501\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2 Mobile Safari\/525.20.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: clo",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8501\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKi",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3bcdbd4e0d65948b579820fd638cc2c05822342e",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2\u2026",
"port": 8501,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8501\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKi",
"attack_vector": "port scan syn \u00b7 via HTTP:8501 \u00b7 (reconnaissance)",
"target_port_label": "8501 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 54,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 54,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8501,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKit\/528.5 (KHTML, like Gecko) Version\/3.1.2\u2026",
"port": 8501,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8501 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8501\r\nUser-Agent: Mozilla\/5.0 (Linux; U; Android 1.5; fr-fr; GT-I5700 Build\/CUPCAKE) AppleWebKi",
"target_port_label": "8501 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8501"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 32.75,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8900 · HTTP
Scan de ports
port scan syn · via HTTP:8900 · (reconnaissance)
Élevée
Moyen · 63
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; Android 9; CLT-AL00 Build/HUAWEICLT-AL00; w…
Émulateur
HTTP
WAF
23
Recommandation
Investiguer
Tags
950086:sqli-21
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8900
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 63
Confiance : Confiance 100 % — 4 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; CLT-AL00 Build/HUAWEICLT-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/9069 M…
Règles WAF
sqli-21
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8900
User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-AL00 Build/HUAWEICLT-AL00; wv) AppleWebKit
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8900 User-Agent: Mozilla/5.0 (Linux; Android 9; CLT-AL00 Build/HUAWEICLT-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.126 MQQBrowser/6.2 TBS/044807 Mobile Safari/537.36 MMWEBID/9069 MicroMe
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "10fcaecdc5efaa17e47cab72cdb98dc121ed6f5d",
"http_host_hash": "7b3d883cc06145041c820a0a5486ab9e02a29c72",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 397,
"payload_entropy": 5.57609264108827,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8900,
"risk_waf": 100,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 25
},
"risk_score": 63,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "348449c8080d07b477ce5aadc8b494f0c580a11f",
"event_fingerprint": "fd205ce155f551d0d5d23a6c9a328cc4b7b78cfb",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 25,
"risk_score": 63,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "48f15457741198e0b1443c8cb5da4209",
"payload_hash": "03506b2e9653db0f66746fa81213227e",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8900,
"service": "http",
"service_name": "http",
"risk_score": 63
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/9069 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetTy\u2026",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/9069 MicroMe",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/9069 MicroMessenger\/7.0.6.1460(0x27000634) Process\/tools NetTy\u2026",
"waf_tags": [
"950086:sqli-21",
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sqli-21",
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/66.0.3359.126 MQQBrowser\/6.2 TBS\/044807 Mobile Safari\/537.36 MMWEBID\/9069 MicroMe",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8081e6e10b6196d78d9f499effd95eb6e5a6b406",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Ch\u2026",
"port": 8900,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit",
"attack_vector": "port scan syn \u00b7 via HTTP:8900 \u00b7 (reconnaissance)",
"target_port_label": "8900 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 100,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 25,
"risk_score": 63,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 63,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8900,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Ch\u2026",
"port": 8900,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8900 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8900\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; CLT-AL00 Build\/HUAWEICLT-AL00; wv) AppleWebKit",
"target_port_label": "8900 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +23 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8900"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 32.64,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950086:sqli-21",
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8600 · HTTP
Scan de ports
port scan syn · via HTTP:8600 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build/PPR1.1806…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8600
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8600
User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build/PPR1.180610.011) AppleW
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8600 User-Agent: Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/9.4 Chrome/67.0.3396.87 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Enco
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "1014a6231b008e6c8586be554fffa48f7623b8af",
"http_host_hash": "2dbaf2c1a412e0cb071c226e936b95c48a886105",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 289,
"payload_entropy": 5.520689113706984,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8600,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c901731096512d13cb0ccbb8ebf0d5610391bff2",
"event_fingerprint": "aa41f504ee33b41fb5a027b1f8794946a4855011",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "5b6124fc391b05135bc5ebea946869c2",
"payload_hash": "479f42895fb5bbc240f0b63f157bb95b",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8600,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleW",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enco",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleW",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBrowser\/9.4 Chrome\/67.0.3396.87 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Enco",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleW",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "925c2d5bb97effb8ae1e0aaa816d49b9ff902eae",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBr\u2026",
"port": 8600,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleW",
"attack_vector": "port scan syn \u00b7 via HTTP:8600 \u00b7 (reconnaissance)",
"target_port_label": "8600 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8600,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleWebKit\/537.36 (KHTML, like Gecko) SamsungBr\u2026",
"port": 8600,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8600 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8600\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; SAMSUNG SM-G955F Build\/PPR1.180610.011) AppleW",
"target_port_label": "8600 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8600"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 32.5,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8880 · HTTP
Scan de ports
port scan syn · via HTTP:8880 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit/537.36 (KH…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8880
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3877.0 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8880
User-Agent: Mozilla/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit/537.36 (KHTML, like Geck
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8880 User-Agent: Mozilla/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3877.0 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "991fd50e295c1d08e0e6d2c4a9266736e36c237a",
"http_host_hash": "705e57393925ae4499d6cc481be3dac8642e294d",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 232,
"payload_entropy": 5.427615213096927,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8880,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b278a01d646761ef4ee54239650574dc65fc5fff",
"event_fingerprint": "d02d0cf983692d58cdb0cfca4295b2fba7206c25",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4ac7f9fc6c6653dccf3331d839f0e7e9",
"payload_hash": "1edbeb661db3bf30984feb0f55d181d9",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8880,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Geck",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3877.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3877.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Geck",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3877.0 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3877.0 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Geck",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "aba682f3f246b0540f801e0520cd54c2335e5a67",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3877.0 Safari\/537.36",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Geck",
"attack_vector": "port scan syn \u00b7 via HTTP:8880 \u00b7 (reconnaissance)",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8880,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/78.0.3877.0 Safari\/537.36",
"port": 8880,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8880 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8880\r\nUser-Agent: Mozilla\/5.0 (X11; CrOS x86_64 12425.0.0) AppleWebKit\/537.36 (KHTML, like Geck",
"target_port_label": "8880 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8880"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 32.42,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8898 · HTTP
Scan de ports
port scan syn · via HTTP:8898 · (reconnaissance)
Élevée
Moyen · 53
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (K…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8898
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8898
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gec
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8898 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "6ab77051bd3d6e3f44ede9388cce7acb1db78edc",
"http_host_hash": "978d22a73b0aebcfc9d90301144847ead596b327",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 235,
"payload_entropy": 5.415472318663963,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8898,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 53,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "a2692ef0f685e6eef3a2885e465c00de3cf6c0c8",
"event_fingerprint": "00749ffc1b3c8d484a48855a9da427de689d555c",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "bf101620cf0b6082e01f09b33db5b6ea",
"payload_hash": "9a4adad9ca0999ebe4c948c23796b056",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8898,
"service": "http",
"service_name": "http",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8898\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8898\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8898\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8898\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8898\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e65bb93f890f0ac0514166deb691dc2519e5d7d3",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36",
"port": 8898,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8898\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"attack_vector": "port scan syn \u00b7 via HTTP:8898 \u00b7 (reconnaissance)",
"target_port_label": "8898 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8898,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/70.0.3538.110 Safari\/537.36",
"port": 8898,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8898 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8898\r\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gec",
"target_port_label": "8898 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8898"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 32.33,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8686 · HTTP
Scan de ports
port scan syn · via HTTP:8686 · (reconnaissance)
Élevée
Moyen · 53
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/2004040…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8686
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.15
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8686
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.1
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8686 User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "cd7f935f67e2c2d3b340fe2f661c4eb4c7ca3bfc",
"http_host_hash": "f8635c69ca518396c53f2ba332d289a8d18ad1a3",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 198,
"payload_entropy": 5.27896498806695,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8686,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 53,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9ea8ad4569c947a2fb6d0686c4000691fd343e05",
"event_fingerprint": "c90747b3f69fb044c717f042885c0df553db0891",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4ba5f0424b032695635664639be2c84c",
"payload_hash": "9368009dc79b4e5f6fe9208935d5e113",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8686,
"service": "http",
"service_name": "http",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8686\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.1",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.15",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8686\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8686\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.1",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.15",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8686\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8686\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "190356f330286b9e4fa2ef3293f1aea53af8c149",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.15",
"port": 8686,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8686\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.1",
"attack_vector": "port scan syn \u00b7 via HTTP:8686 \u00b7 (reconnaissance)",
"target_port_label": "8686 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 53,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8686,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.15",
"port": 8686,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8686 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8686\r\nUser-Agent: Mozilla\/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko\/20040406 Galeon\/1.3.1",
"target_port_label": "8686 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8686"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 32.23,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
8700 · HTTP
Scan de ports
port scan syn · via HTTP:8700 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, …
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8700
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:8700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Ch
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:8700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "fc8b8433cce0c19f01e84258538fa46cfdad863f",
"http_host_hash": "e3479255aaf47e1393142e0817fd2f36bbc53a37",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 229,
"payload_entropy": 5.40562403972719,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8700,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "486fbeede2463e5013522b8005c5b0543032056f",
"event_fingerprint": "2e116f2cb52b0b1f4a4d2b6f0a72046c72f686aa",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "82a3c6e74e689531cb1b5860b14916f6",
"payload_hash": "fa9004db0b0eca85127edd58853bf035",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 8700,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d7028b6b267781bc2c48b62fa4de4a03f381fb0d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36",
"port": 8700,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"attack_vector": "port scan syn \u00b7 via HTTP:8700 \u00b7 (reconnaissance)",
"target_port_label": "8700 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8700,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/75.0.3770.142 Safari\/537.36",
"port": 8700,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8700 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:8700\r\nUser-Agent: Mozilla\/5.0 (Windows NT 6.3; WOW64) AppleWebKit\/537.36 (KHTML, like Gecko) Ch",
"target_port_label": "8700 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8700"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 32.2,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:59 UTC
TCP
5432 · POSTGRES
Scan de ports
port scan syn · via POSTGRES:5432 · (reconnaissance)
Élevée
Moyen · 53
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Handshake PostgreSQL (startup)
Émulateur
POSTGRES
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
mozi_pattern
net_bruteforce_burst
net_flood
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
5432
Chemin / cible
—
Service
POSTGRES
Payload
GET / HTTP/1.1 Host: 62.3.50.33:5432 User-Agent: Mozilla/5.0 (Linux; Android 7.0; YS900) AppleWebKit/537.36 (KHTML, like Gecko
Pourquoi cette classification : Rafale d'authentification SSH · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 5 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:5432
User-Agent: Mozilla/5.0 (Linux; Android 7.0; YS900) AppleWebKit/537.36 (KHTML, like Gecko
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:5432 User-Agent: Mozilla/5.0 (Linux; Android 7.0; YS900) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.136 Iron Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"bytes_in": 238,
"payload_entropy": 5.426125510893605,
"port_category": "registered",
"org": "Google LLC",
"service": "postgres",
"app_proto": "postgres",
"asn": 396982,
"country": "US",
"dst_port": 5432,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 46,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 46,
"novelty": 25
},
"risk_score": 53,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "4a5e35a138c51245c77208e677870b6aace0ca2b",
"event_fingerprint": "94c4cbfb85d1c35e2f48ce388a5c59a6c911d001",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 46,
"novelty": 25,
"risk_score": 53,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "postgres",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "af2fbf0460fa8814f11587bae5f6856d",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 5432,
"service": "postgres",
"service_name": "postgres",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5432\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5432\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Iron Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5432\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5432\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/74.0.3729.136 Iron Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5432\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko",
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1b4ffc21867ebc97e4e2c8249537551e9b4f5193",
"protocol_details": {
"postgres_startup_fr": "Handshake PostgreSQL (startup)",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5432\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko",
"port": 5432,
"service": "postgres",
"service_label_fr": "POSTGRES"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5432\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko",
"attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)",
"target_port_label": "5432 \u00b7 POSTGRES",
"emulator_service": "postgres",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Rafale d'authentification SSH \u00b7 confiance 100%",
"classification_reason_label_fr": "Rafale d'authentification SSH \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via POSTGRES \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 46,
"novelty": 25,
"risk_score": 53,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "postgres",
"service_label_fr": "POSTGRES",
"dst_port": 5432,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "PostgreSQL 15.4",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"postgres_startup_fr": "Handshake PostgreSQL (startup)",
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5432\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko",
"port": 5432,
"service": "postgres",
"service_label_fr": "POSTGRES"
},
"attack_vector": "port scan syn \u00b7 via POSTGRES:5432 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:5432\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 7.0; YS900) AppleWebKit\/537.36 (KHTML, like Gecko",
"target_port_label": "5432 \u00b7 POSTGRES",
"emulator_service": "postgres",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "postgres",
"service_banner": "PostgreSQL 15.4",
"service_os": "linux",
"dst_port": "5432"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 32.2,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"mozi_pattern",
"net_bruteforce_burst",
"net_flood",
"postgres_emulated"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
9009 · CLICKHOUSE NATIVE
Scan de ports
port scan syn · via CLICKHOUSE NATIVE:9009 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
CLICKHOUSE-NATIVE
WAF
—
Recommandation
Surveiller
Tags
clickhouse_native_emulated
clickhouse_native_payload
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9009
Chemin / cible
—
Service
CLICKHOUSE NATIVE
Payload
������������(� �@w� e�r�>��^� k�܇3�&��Q��� ⎌/�!����O�ۿ�>"��ܽ�����5'w$u�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������(���@w� e�r�>��^� k�܇3�&��Q��� ⎌/�!����O�ۿ�>"��ܽ�����5'w$u�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������(� �@w� e�r�>��^� k�܇3�&��Q��� ⎌/�!����O�ۿ�>"��ܽ�����5'w$u�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����˺%v�~X�Vwr����5=3f�P���F?�,
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "436c69636b486f757365207365727665722076657273696f6e2032342e332e312e0d0a",
"emulator_response_len": 35,
"bytes_in": 239,
"payload_entropy": 5.6873500990703505,
"port_category": "registered",
"org": "Google LLC",
"service": "clickhouse-native",
"app_proto": "clickhouse-native",
"asn": 396982,
"country": "US",
"dst_port": 9009,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "78dd3efe35a1f13d81f50f64736c4d37fddc9c53",
"event_fingerprint": "67a40b46e4812679b2c6646a0f636b5759145821",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "clickhouse-native",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d35768ad402db91eea17c3495cc023ff",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9009,
"service": "clickhouse-native",
"service_name": "clickhouse-native",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd\u000b\ufffd@w\ufffd\te\u000fr\u0013>\u0017\ufffd^\ufffd\tk\ufffd\u07073\ufffd&\u0019\u001fQ\ufffd\ufffd\ufffd \u238c\/\u001a!\u0003\ufffd\ufffd\u0013O\ufffd\u06ff\u0013>\"\ufffd\ufffd\u073d\ufffd\ufffd\ufffd\ufffd\u00005'w$u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd\u000b\ufffd@w\ufffd\te\u000fr\u0013>\u0017\ufffd^\ufffd\tk\ufffd\u07073\ufffd&\u0019\u001fQ\ufffd\ufffd\ufffd \u238c\/\u001a!\u0003\ufffd\ufffd\u0013O\ufffd\u06ff\u0013>\"\ufffd\ufffd\u073d\ufffd\ufffd\ufffd\ufffd\u00005'w$u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0013\ufffd\ufffd\ufffd\u02fa%v\ufffd~X\ufffdVwr\ufffd\ufffd\ufffd\ufffd5=3f\ufffdP\ufffd\u001b\ufffdF?\ufffd,",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd\u000b\ufffd@w\ufffd\te\u000fr\u0013>\u0017\ufffd^\ufffd\tk\ufffd\u07073\ufffd&\u0019\u001fQ\ufffd\ufffd\ufffd \u238c\/\u001a!\u0003\ufffd\ufffd\u0013O\ufffd\u06ff\u0013>\"\ufffd\ufffd\u073d\ufffd\ufffd\ufffd\ufffd\u00005'w$u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ec350afa5ce4ed366dadd49c3957308fe6fe6467",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd\u000b\ufffd@w\ufffd\te\u000fr\u0013>\u0017\ufffd^\ufffd\tk\ufffd\u07073\ufffd&\u0019\u001fQ\ufffd\ufffd\ufffd \u238c\/\u001a!\u0003\ufffd\ufffd\u0013O\ufffd\u06ff\u0013>\"\ufffd\ufffd\u073d\ufffd\ufffd\ufffd\ufffd\u00005'w$u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9009,
"service": "clickhouse-native",
"service_label_fr": "CLICKHOUSE NATIVE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd(\ufffd\ufffd@w\ufffd\ter>\ufffd^\ufffd\tk\ufffd\u07073\ufffd&Q\ufffd\ufffd\ufffd \u238c\/!\ufffd\ufffdO\ufffd\u06ff>\"\ufffd\ufffd\u073d\ufffd\ufffd\ufffd\ufffd5'w$u&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via CLICKHOUSE NATIVE:9009 \u00b7 (reconnaissance)",
"target_port_label": "9009 \u00b7 CLICKHOUSE NATIVE",
"emulator_service": "clickhouse-native",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CLICKHOUSE NATIVE \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "clickhouse-native",
"service_label_fr": "CLICKHOUSE NATIVE",
"dst_port": 9009,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-clickhouse-native",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\ufffd\u000b\ufffd@w\ufffd\te\u000fr\u0013>\u0017\ufffd^\ufffd\tk\ufffd\u07073\ufffd&\u0019\u001fQ\ufffd\ufffd\ufffd \u238c\/\u001a!\u0003\ufffd\ufffd\u0013O\ufffd\u06ff\u0013>\"\ufffd\ufffd\u073d\ufffd\ufffd\ufffd\ufffd\u00005'w$u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9009,
"service": "clickhouse-native",
"service_label_fr": "CLICKHOUSE NATIVE"
},
"attack_vector": "port scan syn \u00b7 via CLICKHOUSE NATIVE:9009 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd(\ufffd\ufffd@w\ufffd\ter>\ufffd^\ufffd\tk\ufffd\u07073\ufffd&Q\ufffd\ufffd\ufffd \u238c\/!\ufffd\ufffdO\ufffd\u06ff>\"\ufffd\ufffd\u073d\ufffd\ufffd\ufffd\ufffd5'w$u&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9009 \u00b7 CLICKHOUSE NATIVE",
"emulator_service": "clickhouse-native",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "clickhouse_native",
"service_banner": "honeypot-clickhouse-native",
"service_os": "linux",
"dst_port": "9009"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 53.03,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"clickhouse_native_emulated",
"clickhouse_native_payload",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
10000 · HTTP
Scan de ports
port scan syn · via HTTP:10000 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
10000
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko)
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML,
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10000 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 126,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "5239ad7d22afb3d7eae8dd135226be187ef5cd33",
"http_host_hash": "08ba06a3067b7b908f83ce02b0e95a4941ea7cbc",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 209,
"payload_entropy": 5.3128099289906725,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 10000,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "64f713fc6ccf2aa070cee4ff4809658d464d27c0",
"event_fingerprint": "270a0905a786b3fca78af9b91b45a2bd11b7f39d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "e2dc6da1de2eb0d618cf99c82d936563",
"payload_hash": "0238653ae0606453e678a95d63961f78",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10000,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML,",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML,",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML,",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "159e47f85e4d76bc1e3ea1f67ec7cd23b010c897",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)",
"port": 10000,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML,",
"attack_vector": "port scan syn \u00b7 via HTTP:10000 \u00b7 (reconnaissance)",
"target_port_label": "10000 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10000,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML, like Gecko)",
"port": 10000,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:10000 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10000\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit\/605.1.15 (KHTML,",
"target_port_label": "10000 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 52.63,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
9042 · CASSANDRA
Scan de ports
port scan syn · via CASSANDRA:9042 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
CASSANDRA
WAF
—
Recommandation
Surveiller
Tags
cassandra_emulated
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9042
Chemin / cible
—
Service
CASSANDRA
Payload
����������� \M��ɳ��I���W����o���� �����z�� ��{d�\ :��֫'%շ�<�J���W��m+U���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������
\M��ɳ��I���W����o���� �����z�� ��{d�\
:��֫'%շ�<�J���W��m+U���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������� \M��ɳ��I���W����o���� �����z�� ��{d�\ :��֫'%շ�<�J���W��m+U���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �� |+��7��y��7D�`�L��lj��R����}
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "840000000200000002",
"emulator_response_len": 9,
"bytes_in": 239,
"payload_entropy": 5.850278846579478,
"port_category": "registered",
"org": "Google LLC",
"service": "cassandra",
"app_proto": "cassandra",
"asn": 396982,
"country": "US",
"dst_port": 9042,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "2d2d11a3caf15c9e7737eb3edeb7d17ebc55e2dc",
"event_fingerprint": "635c4ed3314f5a2daac2617f5dedd145c721246d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "cassandra",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "82874f7077e79f1322b671da2afed986",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9042,
"service": "cassandra",
"service_name": "cassandra",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\\M\ufffd\ufffd\u0273\ufffd\ufffdI\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\u0011 \ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd \u0016\ufffd{d\ufffd\\\n:\u0017\ufffd\u05ab'%\u0577\ufffd<\ufffdJ\ufffd\ufffd\ufffdW\ufffd\ufffdm+U\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\\M\ufffd\ufffd\u0273\ufffd\ufffdI\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\u0011 \ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd \u0016\ufffd{d\ufffd\\\n:\u0017\ufffd\u05ab'%\u0577\ufffd<\ufffdJ\ufffd\ufffd\ufffdW\ufffd\ufffdm+U\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\r|+\b\ufffd7\ufffd\ufffdy\ufffd\ufffd7D\ufffd`\ufffdL\ufffd\u0007\u01c9\u0000\ufffdR\ufffd\ufffd\ufffd\ufffd}",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\\M\ufffd\ufffd\u0273\ufffd\ufffdI\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\u0011 \ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd \u0016\ufffd{d\ufffd\\\n:\u0017\ufffd\u05ab'%\u0577\ufffd<\ufffdJ\ufffd\ufffd\ufffdW\ufffd\ufffdm+U\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ba639301d520cdb242cf415b8bba0321e8308bd2",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\\M\ufffd\ufffd\u0273\ufffd\ufffdI\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\u0011 \ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd \u0016\ufffd{d\ufffd\\\n:\u0017\ufffd\u05ab'%\u0577\ufffd<\ufffdJ\ufffd\ufffd\ufffdW\ufffd\ufffdm+U\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9042,
"service": "cassandra",
"service_label_fr": "CASSANDRA"
},
"evidence_snippet": "\ufffd\ufffd\n\\M\ufffd\ufffd\u0273\ufffd\ufffdI\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd \ufffd{d\ufffd\\\n:\ufffd\u05ab'%\u0577\ufffd<\ufffdJ\ufffd\ufffd\ufffdW\ufffd\ufffdm+U\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)",
"target_port_label": "9042 \u00b7 CASSANDRA",
"emulator_service": "cassandra",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CASSANDRA \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "cassandra",
"service_label_fr": "CASSANDRA",
"dst_port": 9042,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cassandra",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\n\\M\ufffd\ufffd\u0273\ufffd\ufffdI\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd\u0011 \ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd \u0016\ufffd{d\ufffd\\\n:\u0017\ufffd\u05ab'%\u0577\ufffd<\ufffdJ\ufffd\ufffd\ufffdW\ufffd\ufffdm+U\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9042,
"service": "cassandra",
"service_label_fr": "CASSANDRA"
},
"attack_vector": "port scan syn \u00b7 via CASSANDRA:9042 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\n\\M\ufffd\ufffd\u0273\ufffd\ufffdI\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffdo\ufffd\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd \ufffd{d\ufffd\\\n:\ufffd\u05ab'%\u0577\ufffd<\ufffdJ\ufffd\ufffd\ufffdW\ufffd\ufffdm+U\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9042 \u00b7 CASSANDRA",
"emulator_service": "cassandra",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cassandra",
"service_banner": "honeypot-cassandra",
"service_os": "linux",
"dst_port": "9042"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 52.47,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"cassandra_emulated",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
9011 · Webhook GitHub
Scan de ports
port scan syn · via Webhook GitHub:9011 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
GITHUB-WEBHOOK
WAF
—
Recommandation
Surveiller
Tags
github_webhook_emulated
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9011
Chemin / cible
—
Service
Webhook GitHub
Payload
��������������)���}�8�j���%)�� 㺐���$|�� �Gj��/�0sT� 䆐3r����1���_gA7�+�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������)���}�8�j���%)���
㺐���$|�� �Gj��/�0sT�
䆐3r����1���_gA7�+�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������)���}�8�j���%)�� 㺐���$|�� �Gj��/�0sT� 䆐3r����1���_gA7�+�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �u#U=A���`Q�ٓU'�6h�a�>���<xT�H\
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206769746875625f776562686f6f6b20726561647920706f72743d393031310d0a",
"emulator_response_len": 45,
"bytes_in": 239,
"payload_entropy": 5.883769954857762,
"port_category": "registered",
"org": "Google LLC",
"service": "github-webhook",
"app_proto": "github-webhook",
"asn": 396982,
"country": "US",
"dst_port": 9011,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "b99a9c02c918efad049fb449eef290bfa5294569",
"event_fingerprint": "b41575be70ceb9389c1b64125ad558d2a8e629f8",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "github-webhook",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2b4243d9727535d8dfb5c1afb3931447",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9011,
"service": "github-webhook",
"service_name": "github-webhook",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\ufffd)\u0001\ufffd\ufffd}\ufffd8\ufffdj\ufffd\ufffd\u001a%)\ufffd\ufffd\f\r\u3e90\ufffd\ufffd\ufffd$|\ufffd\u0002 \ufffdGj\ufffd\ufffd\/\ufffd0sT\ufffd\n\u41903r\ufffd\ufffd\ufffd\ufffd1\u0016\ufffd\u0010_gA7\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\ufffd)\u0001\ufffd\ufffd}\ufffd8\ufffdj\ufffd\ufffd\u001a%)\ufffd\ufffd\f\r\u3e90\ufffd\ufffd\ufffd$|\ufffd\u0002 \ufffdGj\ufffd\ufffd\/\ufffd0sT\ufffd\n\u41903r\ufffd\ufffd\ufffd\ufffd1\u0016\ufffd\u0010_gA7\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdu#U=A\ufffd\ufffd\ufffd`Q\ufffd\u0653U'\ufffd6h\ufffda\ufffd>\ufffd\u001b\ufffd<xT\u001aH\\",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\ufffd)\u0001\ufffd\ufffd}\ufffd8\ufffdj\ufffd\ufffd\u001a%)\ufffd\ufffd\f\r\u3e90\ufffd\ufffd\ufffd$|\ufffd\u0002 \ufffdGj\ufffd\ufffd\/\ufffd0sT\ufffd\n\u41903r\ufffd\ufffd\ufffd\ufffd1\u0016\ufffd\u0010_gA7\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4d8690b8933eced25692986a6ceaf6f7ac1d82fb",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\ufffd)\u0001\ufffd\ufffd}\ufffd8\ufffdj\ufffd\ufffd\u001a%)\ufffd\ufffd\f\r\u3e90\ufffd\ufffd\ufffd$|\ufffd\u0002 \ufffdGj\ufffd\ufffd\/\ufffd0sT\ufffd\n\u41903r\ufffd\ufffd\ufffd\ufffd1\u0016\ufffd\u0010_gA7\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9011,
"service": "github-webhook",
"service_label_fr": "Webhook GitHub"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd)\ufffd\ufffd}\ufffd8\ufffdj\ufffd\ufffd%)\ufffd\ufffd\r\u3e90\ufffd\ufffd\ufffd$|\ufffd \ufffdGj\ufffd\ufffd\/\ufffd0sT\ufffd\n\u41903r\ufffd\ufffd\ufffd\ufffd1\ufffd_gA7\ufffd+&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via Webhook GitHub:9011 \u00b7 (reconnaissance)",
"target_port_label": "9011 \u00b7 Webhook GitHub",
"emulator_service": "github-webhook",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via Webhook GitHub \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "github-webhook",
"service_label_fr": "Webhook GitHub",
"dst_port": 9011,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-github-webhook",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0001\ufffd)\u0001\ufffd\ufffd}\ufffd8\ufffdj\ufffd\ufffd\u001a%)\ufffd\ufffd\f\r\u3e90\ufffd\ufffd\ufffd$|\ufffd\u0002 \ufffdGj\ufffd\ufffd\/\ufffd0sT\ufffd\n\u41903r\ufffd\ufffd\ufffd\ufffd1\u0016\ufffd\u0010_gA7\ufffd+\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9011,
"service": "github-webhook",
"service_label_fr": "Webhook GitHub"
},
"attack_vector": "port scan syn \u00b7 via Webhook GitHub:9011 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd)\ufffd\ufffd}\ufffd8\ufffdj\ufffd\ufffd%)\ufffd\ufffd\r\u3e90\ufffd\ufffd\ufffd$|\ufffd \ufffdGj\ufffd\ufffd\/\ufffd0sT\ufffd\n\u41903r\ufffd\ufffd\ufffd\ufffd1\ufffd_gA7\ufffd+&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9011 \u00b7 Webhook GitHub",
"emulator_service": "github-webhook",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "github_webhook",
"service_banner": "honeypot-github-webhook",
"service_os": "linux",
"dst_port": "9011"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 52.3,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"github_webhook_emulated",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
9010 · Webhook Discord
Scan de ports
port scan syn · via Webhook Discord:9010 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
DISCORD-WEBHOOK
WAF
—
Recommandation
Surveiller
Tags
discord_webhook_emulated
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9010
Chemin / cible
—
Service
Webhook Discord
Payload
��������������0p��[� �^�� 3k���f����=i�h�m �ɂ�&��f��t���f�Z�n�0*�l���S�q5��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������0p��[�� �^���3k���f����=i�h�m �ɂ�&��f��t���f�Z�n�0*�l���S�q5��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������0p��[� �^�� 3k���f����=i�h�m �ɂ�&��f��t���f�Z�n�0*�l���S�q5��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �@��MVYGb�"�p`T �,�H(�A�A��4��H
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f7420646973636f72645f776562686f6f6b20726561647920706f72743d393031300d0a",
"emulator_response_len": 46,
"bytes_in": 239,
"payload_entropy": 5.803024598208957,
"port_category": "registered",
"org": "Google LLC",
"service": "discord-webhook",
"app_proto": "discord-webhook",
"asn": 396982,
"country": "US",
"dst_port": 9010,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "1829f2d84ed3e7fdb68367807c952e7169b238fa",
"event_fingerprint": "714ee648df467d06bed715db930cfc8ea966fe7d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "discord-webhook",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "056e12bde068037f9d8452ce40575728",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9010,
"service": "discord-webhook",
"service_name": "discord-webhook",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0p\ufffd\ufffd[\u0001\u000b \ufffd^\ufffd\ufffd\u000b3k\ufffd\ufffd\ufffdf\ufffd\u000f\u0007\u0003=i\ufffdh\ufffdm \ufffd\u0242\ufffd&\ufffd\bf\ufffd\ufffdt\ufffd\ufffd\u0016f\ufffdZ\ufffdn\ufffd0*\ufffdl\ufffd\u001d\ufffdS\ufffdq5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0p\ufffd\ufffd[\u0001\u000b \ufffd^\ufffd\ufffd\u000b3k\ufffd\ufffd\ufffdf\ufffd\u000f\u0007\u0003=i\ufffdh\ufffdm \ufffd\u0242\ufffd&\ufffd\bf\ufffd\ufffdt\ufffd\ufffd\u0016f\ufffdZ\ufffdn\ufffd0*\ufffdl\ufffd\u001d\ufffdS\ufffdq5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd@\u001b\ufffdMVYGb\ufffd\"\ufffdp`T \u000e,\u0014H(\u0014A\u0001A\u0005\ufffd4\ufffd\ufffdH",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0p\ufffd\ufffd[\u0001\u000b \ufffd^\ufffd\ufffd\u000b3k\ufffd\ufffd\ufffdf\ufffd\u000f\u0007\u0003=i\ufffdh\ufffdm \ufffd\u0242\ufffd&\ufffd\bf\ufffd\ufffdt\ufffd\ufffd\u0016f\ufffdZ\ufffdn\ufffd0*\ufffdl\ufffd\u001d\ufffdS\ufffdq5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c37bc09abed391c5cf8a4ce611a36ed64cd1618c",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0p\ufffd\ufffd[\u0001\u000b \ufffd^\ufffd\ufffd\u000b3k\ufffd\ufffd\ufffdf\ufffd\u000f\u0007\u0003=i\ufffdh\ufffdm \ufffd\u0242\ufffd&\ufffd\bf\ufffd\ufffdt\ufffd\ufffd\u0016f\ufffdZ\ufffdn\ufffd0*\ufffdl\ufffd\u001d\ufffdS\ufffdq5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9010,
"service": "discord-webhook",
"service_label_fr": "Webhook Discord"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd0p\ufffd\ufffd[ \ufffd^\ufffd\ufffd3k\ufffd\ufffd\ufffdf\ufffd=i\ufffdh\ufffdm \ufffd\u0242\ufffd&\ufffdf\ufffd\ufffdt\ufffd\ufffdf\ufffdZ\ufffdn\ufffd0*\ufffdl\ufffd\ufffdS\ufffdq5\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via Webhook Discord:9010 \u00b7 (reconnaissance)",
"target_port_label": "9010 \u00b7 Webhook Discord",
"emulator_service": "discord-webhook",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via Webhook Discord \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "discord-webhook",
"service_label_fr": "Webhook Discord",
"dst_port": 9010,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-discord-webhook",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd0p\ufffd\ufffd[\u0001\u000b \ufffd^\ufffd\ufffd\u000b3k\ufffd\ufffd\ufffdf\ufffd\u000f\u0007\u0003=i\ufffdh\ufffdm \ufffd\u0242\ufffd&\ufffd\bf\ufffd\ufffdt\ufffd\ufffd\u0016f\ufffdZ\ufffdn\ufffd0*\ufffdl\ufffd\u001d\ufffdS\ufffdq5\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9010,
"service": "discord-webhook",
"service_label_fr": "Webhook Discord"
},
"attack_vector": "port scan syn \u00b7 via Webhook Discord:9010 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd0p\ufffd\ufffd[ \ufffd^\ufffd\ufffd3k\ufffd\ufffd\ufffdf\ufffd=i\ufffdh\ufffdm \ufffd\u0242\ufffd&\ufffdf\ufffd\ufffdt\ufffd\ufffdf\ufffdZ\ufffdn\ufffd0*\ufffdl\ufffd\ufffdS\ufffdq5\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9010 \u00b7 Webhook Discord",
"emulator_service": "discord-webhook",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "discord_webhook",
"service_banner": "honeypot-discord-webhook",
"service_os": "linux",
"dst_port": "9010"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 52.16,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"discord_webhook_emulated",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
9090 · PROMETHEUS
Scan de ports
port scan syn · via PROMETHEUS:9090 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
PROMETHEUS
WAF
—
Recommandation
Surveiller
Tags
net_flood
prometheus_emulated
prometheus_payload
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9090
Chemin / cible
—
Service
PROMETHEUS
Payload
�������������!4 ���ߟON��f��������������ٻ3 9Ϟ������q���+�������xRm��L�K6�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������!4
���ߟON��f��������������ٻ3 9Ϟ������q���+�������xRm��L�K6�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������!4 ���ߟON��f��������������ٻ3 9Ϟ������q���+�������xRm��L�K6�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �w��������1����Mm�{N����g�Pe�{-
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a20746578742f706c61696e3b2076657273696f6e3d302e302e340d0a436f6e74656e742d4c656e6774683a2036360d0a0d0a232048454c502075702031206966207461726765742069732075702e0a2320545950452075702067617567650a75707b",
"emulator_response_len": 146,
"bytes_in": 239,
"payload_entropy": 5.841135773372654,
"port_category": "registered",
"org": "Google LLC",
"service": "prometheus",
"app_proto": "prometheus",
"asn": 396982,
"country": "US",
"dst_port": 9090,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "0d069216ef95845fb7e0d0ba7996c3ee67eed274",
"event_fingerprint": "9c8d49fb20a5cccdb0c6757e9b6fb56f36190de0",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "prometheus",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9e8bb9bc1bf79040f03bdd843e26313b",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9090,
"service": "prometheus",
"service_name": "prometheus",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd!4\r\ufffd\ufffd\ufffd\u07dfON\u0005\u0015f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\u0013\ufffd\u067b3 9\u03de\ufffd\ufffd\ufffd\ufffd\u0018\ufffdq\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdxRm\ufffd\ufffdL\ufffdK6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd!4\r\ufffd\ufffd\ufffd\u07dfON\u0005\u0015f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\u0013\ufffd\u067b3 9\u03de\ufffd\ufffd\ufffd\ufffd\u0018\ufffdq\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdxRm\ufffd\ufffdL\ufffdK6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdw\ufffd\ufffd\ufffd\u0002\ufffd\ufffd\ufffd\u00011\ufffd\ufffd\ufffd\u0011Mm\ufffd{N\ufffd\u0016\ufffd\ufffdg\ufffdPe\u0015{-",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd!4\r\ufffd\ufffd\ufffd\u07dfON\u0005\u0015f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\u0013\ufffd\u067b3 9\u03de\ufffd\ufffd\ufffd\ufffd\u0018\ufffdq\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdxRm\ufffd\ufffdL\ufffdK6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f2853dad80f4984508d74007a0d0fd4d77cedcd7",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd!4\r\ufffd\ufffd\ufffd\u07dfON\u0005\u0015f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\u0013\ufffd\u067b3 9\u03de\ufffd\ufffd\ufffd\ufffd\u0018\ufffdq\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdxRm\ufffd\ufffdL\ufffdK6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9090,
"service": "prometheus",
"service_label_fr": "PROMETHEUS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd!4\r\ufffd\ufffd\ufffd\u07dfONf\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u067b3 9\u03de\ufffd\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdxRm\ufffd\ufffdL\ufffdK6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via PROMETHEUS:9090 \u00b7 (reconnaissance)",
"target_port_label": "9090 \u00b7 PROMETHEUS",
"emulator_service": "prometheus",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via PROMETHEUS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "prometheus",
"service_label_fr": "PROMETHEUS",
"dst_port": 9090,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-prometheus",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001c\ufffd!4\r\ufffd\ufffd\ufffd\u07dfON\u0005\u0015f\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffd\ufffd\ufffd\u0013\ufffd\u067b3 9\u03de\ufffd\ufffd\ufffd\ufffd\u0018\ufffdq\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdxRm\ufffd\ufffdL\ufffdK6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9090,
"service": "prometheus",
"service_label_fr": "PROMETHEUS"
},
"attack_vector": "port scan syn \u00b7 via PROMETHEUS:9090 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd!4\r\ufffd\ufffd\ufffd\u07dfONf\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u067b3 9\u03de\ufffd\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdxRm\ufffd\ufffdL\ufffdK6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9090 \u00b7 PROMETHEUS",
"emulator_service": "prometheus",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "prometheus",
"service_banner": "honeypot-prometheus",
"service_os": "linux",
"dst_port": "9090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 52.03,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"prometheus_emulated",
"prometheus_payload",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
1443 · HTTP
Scan de ports
port scan syn · via HTTP:1443 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA SonyEricssonT68/R201A
Émulateur
HTTP
WAF
3
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
1443
Chemin / cible
/
Pourquoi cette classification : Tags WAF: sap-sapcontrol-path · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 1 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
SonyEricssonT68/R201A
Règles WAF
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:1443
User-Agent: SonyEricssonT68/R201A
Accept-Charset: utf-8
Accept-Encoding: gzip
Connecti
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:1443 User-Agent: SonyEricssonT68/R201A Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "67ab3798a2c61a1ffcebfc30c7ef29acfe1ed9a9",
"http_host_hash": "e217923dbbc6bf0a923b5e203c553b7387e57d65",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 141,
"payload_entropy": 5.077828698172617,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 1443,
"risk_waf": 20,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "42db1689e50fd489b81b4955e76fd3965342fc9b",
"event_fingerprint": "3ee1dfdd12593f4ec73ed8b3b456173000cb09cf",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "4c4277840e4dd2b187cdddaeef972ab2",
"payload_hash": "e7a32b3a079410f0c254177f477edfff",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1443,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"method": "GET",
"path": "\/",
"user_agent": "SonyEricssonT68\/R201A",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "SonyEricssonT68\/R201A",
"waf_tags": [
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4e99b09f8d48cfbc097f786e265726231f73b7e0",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "SonyEricssonT68\/R201A",
"port": 1443,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"attack_vector": "port scan syn \u00b7 via HTTP:1443 \u00b7 (reconnaissance)",
"target_port_label": "1443 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"classification_reason_label_fr": "Tags WAF: sap-sapcontrol-path \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 20,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1443,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "SonyEricssonT68\/R201A",
"port": 1443,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:1443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1443\r\nUser-Agent: SonyEricssonT68\/R201A\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnecti",
"target_port_label": "1443 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 20 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 51.89,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
18080 · MONERO P2P
Scan de ports
port scan syn · via MONERO P2P:18080 · (reconnaissance)
Élevée
Moyen · 53
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
MONERO-P2P
WAF
—
Recommandation
Investiguer
Tags
http_get_probe
monero_p2p_emulated
monero_p2p_payload
mozi_pattern
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
18080
Chemin / cible
—
Service
MONERO P2P
Payload
GET / HTTP/1.1 Host: 62.3.50.33:18080 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0 Accept-C
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 53
Confiance : Confiance 100 % — 5 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:18080
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
Accept-C
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:18080 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "01110101010101010000000000000000",
"emulator_response_len": 16,
"bytes_in": 187,
"payload_entropy": 5.227010280890743,
"port_category": "registered",
"org": "Google LLC",
"service": "monero-p2p",
"app_proto": "monero-p2p",
"asn": 396982,
"country": "US",
"dst_port": 18080,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 25,
"risk_boost": 20,
"risk_granularity": 2.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25
},
"risk_score": 53,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "07e64fc9391dc37941a9b3c6672aa37569ff0e38",
"event_fingerprint": "bf45d65f7395f66db4e427696e102842579d0239",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 53,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "monero-p2p",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6d1b51b80ca2c13f806a04149898a8ab",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 18080,
"service": "monero-p2p",
"service_name": "monero-p2p",
"risk_score": 53
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-C",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-C",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-C",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6c972fddfeeffe77e5f66eee143aaa92a4eaca52",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-C",
"port": 18080,
"service": "monero-p2p",
"service_label_fr": "MONERO P2P"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-C",
"attack_vector": "port scan syn \u00b7 via MONERO P2P:18080 \u00b7 (reconnaissance)",
"target_port_label": "18080 \u00b7 MONERO P2P",
"emulator_service": "monero-p2p",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 53\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MONERO P2P \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 25,
"risk_score": 53,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 53,
"risk_label": "Moyen",
"service_name": "monero-p2p",
"service_label_fr": "MONERO P2P",
"dst_port": 18080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-monero-p2p",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-C",
"port": 18080,
"service": "monero-p2p",
"service_label_fr": "MONERO P2P"
},
"attack_vector": "port scan syn \u00b7 via MONERO P2P:18080 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:18080\r\nUser-Agent: Mozilla\/5.0 (X11; Linux i686; rv:28.0) Gecko\/20100101 Firefox\/28.0\r\nAccept-C",
"target_port_label": "18080 \u00b7 MONERO P2P",
"emulator_service": "monero-p2p",
"confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "monero_p2p",
"service_banner": "honeypot-monero-p2p",
"service_os": "linux",
"dst_port": "18080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 51.78,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"http_get_probe",
"monero_p2p_emulated",
"monero_p2p_payload",
"mozi_pattern",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
10443 · HTTPS
Scan de ports
port scan syn · via HTTPS:10443 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
HTTPS
WAF
—
Recommandation
Investiguer
Tags
http_alt_port
http_get_probe
mozi_pattern
net_flood
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
10443
Chemin / cible
—
Service
HTTPS
Payload
GET / HTTP/1.1 Host: 62.3.50.33:10443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubunt
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10443
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubunt
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10443 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/74.0.3729.169 Chrome/74.0.3729.169 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 256,
"payload_entropy": 5.469920214857915,
"port_category": "registered",
"org": "Google LLC",
"service": "https",
"app_proto": "https",
"asn": 396982,
"country": "US",
"dst_port": 10443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 20,
"risk_granularity": 5.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "9fe0cf2375eb0c284bcc5c1d7aba96f85abe055f",
"event_fingerprint": "224ede99be8e95a628ea21d40f1e36a561bbe843",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "57cb129f7da14744c406fe5f8f7f326b",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 10443,
"service": "https",
"service_name": "https",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/74.0.3729.169 Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubuntu Chromium\/74.0.3729.169 Chrome\/74.0.3729.169 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "156d9d288cab2fa602bdb2c4874972c55402153e",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt",
"port": 10443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt",
"attack_vector": "port scan syn \u00b7 via HTTPS:10443 \u00b7 (reconnaissance)",
"target_port_label": "10443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 10443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt",
"port": 10443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "port scan syn \u00b7 via HTTPS:10443 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10443\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Ubunt",
"target_port_label": "10443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "10443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 51.67,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"http_alt_port",
"http_get_probe",
"mozi_pattern",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
10002 · HTTP
Scan de ports
port scan syn · via HTTP:10002 · (reconnaissance)
Élevée
Moyen · 56
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/537.36 (KHT…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
10002
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 56
Confiance : Confiance 100 % — 3 tag(s) WAF
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10002
User-Agent: Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/537.36 (KHTML, like Geck
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10002 User-Agent: Mozilla/5.0 (Linux; Android 9; VOG-L29) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.111 Mobile Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "48e4ba6e2311cc3b680df34feac8abe9c1f79a12",
"http_host_hash": "5817925db6a96eeacba22edc14fd3e8b07993d86",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 241,
"payload_entropy": 5.432378134950643,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 10002,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 56,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b9dbffb6d6a47bd7a0c70d21addcab1e0d538e3a",
"event_fingerprint": "3e8cd935f8abfa5e5824635428038434a671fbed",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "15923ad48d9322c295676239fbf81afc",
"payload_hash": "91f138388de18ab28b9e2bf1a8566bda",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10002,
"service": "http",
"service_name": "http",
"risk_score": 56
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Geck",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Geck",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Geck",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3535a712e3bf0efe4ed1d233e61a6c4dda544698",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 10002,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Geck",
"attack_vector": "port scan syn \u00b7 via HTTP:10002 \u00b7 (reconnaissance)",
"target_port_label": "10002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 56,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 56,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10002,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.111 Mobile Safari\/537.36",
"port": 10002,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:10002 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10002\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 9; VOG-L29) AppleWebKit\/537.36 (KHTML, like Geck",
"target_port_label": "10002 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 51.5,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
10001 · MEMCACHED ALT
Scan de ports
port scan syn · via MEMCACHED ALT:10001 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
Émulateur
MEMCACHED-ALT
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
net_flood
redis_config_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
10001
Chemin / cible
—
Service
MEMCACHED ALT
Payload
GET / HTTP/1.1 Host: 62.3.50.33:10001 User-Agent: SonyEricssonT650i/R7AA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/C
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:10001
User-Agent: SonyEricssonT650i/R7AA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/C
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:10001 User-Agent: SonyEricssonT650i/R7AA Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "56455253494f4e20312e362e360d0a",
"emulator_response_len": 15,
"bytes_in": 204,
"payload_entropy": 5.226954095003,
"port_category": "registered",
"org": "Google LLC",
"service": "memcached-alt",
"app_proto": "memcached-alt",
"asn": 396982,
"country": "US",
"dst_port": 10001,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f764a042b48b7563f60811d8d4fceab92b664100",
"event_fingerprint": "0e6f565eb2a4836a06aa3da397473222fb244643",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "memcached-alt",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d395c4dfa2d96dc6af84c46d47fce105",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9"
},
"target_context": {
"dst_port": 10001,
"service": "memcached-alt",
"service_name": "memcached-alt",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10001\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/C",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10001\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10001\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/C",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10001\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/CLDC-1.1\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10001\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/C",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b154c2f14e58f19397f8b5386c1363ec41b83fcc",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10001\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/C",
"port": 10001,
"service": "memcached-alt",
"service_label_fr": "MEMCACHED ALT"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10001\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/C",
"attack_vector": "port scan syn \u00b7 via MEMCACHED ALT:10001 \u00b7 (reconnaissance)",
"target_port_label": "10001 \u00b7 MEMCACHED ALT",
"emulator_service": "memcached-alt",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MEMCACHED ALT \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "memcached-alt",
"service_label_fr": "MEMCACHED ALT",
"dst_port": 10001,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-memcached-alt",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10001\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/C",
"port": 10001,
"service": "memcached-alt",
"service_label_fr": "MEMCACHED ALT"
},
"attack_vector": "port scan syn \u00b7 via MEMCACHED ALT:10001 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10001\r\nUser-Agent: SonyEricssonT650i\/R7AA Browser\/NetFront\/3.3 Profile\/MIDP-2.0 Configuration\/C",
"target_port_label": "10001 \u00b7 MEMCACHED ALT",
"emulator_service": "memcached-alt",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "memcached_alt",
"service_banner": "honeypot-memcached-alt",
"service_os": "linux",
"dst_port": "10001"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 51.39,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"net_flood",
"redis_config_probe"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
15672 · HTTP
Scan de ports
port scan syn · via HTTP:15672 · (reconnaissance)
Élevée
Moyen · 55
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (Linux; Android 4.4.4; Nexus 7 Build/KTU84P) AppleW…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
15672
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 55
Confiance : Confiance 100 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (Linux; Android 4.4.4; Nexus 7 Build/KTU84P) AppleWebKit/537.36 (KHTML like Gecko) Chrome/36.0.1985.135 Safari/537.36
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:15672
User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; Nexus 7 Build/KTU84P) AppleWebKit/537.36
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:15672 User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; Nexus 7 Build/KTU84P) AppleWebKit/537.36 (KHTML like Gecko) Chrome/36.0.1985.135 Safari/537.36 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "eaffd19466b40201afc74c1895732f48a659310f",
"http_host_hash": "e20166832ab649ed459a27600c089133ceb1b121",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 250,
"payload_entropy": 5.439639819721864,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 15672,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 55,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "db1674d7229861c492117ce70ebfcbb5d0796052",
"event_fingerprint": "0c7d390d2423728b44310ec11277b5af792cad67",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "f8a8bea4d7391eb9891620a4be35b125",
"payload_hash": "c7ed9a8d114250e167e47f3599da558f",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 15672,
"service": "http",
"service_name": "http",
"risk_score": 55
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15672\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 ",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15672\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15672\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15672\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Safari\/537.36\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15672\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6052c10fdb6fb69ebc112ba630f1a8b60c33e532",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Saf\u2026",
"port": 15672,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15672\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36",
"attack_vector": "port scan syn \u00b7 via HTTP:15672 \u00b7 (reconnaissance)",
"target_port_label": "15672 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 55,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 55,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 15672,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36 (KHTML like Gecko) Chrome\/36.0.1985.135 Saf\u2026",
"port": 15672,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:15672 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:15672\r\nUser-Agent: Mozilla\/5.0 (Linux; Android 4.4.4; Nexus 7 Build\/KTU84P) AppleWebKit\/537.36",
"target_port_label": "15672 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "15672"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 51.25,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
11434 · HTTP
Scan de ports
port scan syn · via HTTP:11434 · (reconnaissance)
Élevée
Moyen · 57
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
GET / UA Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (K…
Émulateur
HTTP
WAF
16
Recommandation
Investiguer
Tags
950326:rce-0
950470:nosqli-3
950734:sap-sapcontrol-path
net_flood
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
11434
Chemin / cible
/
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 57
Confiance : Confiance 100 % — 3 tag(s) WAF
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Ligne de requête
GET / HTTP/1.1
User-Agent
Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15
Règles WAF
rce-0
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:11434
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Ge
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:11434 User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.15 (KHTML, like Gecko) Chrome/10.0.613.0 Safari/534.15 Accept-Charset: utf-8 Accept-Encoding: gzip Connection: close
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"http_header_count": 5,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "be1b0422073ac373e9c719ca6b743a7fcb737ca2",
"http_host_hash": "0edcf6ab7022a3c1a90b1ad0670bd95a56782eca",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": true,
"bytes_in": 233,
"payload_entropy": 5.39676405659104,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 11434,
"risk_waf": 72,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 57,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "5d5d400c5260134dda0d3a1fba57fa3b7727416a",
"event_fingerprint": "a3553765b40ae8c1aad4a494700a0a9576b68290",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "729eda3df9bea18b602258c2de583c94",
"payload_hash": "ee532133b6ab1553f080a825e2c096ed",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 11434,
"service": "http",
"service_name": "http",
"risk_score": 57
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Ge",
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Ge",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15",
"waf_tags": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"rce-0",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15\r\nAccept-Charset: utf-8\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Ge",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "595103e65416bfac0ca531e4b3a0ad7407eed13d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15",
"port": 11434,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Ge",
"attack_vector": "port scan syn \u00b7 via HTTP:11434 \u00b7 (reconnaissance)",
"target_port_label": "11434 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 72,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 57,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 57,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 11434,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Gecko) Chrome\/10.0.613.0 Safari\/534.15",
"port": 11434,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:11434 \u00b7 (reconnaissance)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11434\r\nUser-Agent: Mozilla\/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit\/534.15 (KHTML, like Ge",
"target_port_label": "11434 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 3 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 72 \u00b7 Bonus corr\u00e9lation +23 \u00b7 3 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "11434"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 51.08,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_investigate",
"tags_list": [
"950326:rce-0",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"net_flood"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
9100 · JETDIRECT
Scan de ports
port scan syn · via JETDIRECT:9100 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
JETDIRECT
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9100
Chemin / cible
—
Service
JETDIRECT
Payload
�������������$���W�&��v�2����G�3���ʗ2�iL�Z ��J�^Ç TD@C����1O �+m,H �E�F]Ґ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1 Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������$���W�&��v�2����G�3���ʗ2�iL�Z ��J�^Ç TD@C����1O��+m,H �E�F]Ґ�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������$���W�&��v�2����G�3���ʗ2�iL�Z ��J�^Ç TD@C����1O �+m,H �E�F]Ґ�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �@�����������gr�\���G��U���T
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a",
"emulator_response_len": 40,
"bytes_in": 239,
"payload_entropy": 5.805772751632347,
"port_category": "registered",
"org": "Google LLC",
"service": "jetdirect",
"app_proto": "jetdirect",
"asn": 396982,
"country": "US",
"dst_port": 9100,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "6586f3356081283226bf285982981e41929f797c",
"event_fingerprint": "a7885f8ee12ae1a414d575fc45cf0af2df68f04d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "jetdirect",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2f3927a70e0628d44224805c1e8a070a",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9100,
"service": "jetdirect",
"service_name": "jetdirect",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0017\ufffd$\u0015\ufffd\u001cW\ufffd&\u0007\u0000v\ufffd2\ufffd\ufffd\ufffd\ufffdG\ufffd3\ufffd\ufffd\u001c\u02972\ufffdiL\ufffdZ \ufffd\ufffdJ\ufffd^\u00c7\tTD@C\ufffd\u0005\ufffd\ufffd1O\f\ufffd+m,H \ufffdE\ufffdF]\u0490\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0017\ufffd$\u0015\ufffd\u001cW\ufffd&\u0007\u0000v\ufffd2\ufffd\ufffd\ufffd\ufffdG\ufffd3\ufffd\ufffd\u001c\u02972\ufffdiL\ufffdZ \ufffd\ufffdJ\ufffd^\u00c7\tTD@C\ufffd\u0005\ufffd\ufffd1O\f\ufffd+m,H \ufffdE\ufffdF]\u0490\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd@\ufffd\ufffd\u0000\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u001d\ufffdgr\ufffd\\\u0381\ufffd\u0018\ufffdG\ufffd\ufffdU\ufffd\u001a\ufffdT",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0017\ufffd$\u0015\ufffd\u001cW\ufffd&\u0007\u0000v\ufffd2\ufffd\ufffd\ufffd\ufffdG\ufffd3\ufffd\ufffd\u001c\u02972\ufffdiL\ufffdZ \ufffd\ufffdJ\ufffd^\u00c7\tTD@C\ufffd\u0005\ufffd\ufffd1O\f\ufffd+m,H \ufffdE\ufffdF]\u0490\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c444ad83c4f7bd38f1cd75dece7e8ba6a741cd74",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0017\ufffd$\u0015\ufffd\u001cW\ufffd&\u0007\u0000v\ufffd2\ufffd\ufffd\ufffd\ufffdG\ufffd3\ufffd\ufffd\u001c\u02972\ufffdiL\ufffdZ \ufffd\ufffdJ\ufffd^\u00c7\tTD@C\ufffd\u0005\ufffd\ufffd1O\f\ufffd+m,H \ufffdE\ufffdF]\u0490\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"evidence_snippet": "\ufffd\ufffd\ufffd$\ufffdW\ufffd&v\ufffd2\ufffd\ufffd\ufffd\ufffdG\ufffd3\ufffd\ufffd\u02972\ufffdiL\ufffdZ \ufffd\ufffdJ\ufffd^\u00c7\tTD@C\ufffd\ufffd\ufffd1O\ufffd+m,H \ufffdE\ufffdF]\u0490&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via JETDIRECT:9100 \u00b7 (reconnaissance)",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via JETDIRECT \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "jetdirect",
"service_label_fr": "JETDIRECT",
"dst_port": 9100,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jetdirect",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0017\ufffd$\u0015\ufffd\u001cW\ufffd&\u0007\u0000v\ufffd2\ufffd\ufffd\ufffd\ufffdG\ufffd3\ufffd\ufffd\u001c\u02972\ufffdiL\ufffdZ \ufffd\ufffdJ\ufffd^\u00c7\tTD@C\ufffd\u0005\ufffd\ufffd1O\f\ufffd+m,H \ufffdE\ufffdF]\u0490\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9100,
"service": "jetdirect",
"service_label_fr": "JETDIRECT"
},
"attack_vector": "port scan syn \u00b7 via JETDIRECT:9100 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd$\ufffdW\ufffd&v\ufffd2\ufffd\ufffd\ufffd\ufffdG\ufffd3\ufffd\ufffd\u02972\ufffdiL\ufffdZ \ufffd\ufffdJ\ufffd^\u00c7\tTD@C\ufffd\ufffd\ufffd1O\ufffd+m,H \ufffdE\ufffdF]\u0490&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9100 \u00b7 JETDIRECT",
"emulator_service": "jetdirect",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jetdirect",
"service_banner": "honeypot-jetdirect",
"service_os": "linux",
"dst_port": "9100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 50.98,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
13/06/2026 19:19:58 UTC
TCP
9202 · TLS
Scan de ports
port scan syn · via TLS:9202 · (reconnaissance)
Élevée
Moyen · 42
Détails
Voir
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9202
Chemin / cible
—
Service
TLS
Payload
�����������ޕ���S����@��X�#l� U��,ew�H�7KJ ��վ�]@G���+����H#DِOx���۫�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ޕ���S����@��X�#l�
U��,ew�H�7KJ ��վ�]@G���+����H#DِOx���۫�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������ޕ���S����@��X�#l� U��,ew�H�7KJ ��վ�]@G���+����H#DِOx���۫�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �˹�x�A4�h���o(���e� �s:z����?'L
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.831434319087137,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 9202,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "76f3b0730e07a3adabb16618d1f93c13b3e2a9ec",
"event_fingerprint": "9a82d6bfcbe48120d8f54878e70a6d0e1ad39696",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "869442e5fac8aa6884bb4ee55a4e6332",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9202,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0795\ufffd\u001e\ufffdS\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffdX\ufffd#l\u0000\rU\u0000\u0004,ew\ufffdH\ufffd7KJ \ufffd\u0017\u057e\ufffd]@G\ufffd\ufffd\u0018+\ufffd\u0004\u000e\ufffdH#D\u0650Ox\ufffd\ufffd\ufffd\u06eb\ufffd\ufffd\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0795\ufffd\u001e\ufffdS\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffdX\ufffd#l\u0000\rU\u0000\u0004,ew\ufffdH\ufffd7KJ \ufffd\u0017\u057e\ufffd]@G\ufffd\ufffd\u0018+\ufffd\u0004\u000e\ufffdH#D\u0650Ox\ufffd\ufffd\ufffd\u06eb\ufffd\ufffd\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u02f9\ufffdx\u000fA4\ufffdh\ufffd\b\ufffdo(\ufffd\ufffd\ufffde\ufffd\r\ufffds:z\ufffd\u0001\ufffd\ufffd?'L",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0795\ufffd\u001e\ufffdS\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffdX\ufffd#l\u0000\rU\u0000\u0004,ew\ufffdH\ufffd7KJ \ufffd\u0017\u057e\ufffd]@G\ufffd\ufffd\u0018+\ufffd\u0004\u000e\ufffdH#D\u0650Ox\ufffd\ufffd\ufffd\u06eb\ufffd\ufffd\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b87af953d76127cddd4e6da308ce7a0a7f5c4d62",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0795\ufffd\u001e\ufffdS\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffdX\ufffd#l\u0000\rU\u0000\u0004,ew\ufffdH\ufffd7KJ \ufffd\u0017\u057e\ufffd]@G\ufffd\ufffd\u0018+\ufffd\u0004\u000e\ufffdH#D\u0650Ox\ufffd\ufffd\ufffd\u06eb\ufffd\ufffd\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9202,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\u0795\ufffd\ufffdS\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffdX\ufffd#l\rU,ew\ufffdH\ufffd7KJ \ufffd\u057e\ufffd]@G\ufffd\ufffd+\ufffd\ufffdH#D\u0650Ox\ufffd\ufffd\ufffd\u06eb\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:9202 \u00b7 (reconnaissance)",
"target_port_label": "9202 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9202,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0795\ufffd\u001e\ufffdS\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffdX\ufffd#l\u0000\rU\u0000\u0004,ew\ufffdH\ufffd7KJ \ufffd\u0017\u057e\ufffd]@G\ufffd\ufffd\u0018+\ufffd\u0004\u000e\ufffdH#D\u0650Ox\ufffd\ufffd\ufffd\u06eb\ufffd\ufffd\ufffd\u0014\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9202,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:9202 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\u0795\ufffd\ufffdS\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffdX\ufffd#l\rU,ew\ufffdH\ufffd7KJ \ufffd\u057e\ufffd]@G\ufffd\ufffd+\ufffd\ufffdH#D\u0650Ox\ufffd\ufffd\ufffd\u06eb\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9202 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9202"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 50.86,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}