|
|
TCP |
7001 · WEBLOGIC
|
weblogic
|
Scan de ports
port scan syn · via WEBLOGIC:7001 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
weblogic_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7001
Chemin / cible
—
Service
WEBLOGIC
Payload
������������a _���2���b������r��,�z�����J� ����^�o4_K��r����e����v�ge�%��\z�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������a
_���2���b������r��,�z�����J� ����^�o4_K��r����e����v�ge�%��\z�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������a _���2���b������r��,�z�����J� ����^�o4_K��r����e����v�ge�%��\z�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �9��E��>,�%�x����POt�a~c�����`k
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765624c6f676963205365727665722031342e312e312e300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2037390d0a0d0a3c68746d6c3e3c7469746c653e5765624c6f676963205365727665722043",
"emulator_response_len": 177,
"bytes_in": 239,
"payload_entropy": 5.855306576501997,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic",
"app_proto": "weblogic",
"asn": 396982,
"country": "US",
"dst_port": 7001,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "6bf3cee0de73d44ed01f5c7c99a6418e2e5a3907",
"event_fingerprint": "32a6f49697b2ce7b83bad5e52485d2b846e3c1df",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "weblogic",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f79893e041d105004a84611d235dc012",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7001,
"service": "weblogic",
"service_name": "weblogic",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffda\n_\u001e\u0001\ufffd2\ufffd\ufffd\ufffdb\ufffd\u0019\u001c\ufffd\ufffd\ufffdr\ufffd\ufffd,\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd \ufffd\ufffd\ufffd\ufffd^\ufffdo4_K\ufffd\ufffdr\ufffd\u0018\ufffd\u0015e\ufffd\ufffd\ufffd\ufffdv\ufffdge\ufffd%\u001c\ufffd\\z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffda\n_\u001e\u0001\ufffd2\ufffd\ufffd\ufffdb\ufffd\u0019\u001c\ufffd\ufffd\ufffdr\ufffd\ufffd,\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd \ufffd\ufffd\ufffd\ufffd^\ufffdo4_K\ufffd\ufffdr\ufffd\u0018\ufffd\u0015e\ufffd\ufffd\ufffd\ufffdv\ufffdge\ufffd%\u001c\ufffd\\z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd9\u0002\ufffdE\ufffd\ufffd>,\ufffd%\ufffdx\ufffd\ufffd\ufffd\u0013POt\u0013a~c\ufffd\u0011\u001e\ufffd\ufffd`k",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffda\n_\u001e\u0001\ufffd2\ufffd\ufffd\ufffdb\ufffd\u0019\u001c\ufffd\ufffd\ufffdr\ufffd\ufffd,\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd \ufffd\ufffd\ufffd\ufffd^\ufffdo4_K\ufffd\ufffdr\ufffd\u0018\ufffd\u0015e\ufffd\ufffd\ufffd\ufffdv\ufffdge\ufffd%\u001c\ufffd\\z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f8d1ea277f65dae4448ac065517ffb6f5169b695",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffda\n_\u001e\u0001\ufffd2\ufffd\ufffd\ufffdb\ufffd\u0019\u001c\ufffd\ufffd\ufffdr\ufffd\ufffd,\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd \ufffd\ufffd\ufffd\ufffd^\ufffdo4_K\ufffd\ufffdr\ufffd\u0018\ufffd\u0015e\ufffd\ufffd\ufffd\ufffdv\ufffdge\ufffd%\u001c\ufffd\\z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7001,
"service": "weblogic",
"service_label_fr": "WEBLOGIC"
},
"evidence_snippet": "\ufffd\ufffd\ufffda\n_\ufffd2\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffdr\ufffd\ufffd,\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd \ufffd\ufffd\ufffd\ufffd^\ufffdo4_K\ufffd\ufffdr\ufffd\ufffde\ufffd\ufffd\ufffd\ufffdv\ufffdge\ufffd%\ufffd\\z&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via WEBLOGIC:7001 \u00b7 (reconnaissance)",
"target_port_label": "7001 \u00b7 WEBLOGIC",
"emulator_service": "weblogic",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via WEBLOGIC \u2014 multi-protocole (76 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "weblogic",
"service_label_fr": "WEBLOGIC",
"dst_port": 7001,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffda\n_\u001e\u0001\ufffd2\ufffd\ufffd\ufffdb\ufffd\u0019\u001c\ufffd\ufffd\ufffdr\ufffd\ufffd,\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd \ufffd\ufffd\ufffd\ufffd^\ufffdo4_K\ufffd\ufffdr\ufffd\u0018\ufffd\u0015e\ufffd\ufffd\ufffd\ufffdv\ufffdge\ufffd%\u001c\ufffd\\z\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7001,
"service": "weblogic",
"service_label_fr": "WEBLOGIC"
},
"attack_vector": "port scan syn \u00b7 via WEBLOGIC:7001 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffda\n_\ufffd2\ufffd\ufffd\ufffdb\ufffd\ufffd\ufffd\ufffdr\ufffd\ufffd,\ufffdz\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd \ufffd\ufffd\ufffd\ufffd^\ufffdo4_K\ufffd\ufffdr\ufffd\ufffde\ufffd\ufffd\ufffd\ufffdv\ufffdge\ufffd%\ufffd\\z&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7001 \u00b7 WEBLOGIC",
"emulator_service": "weblogic",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic",
"service_banner": "honeypot-weblogic",
"service_os": "linux",
"dst_port": "7001"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 157,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 157,
"scan_velocity_ports_per_s": 76.7,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 76,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan",
"couchbase"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello",
"weblogic_emulated"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7007 · WEBLOGIC CLUSTER
|
weblogic-cluster
|
Scan de ports
port scan syn · via WEBLOGIC CLUSTER:7007 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-CLUSTER
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7007
Chemin / cible
—
Service
WEBLOGIC CLUSTER
Payload
��������������@C���!s71�����ZvU��@�vv[�+�: O֔[z���=ԂW-�G������[��岎6����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������@C���!s71�����ZvU��@�vv[�+�: O֔[z���=ԂW-�G������[��岎6����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������@C���!s71�����ZvU��@�vv[�+�: O֔[z���=ԂW-�G������[��岎6����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����N���kw��o��G� �H��c�ty �'�F
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.939013065479923,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-cluster",
"app_proto": "weblogic-cluster",
"asn": 396982,
"country": "US",
"dst_port": 7007,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 0.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3d810c00589cb60dd6d520adb57348ec4a99e6be",
"event_fingerprint": "806a4b333c9480802fcc146d650d9eb9f9376c08",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "weblogic-cluster",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5c3da71d6a461edc10b43655e1dd1d20",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7007,
"service": "weblogic-cluster",
"service_name": "weblogic-cluster",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@C\ufffd\ufffd\ufffd!s71\ufffd\ufffd\ufffd\u001e\ufffdZvU\ufffd\ufffd@\u001bvv[\ufffd+\ufffd: O\u0594[z\u001b\ufffd\ufffd=\u0502W-\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd\u5c8e6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@C\ufffd\ufffd\ufffd!s71\ufffd\ufffd\ufffd\u001e\ufffdZvU\ufffd\ufffd@\u001bvv[\ufffd+\ufffd: O\u0594[z\u001b\ufffd\ufffd=\u0502W-\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd\u5c8e6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0018\ufffd\ufffd\ufffdN\ufffd\u0014\ufffdkw\u001c\ufffdo\ufffd\u0011G\ufffd\t\ufffdH\ufffd\ufffdc\ufffdty\n\ufffd'\ufffdF",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@C\ufffd\ufffd\ufffd!s71\ufffd\ufffd\ufffd\u001e\ufffdZvU\ufffd\ufffd@\u001bvv[\ufffd+\ufffd: O\u0594[z\u001b\ufffd\ufffd=\u0502W-\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd\u5c8e6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "421346b2ebd6767ef63a17cfd48715cf96b90921",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@C\ufffd\ufffd\ufffd!s71\ufffd\ufffd\ufffd\u001e\ufffdZvU\ufffd\ufffd@\u001bvv[\ufffd+\ufffd: O\u0594[z\u001b\ufffd\ufffd=\u0502W-\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd\u5c8e6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7007,
"service": "weblogic-cluster",
"service_label_fr": "WEBLOGIC CLUSTER"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd@C\ufffd\ufffd\ufffd!s71\ufffd\ufffd\ufffd\ufffdZvU\ufffd\ufffd@vv[\ufffd+\ufffd: O\u0594[z\ufffd\ufffd=\u0502W-\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd\u5c8e6\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via WEBLOGIC CLUSTER:7007 \u00b7 (reconnaissance)",
"target_port_label": "7007 \u00b7 WEBLOGIC CLUSTER",
"emulator_service": "weblogic-cluster",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via WEBLOGIC CLUSTER \u2014 multi-protocole (76 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "weblogic-cluster",
"service_label_fr": "WEBLOGIC CLUSTER",
"dst_port": 7007,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-cluster",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd@C\ufffd\ufffd\ufffd!s71\ufffd\ufffd\ufffd\u001e\ufffdZvU\ufffd\ufffd@\u001bvv[\ufffd+\ufffd: O\u0594[z\u001b\ufffd\ufffd=\u0502W-\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd\u5c8e6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7007,
"service": "weblogic-cluster",
"service_label_fr": "WEBLOGIC CLUSTER"
},
"attack_vector": "port scan syn \u00b7 via WEBLOGIC CLUSTER:7007 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd@C\ufffd\ufffd\ufffd!s71\ufffd\ufffd\ufffd\ufffdZvU\ufffd\ufffd@vv[\ufffd+\ufffd: O\u0594[z\ufffd\ufffd=\u0502W-\ufffdG\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd[\ufffd\ufffd\u5c8e6\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7007 \u00b7 WEBLOGIC CLUSTER",
"emulator_service": "weblogic-cluster",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_cluster",
"service_banner": "honeypot-weblogic-cluster",
"service_os": "linux",
"dst_port": "7007"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 157,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 157,
"scan_velocity_ports_per_s": 76.45,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 76,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan",
"couchbase"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7002 · WEBLOGIC SSL
|
weblogic-ssl
|
Scan de ports
port scan syn · via WEBLOGIC SSL:7002 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-SSL
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7002
Chemin / cible
—
Service
WEBLOGIC SSL
Payload
�����������ȿ0 �Q��C�K�Q7�v ���������SB�az Ԏi\�J-���1i��?-���1?�E-"�� �)���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ȿ0 �Q��C�K�Q7�v
���������SB�az Ԏi\�J-���1i��?-���1?�E-"��
�)���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������ȿ0 �Q��C�K�Q7�v ���������SB�az Ԏi\�J-���1i��?-���1?�E-"�� �)���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� !�>��4f��%���:f<������?F ����a
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.838147895830396,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-ssl",
"app_proto": "weblogic-ssl",
"asn": 396982,
"country": "US",
"dst_port": 7002,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3d16dab87e179b2671c3a5cceadbd0d2891787fd",
"event_fingerprint": "f3e3bbe365d5ac0deef37afc2c518f2cdcd13df9",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "weblogic-ssl",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "eb099e05cd35b3d67b63c856e107de2a",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7002,
"service": "weblogic-ssl",
"service_name": "weblogic-ssl",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u023f0\t\ufffdQ\ufffd\ufffdC\ufffdK\ufffdQ7\ufffdv\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\ufffd\ufffdSB\ufffdaz \u050ei\\\ufffdJ-\ufffd\u001a\ufffd1i\b\ufffd?-\ufffd\ufffd\ufffd1?\ufffdE-\"\ufffd\ufffd\r\ufffd)\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u023f0\t\ufffdQ\ufffd\ufffdC\ufffdK\ufffdQ7\ufffdv\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\ufffd\ufffdSB\ufffdaz \u050ei\\\ufffdJ-\ufffd\u001a\ufffd1i\b\ufffd?-\ufffd\ufffd\ufffd1?\ufffdE-\"\ufffd\ufffd\r\ufffd)\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 !\ufffd>\u074c\ufffd\ufffd4f\ufffd\u0013%\ufffd\u001f\ufffd:f<\ufffd\ufffd\ufffd\b\ufffd\ufffd?F\u000b\u0013\ufffd\ufffd\ufffda",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u023f0\t\ufffdQ\ufffd\ufffdC\ufffdK\ufffdQ7\ufffdv\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\ufffd\ufffdSB\ufffdaz \u050ei\\\ufffdJ-\ufffd\u001a\ufffd1i\b\ufffd?-\ufffd\ufffd\ufffd1?\ufffdE-\"\ufffd\ufffd\r\ufffd)\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ad27370321608699cad75aad411a9c73caaf4369",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u023f0\t\ufffdQ\ufffd\ufffdC\ufffdK\ufffdQ7\ufffdv\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\ufffd\ufffdSB\ufffdaz \u050ei\\\ufffdJ-\ufffd\u001a\ufffd1i\b\ufffd?-\ufffd\ufffd\ufffd1?\ufffdE-\"\ufffd\ufffd\r\ufffd)\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"evidence_snippet": "\ufffd\ufffd\u023f0\t\ufffdQ\ufffd\ufffdC\ufffdK\ufffdQ7\ufffdv\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdSB\ufffdaz \u050ei\\\ufffdJ-\ufffd\ufffd1i\ufffd?-\ufffd\ufffd\ufffd1?\ufffdE-\"\ufffd\ufffd\r\ufffd)\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via WEBLOGIC SSL:7002 \u00b7 (reconnaissance)",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via WEBLOGIC SSL \u2014 multi-protocole (76 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL",
"dst_port": 7002,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-ssl",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u023f0\t\ufffdQ\ufffd\ufffdC\ufffdK\ufffdQ7\ufffdv\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001a\ufffd\ufffdSB\ufffdaz \u050ei\\\ufffdJ-\ufffd\u001a\ufffd1i\b\ufffd?-\ufffd\ufffd\ufffd1?\ufffdE-\"\ufffd\ufffd\r\ufffd)\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7002,
"service": "weblogic-ssl",
"service_label_fr": "WEBLOGIC SSL"
},
"attack_vector": "port scan syn \u00b7 via WEBLOGIC SSL:7002 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\u023f0\t\ufffdQ\ufffd\ufffdC\ufffdK\ufffdQ7\ufffdv\n\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdSB\ufffdaz \u050ei\\\ufffdJ-\ufffd\ufffd1i\ufffd?-\ufffd\ufffd\ufffd1?\ufffdE-\"\ufffd\ufffd\r\ufffd)\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7002 \u00b7 WEBLOGIC SSL",
"emulator_service": "weblogic-ssl",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_ssl",
"service_banner": "honeypot-weblogic-ssl",
"service_os": "linux",
"dst_port": "7002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 157,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 157,
"scan_velocity_ports_per_s": 76.21,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 76,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan",
"couchbase"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9990 · JBOSS
|
jboss
|
Scan de ports
port scan syn · via JBOSS:9990 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
JBOSS
WAF
—
Recommandation
Surveiller
Tags
jboss_emulated
jboss_payload
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9990
Chemin / cible
—
Service
JBOSS
Payload
�������������� 7�� �AEl��E۱��������}m�K�ɧ f=�4.+ʁH���c0��,�e�p���~���B1�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������
7��
�AEl��E۱��������}m�K�ɧ f=�4.+ʁH���c0��,�e�p���~���B1�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������� 7�� �AEl��E۱��������}m�K�ɧ f=�4.+ʁH���c0��,�e�p���~���B1�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� Uy ������: ��s���܂�Z�H���H����R
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.8164494838915815,
"port_category": "registered",
"org": "Google LLC",
"service": "jboss",
"app_proto": "jboss",
"asn": 396982,
"country": "US",
"dst_port": 9990,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "033420b11985dce09456b0c758f36fba0bff5f7e",
"event_fingerprint": "2300b583b7d0ea8d7c0c4bea1e4b04f105da53bb",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "jboss",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fbcff5ea2b5d2dfeaab7ce6116402039",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9990,
"service": "jboss",
"service_name": "jboss",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\n7\ufffd\ufffd\r\ufffdAEl\ufffd\ufffdE\u06f1\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd}m\ufffdK\ufffd\u0267 f=\ufffd4.+\u0281H\ufffd\ufffd\u001ac0\ufffd\u001a,\ufffde\ufffdp\ufffd\ufffd\ufffd~\ufffd\u0003\ufffdB1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\n7\ufffd\ufffd\r\ufffdAEl\ufffd\ufffdE\u06f1\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd}m\ufffdK\ufffd\u0267 f=\ufffd4.+\u0281H\ufffd\ufffd\u001ac0\ufffd\u001a,\ufffde\ufffdp\ufffd\ufffd\ufffd~\ufffd\u0003\ufffdB1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Uy \u0007\ufffd\ufffd\u0017\ufffd\ufffd:\u000b\ufffd\ufffds\u0004\u000f\ufffd\u0702\ufffdZ\ufffdH\ufffd\u0000\ufffdH\u0007\u0016\ufffd\ufffdR",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\n7\ufffd\ufffd\r\ufffdAEl\ufffd\ufffdE\u06f1\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd}m\ufffdK\ufffd\u0267 f=\ufffd4.+\u0281H\ufffd\ufffd\u001ac0\ufffd\u001a,\ufffde\ufffdp\ufffd\ufffd\ufffd~\ufffd\u0003\ufffdB1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "037b64ab8e9dd8d0b5e08f1339657dbab316ab3a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\n7\ufffd\ufffd\r\ufffdAEl\ufffd\ufffdE\u06f1\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd}m\ufffdK\ufffd\u0267 f=\ufffd4.+\u0281H\ufffd\ufffd\u001ac0\ufffd\u001a,\ufffde\ufffdp\ufffd\ufffd\ufffd~\ufffd\u0003\ufffdB1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9990,
"service": "jboss",
"service_label_fr": "JBOSS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\n7\ufffd\ufffd\r\ufffdAEl\ufffd\ufffdE\u06f1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd}m\ufffdK\ufffd\u0267 f=\ufffd4.+\u0281H\ufffd\ufffdc0\ufffd,\ufffde\ufffdp\ufffd\ufffd\ufffd~\ufffd\ufffdB1&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via JBOSS:9990 \u00b7 (reconnaissance)",
"target_port_label": "9990 \u00b7 JBOSS",
"emulator_service": "jboss",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via JBOSS \u2014 multi-protocole (77 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "jboss",
"service_label_fr": "JBOSS",
"dst_port": 9990,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-jboss",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\n7\ufffd\ufffd\r\ufffdAEl\ufffd\ufffdE\u06f1\ufffd\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd}m\ufffdK\ufffd\u0267 f=\ufffd4.+\u0281H\ufffd\ufffd\u001ac0\ufffd\u001a,\ufffde\ufffdp\ufffd\ufffd\ufffd~\ufffd\u0003\ufffdB1\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9990,
"service": "jboss",
"service_label_fr": "JBOSS"
},
"attack_vector": "port scan syn \u00b7 via JBOSS:9990 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\n7\ufffd\ufffd\r\ufffdAEl\ufffd\ufffdE\u06f1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd}m\ufffdK\ufffd\u0267 f=\ufffd4.+\u0281H\ufffd\ufffdc0\ufffd,\ufffde\ufffdp\ufffd\ufffd\ufffd~\ufffd\ufffdB1&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9990 \u00b7 JBOSS",
"emulator_service": "jboss",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "jboss",
"service_banner": "honeypot-jboss",
"service_os": "linux",
"dst_port": "9990"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 158,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 158,
"scan_velocity_ports_per_s": 76.46,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 77,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan",
"couchbase"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"jboss_emulated",
"jboss_payload",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9998 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:9998 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9998
Chemin / cible
—
Service
TLS
Payload
�����������Ӆ1+� 0�A+����!��&�a���� [��@E0� k�p�֮����������:{��ޢ�ʒkٻ�o��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Ӆ1+� 0�A+����!��&�a�����[��@E0� k�p�֮����������:{��ޢ�ʒkٻ�o��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������Ӆ1+� 0�A+����!��&�a���� [��@E0� k�p�֮����������:{��ޢ�ʒkٻ�o��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �d�� ����ū����\��X�t���9��;�jG:
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.896900381102224,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 9998,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "a6872888a0152c196f15fcbf8d546b775051ba0c",
"event_fingerprint": "6ee54ad5256f53f4cb09892a873ad9cd859011fd",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "929667311e952e0989de7d0303e59519",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9998,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u04c51+\u001c\t0\ufffdA+\ufffd\ufffd\u0017\ufffd!\ufffd\ufffd&\u0012a\ufffd\ufffd\ufffd\u0019\f[\u000e\ufffd@E0\ufffd k\u0015p\ufffd\u05ae\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001c:{\ufffd\ufffd\u07a2\ufffd\u0292k\u067b\ufffdo\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u04c51+\u001c\t0\ufffdA+\ufffd\ufffd\u0017\ufffd!\ufffd\ufffd&\u0012a\ufffd\ufffd\ufffd\u0019\f[\u000e\ufffd@E0\ufffd k\u0015p\ufffd\u05ae\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001c:{\ufffd\ufffd\u07a2\ufffd\u0292k\u067b\ufffdo\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdd\ufffd\ufffd\n\ufffd\u0011\ufffd\ufffd\u016b\u001a\ufffd\u0007\ufffd\\\u001a\ufffdX\ufffdt\ufffd\ufffd\ufffd9\ufffd\ufffd;\ufffdjG:",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u04c51+\u001c\t0\ufffdA+\ufffd\ufffd\u0017\ufffd!\ufffd\ufffd&\u0012a\ufffd\ufffd\ufffd\u0019\f[\u000e\ufffd@E0\ufffd k\u0015p\ufffd\u05ae\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001c:{\ufffd\ufffd\u07a2\ufffd\u0292k\u067b\ufffdo\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7fe4db73d4d853fe23435dbdb5f0b7e64e7ca4e4",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u04c51+\u001c\t0\ufffdA+\ufffd\ufffd\u0017\ufffd!\ufffd\ufffd&\u0012a\ufffd\ufffd\ufffd\u0019\f[\u000e\ufffd@E0\ufffd k\u0015p\ufffd\u05ae\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001c:{\ufffd\ufffd\u07a2\ufffd\u0292k\u067b\ufffdo\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9998,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\u04c51+\t0\ufffdA+\ufffd\ufffd\ufffd!\ufffd\ufffd&a\ufffd\ufffd\ufffd[\ufffd@E0\ufffd kp\ufffd\u05ae\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd:{\ufffd\ufffd\u07a2\ufffd\u0292k\u067b\ufffdo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:9998 \u00b7 (reconnaissance)",
"target_port_label": "9998 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (77 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9998,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u04c51+\u001c\t0\ufffdA+\ufffd\ufffd\u0017\ufffd!\ufffd\ufffd&\u0012a\ufffd\ufffd\ufffd\u0019\f[\u000e\ufffd@E0\ufffd k\u0015p\ufffd\u05ae\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u001c:{\ufffd\ufffd\u07a2\ufffd\u0292k\u067b\ufffdo\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9998,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:9998 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\u04c51+\t0\ufffdA+\ufffd\ufffd\ufffd!\ufffd\ufffd&a\ufffd\ufffd\ufffd[\ufffd@E0\ufffd kp\ufffd\u05ae\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd:{\ufffd\ufffd\u07a2\ufffd\u0292k\u067b\ufffdo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9998 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9998"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 159,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 159,
"scan_velocity_ports_per_s": 76.68,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 77,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan",
"couchbase"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9999 · ADMIN ALT
|
admin-alt
|
Scan de ports
port scan syn · via ADMIN ALT:9999 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
ADMIN-ALT
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9999
Chemin / cible
—
Service
ADMIN ALT
Payload
������������<I�Hh�A����kJ���l@g9]�9����&�� �u���B+X���%���Y] 1P��I�� �����P�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������<I�Hh�A����kJ���l@g9]�9����&�� �u���B+X���%���Y]
1P��I��
�����P�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������<I�Hh�A����kJ���l@g9]�9����&�� �u���B+X���%���Y] 1P��I�� �����P�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� MP���~��g]ك[ !�P�����+����ui�a
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.778378236321492,
"port_category": "registered",
"org": "Google LLC",
"service": "admin-alt",
"app_proto": "admin-alt",
"asn": 396982,
"country": "US",
"dst_port": 9999,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "bdbbe5233b19b0c9c12daa551e879ad8d54d7ecc",
"event_fingerprint": "2ee2262594a4abb9d6fa4e3a1985a94d69b768de",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "admin-alt",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8b84c9aa53686a470275056fd65dfc7b",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9999,
"service": "admin-alt",
"service_name": "admin-alt",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006<I\ufffdHh\ufffdA\ufffd\ufffd\ufffd\ufffdkJ\u0002\u001c\ufffdl@g9]\ufffd9\ufffd\ufffd\ufffd\u001d&\ufffd\ufffd \ufffdu\ufffd\ufffd\u0011B+X\ufffd\u0003\u001b%\ufffd\ufffd\ufffdY]\r1P\ufffd\u0002I\ufffd\ufffd\n\ufffd\ufffd\ufffd\u0010\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006<I\ufffdHh\ufffdA\ufffd\ufffd\ufffd\ufffdkJ\u0002\u001c\ufffdl@g9]\ufffd9\ufffd\ufffd\ufffd\u001d&\ufffd\ufffd \ufffdu\ufffd\ufffd\u0011B+X\ufffd\u0003\u001b%\ufffd\ufffd\ufffdY]\r1P\ufffd\u0002I\ufffd\ufffd\n\ufffd\ufffd\ufffd\u0010\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 MP\u0013\u0002\ufffd~\ufffd\ufffdg]\u0643[\u000b!\ufffdP\ufffd\u001b\ufffd\ufffd\ufffd+\ufffd\u0006\ufffd\u0015ui\ufffda",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006<I\ufffdHh\ufffdA\ufffd\ufffd\ufffd\ufffdkJ\u0002\u001c\ufffdl@g9]\ufffd9\ufffd\ufffd\ufffd\u001d&\ufffd\ufffd \ufffdu\ufffd\ufffd\u0011B+X\ufffd\u0003\u001b%\ufffd\ufffd\ufffdY]\r1P\ufffd\u0002I\ufffd\ufffd\n\ufffd\ufffd\ufffd\u0010\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5e291c0b661eb19c20cb1855476d3e5f8499cbce",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006<I\ufffdHh\ufffdA\ufffd\ufffd\ufffd\ufffdkJ\u0002\u001c\ufffdl@g9]\ufffd9\ufffd\ufffd\ufffd\u001d&\ufffd\ufffd \ufffdu\ufffd\ufffd\u0011B+X\ufffd\u0003\u001b%\ufffd\ufffd\ufffdY]\r1P\ufffd\u0002I\ufffd\ufffd\n\ufffd\ufffd\ufffd\u0010\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9999,
"service": "admin-alt",
"service_label_fr": "ADMIN ALT"
},
"evidence_snippet": "\ufffd\ufffd<I\ufffdHh\ufffdA\ufffd\ufffd\ufffd\ufffdkJ\ufffdl@g9]\ufffd9\ufffd\ufffd\ufffd&\ufffd\ufffd \ufffdu\ufffd\ufffdB+X\ufffd%\ufffd\ufffd\ufffdY]\r1P\ufffdI\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdP&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via ADMIN ALT:9999 \u00b7 (reconnaissance)",
"target_port_label": "9999 \u00b7 ADMIN ALT",
"emulator_service": "admin-alt",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via ADMIN ALT \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "admin-alt",
"service_label_fr": "ADMIN ALT",
"dst_port": 9999,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-admin-alt",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0006<I\ufffdHh\ufffdA\ufffd\ufffd\ufffd\ufffdkJ\u0002\u001c\ufffdl@g9]\ufffd9\ufffd\ufffd\ufffd\u001d&\ufffd\ufffd \ufffdu\ufffd\ufffd\u0011B+X\ufffd\u0003\u001b%\ufffd\ufffd\ufffdY]\r1P\ufffd\u0002I\ufffd\ufffd\n\ufffd\ufffd\ufffd\u0010\ufffdP\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9999,
"service": "admin-alt",
"service_label_fr": "ADMIN ALT"
},
"attack_vector": "port scan syn \u00b7 via ADMIN ALT:9999 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd<I\ufffdHh\ufffdA\ufffd\ufffd\ufffd\ufffdkJ\ufffdl@g9]\ufffd9\ufffd\ufffd\ufffd&\ufffd\ufffd \ufffdu\ufffd\ufffdB+X\ufffd%\ufffd\ufffd\ufffdY]\r1P\ufffdI\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdP&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9999 \u00b7 ADMIN ALT",
"emulator_service": "admin-alt",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "admin_alt",
"service_banner": "honeypot-admin-alt",
"service_os": "linux",
"dst_port": "9999"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 76.89,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7272 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:7272 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7272
Chemin / cible
—
Service
TLS
Payload
�������������0�ԑ,���yh�����!C[�� 0�S��ӈ� Z#���"%�Î��֠��$����LW^������C�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������0�ԑ,���yh�����!C[���0�S��ӈ� Z#���"%�Î��֠��$����LW^������C�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������0�ԑ,���yh�����!C[�� 0�S��ӈ� Z#���"%�Î��֠��$����LW^������C�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���sE�=��l[�</��7����������ٔ�N
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.794673588192056,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 7272,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "7fe50cd234110f34d2381597b919af6b4439cda4",
"event_fingerprint": "9a798299243770165ffbe357f91c8314ff84bea1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "62d2618e626fb7975b0b819be0d4bdd0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7272,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0010\ufffd0\ufffd\u0511,\u0012\ufffd\ufffdyh\ufffd\u0012\ufffd\u0017\ufffd!C[\ufffd\u0016\u000b0\ufffdS\ufffd\u0012\u04c8\ufffd Z#\ufffd\ufffd\u0004\"%\ufffd\u00ce\ufffd\u0012\u05a0\ufffd\ufffd$\ufffd\ufffd\ufffd\u0005LW^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0010\ufffd0\ufffd\u0511,\u0012\ufffd\ufffdyh\ufffd\u0012\ufffd\u0017\ufffd!C[\ufffd\u0016\u000b0\ufffdS\ufffd\u0012\u04c8\ufffd Z#\ufffd\ufffd\u0004\"%\ufffd\u00ce\ufffd\u0012\u05a0\ufffd\ufffd$\ufffd\ufffd\ufffd\u0005LW^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0007\ufffd\ufffdsE\ufffd=\ufffd\ufffdl[\ufffd<\/\ufffd\ufffd7\u0010\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005\ufffd\u0004\u0654\ufffdN",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0010\ufffd0\ufffd\u0511,\u0012\ufffd\ufffdyh\ufffd\u0012\ufffd\u0017\ufffd!C[\ufffd\u0016\u000b0\ufffdS\ufffd\u0012\u04c8\ufffd Z#\ufffd\ufffd\u0004\"%\ufffd\u00ce\ufffd\u0012\u05a0\ufffd\ufffd$\ufffd\ufffd\ufffd\u0005LW^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "645e460473603efce800dcd34bf9a64ae296a517",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0010\ufffd0\ufffd\u0511,\u0012\ufffd\ufffdyh\ufffd\u0012\ufffd\u0017\ufffd!C[\ufffd\u0016\u000b0\ufffdS\ufffd\u0012\u04c8\ufffd Z#\ufffd\ufffd\u0004\"%\ufffd\u00ce\ufffd\u0012\u05a0\ufffd\ufffd$\ufffd\ufffd\ufffd\u0005LW^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7272,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd0\ufffd\u0511,\ufffd\ufffdyh\ufffd\ufffd\ufffd!C[\ufffd0\ufffdS\ufffd\u04c8\ufffd Z#\ufffd\ufffd\"%\ufffd\u00ce\ufffd\u05a0\ufffd\ufffd$\ufffd\ufffd\ufffdLW^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:7272 \u00b7 (reconnaissance)",
"target_port_label": "7272 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 7272,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0010\ufffd0\ufffd\u0511,\u0012\ufffd\ufffdyh\ufffd\u0012\ufffd\u0017\ufffd!C[\ufffd\u0016\u000b0\ufffdS\ufffd\u0012\u04c8\ufffd Z#\ufffd\ufffd\u0004\"%\ufffd\u00ce\ufffd\u0012\u05a0\ufffd\ufffd$\ufffd\ufffd\ufffd\u0005LW^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7272,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:7272 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd0\ufffd\u0511,\ufffd\ufffdyh\ufffd\ufffd\ufffd!C[\ufffd0\ufffdS\ufffd\u04c8\ufffd Z#\ufffd\ufffd\"%\ufffd\u00ce\ufffd\u05a0\ufffd\ufffd$\ufffd\ufffd\ufffdLW^\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7272 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "7272"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 76.61,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7008 · WEBLOGIC CLUSTER
|
weblogic-cluster
|
Scan de ports
port scan syn · via WEBLOGIC CLUSTER:7008 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBLOGIC-CLUSTER
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7008
Chemin / cible
—
Service
WEBLOGIC CLUSTER
Payload
�����������[���uR��%�K���9�eO~��v�*(�?���� 1���.������6���l�o�%6g�������vX�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������[���uR��%�K���9�eO~��v�*(�?���� 1���.������6���l�o�%6g�������vX�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������[���uR��%�K���9�eO~��v�*(�?���� 1���.������6���l�o�%6g�������vX�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��@}OX*�}(�j�����8�;�;�����wH��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.785062334173601,
"port_category": "registered",
"org": "Google LLC",
"service": "weblogic-cluster",
"app_proto": "weblogic-cluster",
"asn": 396982,
"country": "US",
"dst_port": 7008,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "dfaa47b999f4c6f8bb3c6a7c15d188b9035a4244",
"event_fingerprint": "64ef318c3c98c9d5c284f6912844a6293bfcffc7",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "weblogic-cluster",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ce27218ce40738897465bbec40b808dc",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7008,
"service": "weblogic-cluster",
"service_name": "weblogic-cluster",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003[\u0003\ufffd\ufffduR\ufffd\u0005%\ufffdK\u0012\ufffd\ufffd9\ufffdeO~\ufffd\ufffdv\u0000*(\ufffd?\ufffd\ufffd\ufffd\ufffd 1\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\u0014\ufffd6\ufffd\ufffd\ufffdl\ufffdo\u0015%6g\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffdvX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003[\u0003\ufffd\ufffduR\ufffd\u0005%\ufffdK\u0012\ufffd\ufffd9\ufffdeO~\ufffd\ufffdv\u0000*(\ufffd?\ufffd\ufffd\ufffd\ufffd 1\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\u0014\ufffd6\ufffd\ufffd\ufffdl\ufffdo\u0015%6g\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffdvX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd@}OX*\u0007}(\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffd;\ufffd;\ufffd\u0000\u0005\ufffd\ufffdwH\ufffd\u0016",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003[\u0003\ufffd\ufffduR\ufffd\u0005%\ufffdK\u0012\ufffd\ufffd9\ufffdeO~\ufffd\ufffdv\u0000*(\ufffd?\ufffd\ufffd\ufffd\ufffd 1\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\u0014\ufffd6\ufffd\ufffd\ufffdl\ufffdo\u0015%6g\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffdvX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8fd88395c2a8a7879bed7029db8aa929149a7fa7",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003[\u0003\ufffd\ufffduR\ufffd\u0005%\ufffdK\u0012\ufffd\ufffd9\ufffdeO~\ufffd\ufffdv\u0000*(\ufffd?\ufffd\ufffd\ufffd\ufffd 1\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\u0014\ufffd6\ufffd\ufffd\ufffdl\ufffdo\u0015%6g\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffdvX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7008,
"service": "weblogic-cluster",
"service_label_fr": "WEBLOGIC CLUSTER"
},
"evidence_snippet": "\ufffd\ufffd[\ufffd\ufffduR\ufffd%\ufffdK\ufffd\ufffd9\ufffdeO~\ufffd\ufffdv*(\ufffd?\ufffd\ufffd\ufffd\ufffd 1\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffd\ufffd\ufffdl\ufffdo%6g\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdvX&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via WEBLOGIC CLUSTER:7008 \u00b7 (reconnaissance)",
"target_port_label": "7008 \u00b7 WEBLOGIC CLUSTER",
"emulator_service": "weblogic-cluster",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via WEBLOGIC CLUSTER \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "weblogic-cluster",
"service_label_fr": "WEBLOGIC CLUSTER",
"dst_port": 7008,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-weblogic-cluster",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003[\u0003\ufffd\ufffduR\ufffd\u0005%\ufffdK\u0012\ufffd\ufffd9\ufffdeO~\ufffd\ufffdv\u0000*(\ufffd?\ufffd\ufffd\ufffd\ufffd 1\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\u0014\ufffd6\ufffd\ufffd\ufffdl\ufffdo\u0015%6g\ufffd\ufffd\ufffd\ufffd\b\ufffd\ufffdvX\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7008,
"service": "weblogic-cluster",
"service_label_fr": "WEBLOGIC CLUSTER"
},
"attack_vector": "port scan syn \u00b7 via WEBLOGIC CLUSTER:7008 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd[\ufffd\ufffduR\ufffd%\ufffdK\ufffd\ufffd9\ufffdeO~\ufffd\ufffdv*(\ufffd?\ufffd\ufffd\ufffd\ufffd 1\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffd\ufffd\ufffdl\ufffdo%6g\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdvX&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7008 \u00b7 WEBLOGIC CLUSTER",
"emulator_service": "weblogic-cluster",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "weblogic_cluster",
"service_banner": "honeypot-weblogic-cluster",
"service_os": "linux",
"dst_port": "7008"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 76.37,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7474 · NEO4J HTTP
|
neo4j-http
|
Scan de ports
port scan syn · via NEO4J HTTP:7474 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
NEO4J-HTTP
WAF
—
Recommandation
Surveiller
Tags
neo4j_http_emulated
neo4j_http_payload
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7474
Chemin / cible
—
Service
NEO4J HTTP
Payload
�����������Y{%�d��.}L�B�����#\�0;�;��zh���� �z�umv���ט�v��v-j�����f��x�.W֭�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Y{%�d��.}L�B�����#\�0;�;��zh���� �z�umv���ט�v��v-j�����f��x�.W֭�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������Y{%�d��.}L�B�����#\�0;�;��zh���� �z�umv���ט�v��v-j�����f��x�.W֭�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �/�+���������s�/��]\uz��Y�u��Z
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206e656f346a5f6874747020726561647920706f72743d373437340d0a",
"emulator_response_len": 41,
"bytes_in": 239,
"payload_entropy": 5.853626479067588,
"port_category": "registered",
"org": "Google LLC",
"service": "neo4j-http",
"app_proto": "neo4j-http",
"asn": 396982,
"country": "US",
"dst_port": 7474,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "de5117d0f779915e28c8ace13add8f8878355feb",
"event_fingerprint": "567b5a7b5228f3d7fb85dff2966ccc2eba4ea747",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "neo4j-http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6bdca837a9be61a4f79e1520974c7ab7",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7474,
"service": "neo4j-http",
"service_name": "neo4j-http",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y{%\ufffdd\ufffd\ufffd.}L\ufffdB\u0003\ufffd\ufffd\u001e\u0010#\\\u00100;\ufffd;\u000f\ufffdzh\ufffd\u0014\ufffd\ufffd \ufffdz\u001bumv\u0003\ufffd\ufffd\u05d8\ufffdv\ufffd\ufffdv-j\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffdx\ufffd.W\u05ad\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y{%\ufffdd\ufffd\ufffd.}L\ufffdB\u0003\ufffd\ufffd\u001e\u0010#\\\u00100;\ufffd;\u000f\ufffdzh\ufffd\u0014\ufffd\ufffd \ufffdz\u001bumv\u0003\ufffd\ufffd\u05d8\ufffdv\ufffd\ufffdv-j\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffdx\ufffd.W\u05ad\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\/\ufffd+\ufffd\ufffd\u001b\u001b\ufffd\ufffd\ufffd\u0004\ufffds\ufffd\/\ufffd\ufffd]\\uz\ufffd\ufffdY\ufffdu\ufffd\ufffdZ",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y{%\ufffdd\ufffd\ufffd.}L\ufffdB\u0003\ufffd\ufffd\u001e\u0010#\\\u00100;\ufffd;\u000f\ufffdzh\ufffd\u0014\ufffd\ufffd \ufffdz\u001bumv\u0003\ufffd\ufffd\u05d8\ufffdv\ufffd\ufffdv-j\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffdx\ufffd.W\u05ad\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "66d2e8c9d4447015f9294ddf43a15816d014824c",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y{%\ufffdd\ufffd\ufffd.}L\ufffdB\u0003\ufffd\ufffd\u001e\u0010#\\\u00100;\ufffd;\u000f\ufffdzh\ufffd\u0014\ufffd\ufffd \ufffdz\u001bumv\u0003\ufffd\ufffd\u05d8\ufffdv\ufffd\ufffdv-j\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffdx\ufffd.W\u05ad\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"evidence_snippet": "\ufffd\ufffdY{%\ufffdd\ufffd\ufffd.}L\ufffdB\ufffd\ufffd#\\0;\ufffd;\ufffdzh\ufffd\ufffd\ufffd \ufffdzumv\ufffd\ufffd\u05d8\ufffdv\ufffd\ufffdv-j\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffdx\ufffd.W\u05ad&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via NEO4J HTTP:7474 \u00b7 (reconnaissance)",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NEO4J HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "neo4j-http",
"service_label_fr": "NEO4J HTTP",
"dst_port": 7474,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-neo4j-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Y{%\ufffdd\ufffd\ufffd.}L\ufffdB\u0003\ufffd\ufffd\u001e\u0010#\\\u00100;\ufffd;\u000f\ufffdzh\ufffd\u0014\ufffd\ufffd \ufffdz\u001bumv\u0003\ufffd\ufffd\u05d8\ufffdv\ufffd\ufffdv-j\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffdx\ufffd.W\u05ad\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7474,
"service": "neo4j-http",
"service_label_fr": "NEO4J HTTP"
},
"attack_vector": "port scan syn \u00b7 via NEO4J HTTP:7474 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdY{%\ufffdd\ufffd\ufffd.}L\ufffdB\ufffd\ufffd#\\0;\ufffd;\ufffdzh\ufffd\ufffd\ufffd \ufffdzumv\ufffd\ufffd\u05d8\ufffdv\ufffd\ufffdv-j\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffd\ufffdx\ufffd.W\u05ad&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7474 \u00b7 NEO4J HTTP",
"emulator_service": "neo4j-http",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "neo4j_http",
"service_banner": "honeypot-neo4j-http",
"service_os": "linux",
"dst_port": "7474"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 76.13,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"neo4j_http_emulated",
"neo4j_http_payload",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7373 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:7373 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7373
Chemin / cible
—
Service
TLS
Payload
������������M��E�P�I���_�G���ŷ���ij���Q �� ��n����?��:t�=�I���B��3��q"�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������M��E�P�I���_�G���ŷ���ij���Q��� ��n����?��:t�=�I���B��3��q"�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������M��E�P�I���_�G���ŷ���ij���Q �� ��n����?��:t�=�I���B��3��q"�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� $_+��;�2��ZUN=�6�]Ut`�K@H+ٸ��65
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8685291716832815,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 7373,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "8aa0986985b15fad944749be675067b127bd5dfd",
"event_fingerprint": "80ae7b245ee692f04eaae628590d47ffc7bce516",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "bccf4d6f54d85b8462c569b94074d085",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7373,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdM\ufffd\u0007E\ufffdP\ufffdI\ufffd\ufffd\ufffd_\ufffdG\ufffd\ufffd\ufffd\u0177\ufffd\u0007\ufffd\u0133\ufffd\u0004\ufffdQ\f\ufffd\ufffd \ufffd\ufffdn\ufffd\ufffd\ufffd\b?\ufffd\ufffd:t\ufffd=\ufffdI\ufffd\u0010\ufffdB\ufffd\ufffd3\ufffd\ufffdq\"\ufffd\ufffd\ufffd\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdM\ufffd\u0007E\ufffdP\ufffdI\ufffd\ufffd\ufffd_\ufffdG\ufffd\ufffd\ufffd\u0177\ufffd\u0007\ufffd\u0133\ufffd\u0004\ufffdQ\f\ufffd\ufffd \ufffd\ufffdn\ufffd\ufffd\ufffd\b?\ufffd\ufffd:t\ufffd=\ufffdI\ufffd\u0010\ufffdB\ufffd\ufffd3\ufffd\ufffdq\"\ufffd\ufffd\ufffd\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 $_+\ufffd\ufffd;\ufffd2\ufffd\ufffdZUN=\u00156\ufffd]Ut`\ufffdK@H+\u0678\u0015\ufffd65",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdM\ufffd\u0007E\ufffdP\ufffdI\ufffd\ufffd\ufffd_\ufffdG\ufffd\ufffd\ufffd\u0177\ufffd\u0007\ufffd\u0133\ufffd\u0004\ufffdQ\f\ufffd\ufffd \ufffd\ufffdn\ufffd\ufffd\ufffd\b?\ufffd\ufffd:t\ufffd=\ufffdI\ufffd\u0010\ufffdB\ufffd\ufffd3\ufffd\ufffdq\"\ufffd\ufffd\ufffd\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "53ef664f8f384a41d124a5d25e8a846292b30fde",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdM\ufffd\u0007E\ufffdP\ufffdI\ufffd\ufffd\ufffd_\ufffdG\ufffd\ufffd\ufffd\u0177\ufffd\u0007\ufffd\u0133\ufffd\u0004\ufffdQ\f\ufffd\ufffd \ufffd\ufffdn\ufffd\ufffd\ufffd\b?\ufffd\ufffd:t\ufffd=\ufffdI\ufffd\u0010\ufffdB\ufffd\ufffd3\ufffd\ufffdq\"\ufffd\ufffd\ufffd\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7373,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdM\ufffdE\ufffdP\ufffdI\ufffd\ufffd\ufffd_\ufffdG\ufffd\ufffd\ufffd\u0177\ufffd\ufffd\u0133\ufffd\ufffdQ\ufffd\ufffd \ufffd\ufffdn\ufffd\ufffd\ufffd?\ufffd\ufffd:t\ufffd=\ufffdI\ufffd\ufffdB\ufffd\ufffd3\ufffd\ufffdq\"\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:7373 \u00b7 (reconnaissance)",
"target_port_label": "7373 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 7373,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdM\ufffd\u0007E\ufffdP\ufffdI\ufffd\ufffd\ufffd_\ufffdG\ufffd\ufffd\ufffd\u0177\ufffd\u0007\ufffd\u0133\ufffd\u0004\ufffdQ\f\ufffd\ufffd \ufffd\ufffdn\ufffd\ufffd\ufffd\b?\ufffd\ufffd:t\ufffd=\ufffdI\ufffd\u0010\ufffdB\ufffd\ufffd3\ufffd\ufffdq\"\ufffd\ufffd\ufffd\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7373,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:7373 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdM\ufffdE\ufffdP\ufffdI\ufffd\ufffd\ufffd_\ufffdG\ufffd\ufffd\ufffd\u0177\ufffd\ufffd\u0133\ufffd\ufffdQ\ufffd\ufffd \ufffd\ufffdn\ufffd\ufffd\ufffd?\ufffd\ufffd:t\ufffd=\ufffdI\ufffd\ufffdB\ufffd\ufffd3\ufffd\ufffdq\"\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7373 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "7373"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 75.89,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7575 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:7575 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7575
Chemin / cible
—
Service
TLS
Payload
�������������� B�HjZ�Vs��$?Q �Gf��f�E�'��e� �� LT�c©F��fi��h�����u��%,�"Y�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������
B�HjZ�Vs��$?Q
�Gf��f�E�'��e� ��
LT�c©F��fi��h�����u��%,�"Y�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������� B�HjZ�Vs��$?Q �Gf��f�E�'��e� �� LT�c©F��fi��h�����u��%,�"Y�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ������/�ȋ�p��v��B�����:�$��0��'
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.7945642284353145,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 7575,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "efc3bdadc4de93f14612ddff4b6dc8995aa3d509",
"event_fingerprint": "cd8773e4d1d9002a12db78c870d815cbd12b0aad",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "43b58a18bf3140bc1e403fbeccaeea8a",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7575,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\u0006\ufffd\nB\ufffdHjZ\ufffdVs\ufffd\u0006$?Q\r\ufffdGf\u001b\ufffdf\u001dE\ufffd'\ufffd\u0004e\u0015 \ufffd\ufffd\nLT\u001bc\u00a9F\ufffd\ufffdfi\ufffd\ufffdh\ufffd\ufffd\ufffd\u0013\ufffdu\u038b\u0007\ufffd%,\ufffd\"Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\u0006\ufffd\nB\ufffdHjZ\ufffdVs\ufffd\u0006$?Q\r\ufffdGf\u001b\ufffdf\u001dE\ufffd'\ufffd\u0004e\u0015 \ufffd\ufffd\nLT\u001bc\u00a9F\ufffd\ufffdfi\ufffd\ufffdh\ufffd\ufffd\ufffd\u0013\ufffdu\u038b\u0007\ufffd%,\ufffd\"Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\/\ufffd\u020b\ufffdp\u0004\ufffdv\ufffd\u0003B\ufffd\u0010\u0003\ufffd\ufffd:\ufffd$\u000f\ufffd0\ufffd\ufffd'",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\u0006\ufffd\nB\ufffdHjZ\ufffdVs\ufffd\u0006$?Q\r\ufffdGf\u001b\ufffdf\u001dE\ufffd'\ufffd\u0004e\u0015 \ufffd\ufffd\nLT\u001bc\u00a9F\ufffd\ufffdfi\ufffd\ufffdh\ufffd\ufffd\ufffd\u0013\ufffdu\u038b\u0007\ufffd%,\ufffd\"Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a269bdfb84ea2610d511e0248ceb28f068806a58",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\u0006\ufffd\nB\ufffdHjZ\ufffdVs\ufffd\u0006$?Q\r\ufffdGf\u001b\ufffdf\u001dE\ufffd'\ufffd\u0004e\u0015 \ufffd\ufffd\nLT\u001bc\u00a9F\ufffd\ufffdfi\ufffd\ufffdh\ufffd\ufffd\ufffd\u0013\ufffdu\u038b\u0007\ufffd%,\ufffd\"Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7575,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\nB\ufffdHjZ\ufffdVs\ufffd$?Q\r\ufffdGf\ufffdfE\ufffd'\ufffde \ufffd\ufffd\nLTc\u00a9F\ufffd\ufffdfi\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffdu\u038b\ufffd%,\ufffd\"Y&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:7575 \u00b7 (reconnaissance)",
"target_port_label": "7575 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 7575,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\u0006\ufffd\nB\ufffdHjZ\ufffdVs\ufffd\u0006$?Q\r\ufffdGf\u001b\ufffdf\u001dE\ufffd'\ufffd\u0004e\u0015 \ufffd\ufffd\nLT\u001bc\u00a9F\ufffd\ufffdfi\ufffd\ufffdh\ufffd\ufffd\ufffd\u0013\ufffdu\u038b\u0007\ufffd%,\ufffd\"Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7575,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:7575 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\nB\ufffdHjZ\ufffdVs\ufffd$?Q\r\ufffdGf\ufffdfE\ufffd'\ufffde \ufffd\ufffd\nLTc\u00a9F\ufffd\ufffdfi\ufffd\ufffdh\ufffd\ufffd\ufffd\ufffdu\u038b\ufffd%,\ufffd\"Y&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7575 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "7575"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 75.62,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7676 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:7676 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7676
Chemin / cible
—
Service
TLS
Payload
�����������Ǒ��H^m���C$�v�b��-_� bou5I �Ӛ �%2��y���*�Co�I�Ve��?����:O��F��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Ǒ��H^m���C$�v�b��-_��bou5I �Ӛ �%2��y���*�Co�I�Ve��?����:O��F��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������Ǒ��H^m���C$�v�b��-_� bou5I �Ӛ �%2��y���*�Co�I�Ve��?����:O��F��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� r ����� ��L�$l��z�WH��q]�����l]a
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.811506590645209,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 7676,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "91c49414ad5c18e7545e8bbec53904a726edb224",
"event_fingerprint": "6861b9964f2f17788f20627cd2f320cabd93721c",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "587f8d6051a8a7ec07e2c64523a40a2d",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7676,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01d1\ufffd\ufffdH^m\ufffd\b\ufffdC$\ufffdv\ufffdb\ufffd\u000f-_\ufffd\fbou5I\t\u001b\u04da \u001d%2\ufffd\ufffdy\u0007\ufffd\u0005*\u0004Co\ufffdI\ufffdVe\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd:O\ufffd\ufffdF\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01d1\ufffd\ufffdH^m\ufffd\b\ufffdC$\ufffdv\ufffdb\ufffd\u000f-_\ufffd\fbou5I\t\u001b\u04da \u001d%2\ufffd\ufffdy\u0007\ufffd\u0005*\u0004Co\ufffdI\ufffdVe\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd:O\ufffd\ufffdF\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 r\t\u000f\ufffd\u0002\u0002\ufffd\t\ufffd\ufffdL\ufffd$l\ufffd\ufffdz\u0002WH\ufffd\ufffdq]\ufffd\ufffd\ufffd\ufffd\ufffdl]a",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01d1\ufffd\ufffdH^m\ufffd\b\ufffdC$\ufffdv\ufffdb\ufffd\u000f-_\ufffd\fbou5I\t\u001b\u04da \u001d%2\ufffd\ufffdy\u0007\ufffd\u0005*\u0004Co\ufffdI\ufffdVe\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd:O\ufffd\ufffdF\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "44e599110433d5ff5adfdf9a946e7978d83cd9d3",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01d1\ufffd\ufffdH^m\ufffd\b\ufffdC$\ufffdv\ufffdb\ufffd\u000f-_\ufffd\fbou5I\t\u001b\u04da \u001d%2\ufffd\ufffdy\u0007\ufffd\u0005*\u0004Co\ufffdI\ufffdVe\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd:O\ufffd\ufffdF\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7676,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\u01d1\ufffd\ufffdH^m\ufffd\ufffdC$\ufffdv\ufffdb\ufffd-_\ufffdbou5I\t\u04da %2\ufffd\ufffdy\ufffd*Co\ufffdI\ufffdVe\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd:O\ufffd\ufffdF\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:7676 \u00b7 (reconnaissance)",
"target_port_label": "7676 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 7676,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u01d1\ufffd\ufffdH^m\ufffd\b\ufffdC$\ufffdv\ufffdb\ufffd\u000f-_\ufffd\fbou5I\t\u001b\u04da \u001d%2\ufffd\ufffdy\u0007\ufffd\u0005*\u0004Co\ufffdI\ufffdVe\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd:O\ufffd\ufffdF\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7676,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:7676 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\u01d1\ufffd\ufffdH^m\ufffd\ufffdC$\ufffdv\ufffdb\ufffd-_\ufffdbou5I\t\u04da %2\ufffd\ufffdy\ufffd*Co\ufffdI\ufffdVe\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd:O\ufffd\ufffdF\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7676 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "7676"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 75.31,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7777 · GAME UNREAL
|
game-unreal
|
Scan de ports
port scan syn · via GAME UNREAL:7777 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
GAME-UNREAL
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7777
Chemin / cible
—
Service
GAME UNREAL
Payload
������������`��̈́;)j�?�+ �;0x�Vӗ�Mΰ���2 g K��c*��k��/�D�����7��(��ڄ���"�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������`��̈́;)j�?�+
�;0x�Vӗ�Mΰ���2
g K��c*��k��/�D�����7��(��ڄ���"�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������`��̈́;)j�?�+ �;0x�Vӗ�Mΰ���2 g K��c*��k��/�D�����7��(��ڄ���"�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� a�Y@�����F꺯Z�� �K�u�;���{�^aq
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a",
"emulator_response_len": 42,
"bytes_in": 239,
"payload_entropy": 5.78248478659715,
"port_category": "registered",
"org": "Google LLC",
"service": "game-unreal",
"app_proto": "game-unreal",
"asn": 396982,
"country": "US",
"dst_port": 7777,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "8d5ae373e75af6868d8ed2e6b390af0856fff91e",
"event_fingerprint": "d1d5eef058c01dc28b25edac05bf96e96a6b749c",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "game-unreal",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "08c75d60a5de9480e08c8d15860e494c",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7777,
"service": "game-unreal",
"service_name": "game-unreal",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e`\u0006\ufffd\u0344;)j\u000e?\u0006+\n\ufffd;0x\ufffdV\u04d7\u0000M\u03b0\ufffd\ufffd\ufffd2\rg K\ufffd\u001ac*\u0003\ufffdk\ufffd\ufffd\/\ufffdD\ufffd\ufffd\ufffd\ufffd\u00057\ufffd\ufffd(\ufffd\ufffd\u0684\ufffd\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e`\u0006\ufffd\u0344;)j\u000e?\u0006+\n\ufffd;0x\ufffdV\u04d7\u0000M\u03b0\ufffd\ufffd\ufffd2\rg K\ufffd\u001ac*\u0003\ufffdk\ufffd\ufffd\/\ufffdD\ufffd\ufffd\ufffd\ufffd\u00057\ufffd\ufffd(\ufffd\ufffd\u0684\ufffd\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 a\ufffdY@\ufffd\ufffd\ufffd\ufffd\ufffdF\uaeafZ\u0003\ufffd\r\ufffdK\ufffdu\ufffd;\ufffd\ufffd\u0017{\ufffd^aq",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e`\u0006\ufffd\u0344;)j\u000e?\u0006+\n\ufffd;0x\ufffdV\u04d7\u0000M\u03b0\ufffd\ufffd\ufffd2\rg K\ufffd\u001ac*\u0003\ufffdk\ufffd\ufffd\/\ufffdD\ufffd\ufffd\ufffd\ufffd\u00057\ufffd\ufffd(\ufffd\ufffd\u0684\ufffd\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6ee6dc87fc7c22cc21f1076872c48b5d29869fa3",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e`\u0006\ufffd\u0344;)j\u000e?\u0006+\n\ufffd;0x\ufffdV\u04d7\u0000M\u03b0\ufffd\ufffd\ufffd2\rg K\ufffd\u001ac*\u0003\ufffdk\ufffd\ufffd\/\ufffdD\ufffd\ufffd\ufffd\ufffd\u00057\ufffd\ufffd(\ufffd\ufffd\u0684\ufffd\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7777,
"service": "game-unreal",
"service_label_fr": "GAME UNREAL"
},
"evidence_snippet": "\ufffd\ufffd`\ufffd\u0344;)j?+\n\ufffd;0x\ufffdV\u04d7M\u03b0\ufffd\ufffd\ufffd2\rg K\ufffdc*\ufffdk\ufffd\ufffd\/\ufffdD\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd(\ufffd\ufffd\u0684\ufffd\ufffd\ufffd\"&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via GAME UNREAL:7777 \u00b7 (reconnaissance)",
"target_port_label": "7777 \u00b7 GAME UNREAL",
"emulator_service": "game-unreal",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via GAME UNREAL \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "game-unreal",
"service_label_fr": "GAME UNREAL",
"dst_port": 7777,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-game-unreal",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u000e`\u0006\ufffd\u0344;)j\u000e?\u0006+\n\ufffd;0x\ufffdV\u04d7\u0000M\u03b0\ufffd\ufffd\ufffd2\rg K\ufffd\u001ac*\u0003\ufffdk\ufffd\ufffd\/\ufffdD\ufffd\ufffd\ufffd\ufffd\u00057\ufffd\ufffd(\ufffd\ufffd\u0684\ufffd\ufffd\ufffd\"\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7777,
"service": "game-unreal",
"service_label_fr": "GAME UNREAL"
},
"attack_vector": "port scan syn \u00b7 via GAME UNREAL:7777 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd`\ufffd\u0344;)j?+\n\ufffd;0x\ufffdV\u04d7M\u03b0\ufffd\ufffd\ufffd2\rg K\ufffdc*\ufffdk\ufffd\ufffd\/\ufffdD\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd(\ufffd\ufffd\u0684\ufffd\ufffd\ufffd\"&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7777 \u00b7 GAME UNREAL",
"emulator_service": "game-unreal",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "game_unreal",
"service_banner": "honeypot-game-unreal",
"service_os": "linux",
"dst_port": "7777"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 75.06,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7860 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:7860 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7860
Chemin / cible
—
Service
TLS
Payload
������������d�N��8i{7��d��(h �]��~���H�;�c� .����z�����C�����B���k&Z�`��V] m�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������d�N��8i{7��d��(h
�]��~���H�;�c� .����z�����C�����B���k&Z�`��V]
m�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������d�N��8i{7��d��(h �]��~���H�;�c� .����z�����C�����B���k&Z�`��V] m�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �zS �AO��������=^ceJ�o`��}. � <�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8165460846710975,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 7860,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c87f8bf62696ece45c8f06e108ac4afe66888afb",
"event_fingerprint": "58ee5204ca4fc17024212fb98f22d09b2fafc082",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "ae3162f6244243f1e300d8d23efa8c1c",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7860,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdd\u000eN\ufffd\u00028i{7\ufffd\u0010d\u0003\ufffd(h\r\ufffd]\ufffd\ufffd~\ufffd\ufffd\ufffdH\ufffd;\ufffdc\ufffd .\u0015\ufffd\ufffd\ufffdz\u0006\u000e\u0002\ufffd\u001cC\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdk&Z\u0015`\u0013\ufffdV]\rm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdd\u000eN\ufffd\u00028i{7\ufffd\u0010d\u0003\ufffd(h\r\ufffd]\ufffd\ufffd~\ufffd\ufffd\ufffdH\ufffd;\ufffdc\ufffd .\u0015\ufffd\ufffd\ufffdz\u0006\u000e\u0002\ufffd\u001cC\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdk&Z\u0015`\u0013\ufffdV]\rm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdzS\f\ufffdAO\ufffd\u0002\u0018\ufffd\u0000\ufffd\u0017\u001b=^ceJ\ufffdo`\ufffd\ufffd}.\t\ufffd\f<\u000f",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdd\u000eN\ufffd\u00028i{7\ufffd\u0010d\u0003\ufffd(h\r\ufffd]\ufffd\ufffd~\ufffd\ufffd\ufffdH\ufffd;\ufffdc\ufffd .\u0015\ufffd\ufffd\ufffdz\u0006\u000e\u0002\ufffd\u001cC\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdk&Z\u0015`\u0013\ufffdV]\rm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3ff08d3bb4cedfff9a57ec7687464c04a03eee87",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdd\u000eN\ufffd\u00028i{7\ufffd\u0010d\u0003\ufffd(h\r\ufffd]\ufffd\ufffd~\ufffd\ufffd\ufffdH\ufffd;\ufffdc\ufffd .\u0015\ufffd\ufffd\ufffdz\u0006\u000e\u0002\ufffd\u001cC\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdk&Z\u0015`\u0013\ufffdV]\rm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7860,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffddN\ufffd8i{7\ufffdd\ufffd(h\r\ufffd]\ufffd\ufffd~\ufffd\ufffd\ufffdH\ufffd;\ufffdc\ufffd .\ufffd\ufffd\ufffdz\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdk&Z`\ufffdV]\rm&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:7860 \u00b7 (reconnaissance)",
"target_port_label": "7860 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 7860,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdd\u000eN\ufffd\u00028i{7\ufffd\u0010d\u0003\ufffd(h\r\ufffd]\ufffd\ufffd~\ufffd\ufffd\ufffdH\ufffd;\ufffdc\ufffd .\u0015\ufffd\ufffd\ufffdz\u0006\u000e\u0002\ufffd\u001cC\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdk&Z\u0015`\u0013\ufffdV]\rm\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7860,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:7860 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffddN\ufffd8i{7\ufffdd\ufffd(h\r\ufffd]\ufffd\ufffd~\ufffd\ufffd\ufffdH\ufffd;\ufffdc\ufffd .\ufffd\ufffd\ufffdz\ufffdC\ufffd\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdk&Z`\ufffdV]\rm&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7860 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "7860"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 74.82,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7878 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:7878 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7878
Chemin / cible
—
Service
TLS
Payload
������������D"����v��ĢpQԅ/�hTl�� ��T����� B{5�u��Njk7����h�.�GԺS-3z�Q��8|�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������D"����v��ĢpQԅ/�hTl�� ��T����� B{5�u��Njk7����h�.�GԺS-3z�Q��8|�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������D"����v��ĢpQԅ/�hTl�� ��T����� B{5�u��Njk7����h�.�GԺS-3z�Q��8|�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ͻ�����o�#��tÎ�F���b�z����s}�[m
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.903006390290413,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 7878,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "eccae9292436496fbba47d1aef899593edfc85ea",
"event_fingerprint": "a898a3ba7f71652c6c7110f56725e2fa0015f36d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "ac6d6ead1ebbf660384a096fe690c857",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7878,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdD\"\ufffd\ufffd\ufffd\ufffdv\ufffd\u0010\u0122pQ\u0505\/\ufffdhTl\ufffd\ufffd\t\u000f\ufffdT\ufffd\ufffd\u001c\u0004\ufffd B{5\bu\ufffd\ufffd\u01cbk7\ufffd\ufffd\ufffd\ufffdh\u0001.\ufffdG\u053aS-3z\ufffdQ\ufffd\ufffd8|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdD\"\ufffd\ufffd\ufffd\ufffdv\ufffd\u0010\u0122pQ\u0505\/\ufffdhTl\ufffd\ufffd\t\u000f\ufffdT\ufffd\ufffd\u001c\u0004\ufffd B{5\bu\ufffd\ufffd\u01cbk7\ufffd\ufffd\ufffd\ufffdh\u0001.\ufffdG\u053aS-3z\ufffdQ\ufffd\ufffd8|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u037b\u0004\u0015\ufffd\ufffd\ufffdo\ufffd#\ufffd\ufffdt\u00ce\ufffdF\u0018\ufffd\ufffdb\ufffdz\ufffd\u0005\ufffd\u0006s}\ufffd[m",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdD\"\ufffd\ufffd\ufffd\ufffdv\ufffd\u0010\u0122pQ\u0505\/\ufffdhTl\ufffd\ufffd\t\u000f\ufffdT\ufffd\ufffd\u001c\u0004\ufffd B{5\bu\ufffd\ufffd\u01cbk7\ufffd\ufffd\ufffd\ufffdh\u0001.\ufffdG\u053aS-3z\ufffdQ\ufffd\ufffd8|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "be44ff2101af073cee85de55e9725c0f148bdbf6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdD\"\ufffd\ufffd\ufffd\ufffdv\ufffd\u0010\u0122pQ\u0505\/\ufffdhTl\ufffd\ufffd\t\u000f\ufffdT\ufffd\ufffd\u001c\u0004\ufffd B{5\bu\ufffd\ufffd\u01cbk7\ufffd\ufffd\ufffd\ufffdh\u0001.\ufffdG\u053aS-3z\ufffdQ\ufffd\ufffd8|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7878,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdD\"\ufffd\ufffd\ufffd\ufffdv\ufffd\u0122pQ\u0505\/\ufffdhTl\ufffd\ufffd\t\ufffdT\ufffd\ufffd\ufffd B{5u\ufffd\ufffd\u01cbk7\ufffd\ufffd\ufffd\ufffdh.\ufffdG\u053aS-3z\ufffdQ\ufffd\ufffd8|&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:7878 \u00b7 (reconnaissance)",
"target_port_label": "7878 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 7878,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdD\"\ufffd\ufffd\ufffd\ufffdv\ufffd\u0010\u0122pQ\u0505\/\ufffdhTl\ufffd\ufffd\t\u000f\ufffdT\ufffd\ufffd\u001c\u0004\ufffd B{5\bu\ufffd\ufffd\u01cbk7\ufffd\ufffd\ufffd\ufffdh\u0001.\ufffdG\u053aS-3z\ufffdQ\ufffd\ufffd8|\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7878,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:7878 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdD\"\ufffd\ufffd\ufffd\ufffdv\ufffd\u0122pQ\u0505\/\ufffdhTl\ufffd\ufffd\t\ufffdT\ufffd\ufffd\ufffd B{5u\ufffd\ufffd\u01cbk7\ufffd\ufffd\ufffd\ufffdh.\ufffdG\u053aS-3z\ufffdQ\ufffd\ufffd8|&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7878 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "7878"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 74.57,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8001 · HTTP ALT 8001
|
http-alt-8001
|
Scan de ports
port scan syn · via HTTP ALT 8001:8001 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8001
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8001
Chemin / cible
—
Service
HTTP ALT 8001
Payload
�����������)d���L��F������H��`����R } TQ��a E�P�����@��7�IH{������-��[��pP3��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������)d���L��F������H��`����R�}�TQ��a E�P�����@��7�IH{������-��[��pP3��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������)d���L��F������H��`����R } TQ��a E�P�����@��7�IH{������-��[��pP3��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���ю:jOcQ�������h=Y��ʟ�����k�9
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.902752790194089,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8001",
"app_proto": "http-alt-8001",
"asn": 396982,
"country": "US",
"dst_port": 8001,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "2ced2d73f5ffb22e797c3a3364b78a0cf96e31b8",
"event_fingerprint": "3b3bb4858e85d368bbc751c5c76b9c0d3d8ef2eb",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8001",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "337b587d56191130b4d30134c9bae40f",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8001,
"service": "http-alt-8001",
"service_name": "http-alt-8001",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)d\ufffd\ufffd\ufffdL\ufffd\ufffdF\ufffd\u0018\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdR\u000b}\fTQ\ufffd\u0007a E\u001cP\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd7\ufffdIH{\u0018\u0015\b\ufffd\ufffd\ufffd-\ufffd\ufffd[\ufffd\u0002pP3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)d\ufffd\ufffd\ufffdL\ufffd\ufffdF\ufffd\u0018\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdR\u000b}\fTQ\ufffd\u0007a E\u001cP\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd7\ufffdIH{\u0018\u0015\b\ufffd\ufffd\ufffd-\ufffd\ufffd[\ufffd\u0002pP3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0012\ufffd\u044e:jOcQ\ufffd\u0019\ufffd\u0003\ufffd\ufffd\ufffdh=Y\ufffd\ufffd\u029f\ufffd\ufffd\u0017\ufffd\ufffdk\ufffd9",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)d\ufffd\ufffd\ufffdL\ufffd\ufffdF\ufffd\u0018\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdR\u000b}\fTQ\ufffd\u0007a E\u001cP\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd7\ufffdIH{\u0018\u0015\b\ufffd\ufffd\ufffd-\ufffd\ufffd[\ufffd\u0002pP3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "722cddbe4eacd38eab7ccf2dff396bdc0b38df5a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)d\ufffd\ufffd\ufffdL\ufffd\ufffdF\ufffd\u0018\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdR\u000b}\fTQ\ufffd\u0007a E\u001cP\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd7\ufffdIH{\u0018\u0015\b\ufffd\ufffd\ufffd-\ufffd\ufffd[\ufffd\u0002pP3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8001,
"service": "http-alt-8001",
"service_label_fr": "HTTP ALT 8001"
},
"evidence_snippet": "\ufffd\ufffd)d\ufffd\ufffd\ufffdL\ufffd\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdR}TQ\ufffda EP\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd7\ufffdIH{\ufffd\ufffd\ufffd-\ufffd\ufffd[\ufffdpP3\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8001:8001 \u00b7 (reconnaissance)",
"target_port_label": "8001 \u00b7 HTTP ALT 8001",
"emulator_service": "http-alt-8001",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8001 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8001",
"service_label_fr": "HTTP ALT 8001",
"dst_port": 8001,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8001",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003)d\ufffd\ufffd\ufffdL\ufffd\ufffdF\ufffd\u0018\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdR\u000b}\fTQ\ufffd\u0007a E\u001cP\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd7\ufffdIH{\u0018\u0015\b\ufffd\ufffd\ufffd-\ufffd\ufffd[\ufffd\u0002pP3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8001,
"service": "http-alt-8001",
"service_label_fr": "HTTP ALT 8001"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8001:8001 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd)d\ufffd\ufffd\ufffdL\ufffd\ufffdF\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffd`\ufffd\ufffd\ufffd\ufffdR}TQ\ufffda EP\ufffd\ufffd\ufffd\ufffd\ufffd@\ufffd\ufffd7\ufffdIH{\ufffd\ufffd\ufffd-\ufffd\ufffd[\ufffdpP3\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8001 \u00b7 HTTP ALT 8001",
"emulator_service": "http-alt-8001",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8001",
"service_banner": "honeypot-http-alt-8001",
"service_os": "linux",
"dst_port": "8001"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 74.11,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8008 · HTTP ALT 8008
|
http-alt-8008
|
Scan de ports
port scan syn · via HTTP ALT 8008:8008 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8008
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8008
Chemin / cible
—
Service
HTTP ALT 8008
Payload
������������k��J˫��L�a��A�k�Č 7#���l�B7Yo �d����k��0����j̙4y��Y��q�!�o�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������k��J˫��L�a��A�k�Č
7#���l�B7Yo �d����k��0����j̙4y��Y��q�!�o�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������k��J˫��L�a��A�k�Č 7#���l�B7Yo �d����k��0����j̙4y��Y��q�!�o�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �媼�֮V���k��uN��wF������*���V5
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.81540864113258,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8008",
"app_proto": "http-alt-8008",
"asn": 396982,
"country": "US",
"dst_port": 8008,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "876c062fd42150eba38be40f1021d2bc584fe7af",
"event_fingerprint": "aefb3820d49ac720432661ac132cded5c14f935b",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8008",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0f54679d96f9ef477890ce78818dff0a",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8008,
"service": "http-alt-8008",
"service_name": "http-alt-8008",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd\ufffdJ\u02eb\ufffd\u0001L\ufffda\ufffd\ufffdA\ufffdk\ufffd\u010c\n7#\ufffd\u0011\u001dl\u001fB7Yo \u001ed\u001f\ufffd\ufffd\u000ek\ufffd\ufffd0\ufffd\u0016\ufffd\ufffdj\u03194y\ufffd\ufffdY\ufffd\ufffdq\ufffd!\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd\ufffdJ\u02eb\ufffd\u0001L\ufffda\ufffd\ufffdA\ufffdk\ufffd\u010c\n7#\ufffd\u0011\u001dl\u001fB7Yo \u001ed\u001f\ufffd\ufffd\u000ek\ufffd\ufffd0\ufffd\u0016\ufffd\ufffdj\u03194y\ufffd\ufffdY\ufffd\ufffdq\ufffd!\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u5abc\b\u05aeV\ufffd\u0017\ufffdk\ufffd\ufffduN\ufffd\ufffdwF\ufffd\u000f\u0007\ufffd\ufffd\ufffd*\ufffd\ufffd\ufffdV5",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd\ufffdJ\u02eb\ufffd\u0001L\ufffda\ufffd\ufffdA\ufffdk\ufffd\u010c\n7#\ufffd\u0011\u001dl\u001fB7Yo \u001ed\u001f\ufffd\ufffd\u000ek\ufffd\ufffd0\ufffd\u0016\ufffd\ufffdj\u03194y\ufffd\ufffdY\ufffd\ufffdq\ufffd!\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b6ec2370f57e4044b8d1677c89eb4415053543d5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd\ufffdJ\u02eb\ufffd\u0001L\ufffda\ufffd\ufffdA\ufffdk\ufffd\u010c\n7#\ufffd\u0011\u001dl\u001fB7Yo \u001ed\u001f\ufffd\ufffd\u000ek\ufffd\ufffd0\ufffd\u0016\ufffd\ufffdj\u03194y\ufffd\ufffdY\ufffd\ufffdq\ufffd!\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8008,
"service": "http-alt-8008",
"service_label_fr": "HTTP ALT 8008"
},
"evidence_snippet": "\ufffd\ufffd\ufffdk\ufffd\ufffdJ\u02eb\ufffdL\ufffda\ufffd\ufffdA\ufffdk\ufffd\u010c\n7#\ufffdlB7Yo d\ufffd\ufffdk\ufffd\ufffd0\ufffd\ufffd\ufffdj\u03194y\ufffd\ufffdY\ufffd\ufffdq\ufffd!\ufffdo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8008:8008 \u00b7 (reconnaissance)",
"target_port_label": "8008 \u00b7 HTTP ALT 8008",
"emulator_service": "http-alt-8008",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8008 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8008",
"service_label_fr": "HTTP ALT 8008",
"dst_port": 8008,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8008",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdk\ufffd\ufffdJ\u02eb\ufffd\u0001L\ufffda\ufffd\ufffdA\ufffdk\ufffd\u010c\n7#\ufffd\u0011\u001dl\u001fB7Yo \u001ed\u001f\ufffd\ufffd\u000ek\ufffd\ufffd0\ufffd\u0016\ufffd\ufffdj\u03194y\ufffd\ufffdY\ufffd\ufffdq\ufffd!\ufffdo\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8008,
"service": "http-alt-8008",
"service_label_fr": "HTTP ALT 8008"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8008:8008 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdk\ufffd\ufffdJ\u02eb\ufffdL\ufffda\ufffd\ufffdA\ufffdk\ufffd\u010c\n7#\ufffdlB7Yo d\ufffd\ufffdk\ufffd\ufffd0\ufffd\ufffd\ufffdj\u03194y\ufffd\ufffdY\ufffd\ufffdq\ufffd!\ufffdo&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8008 \u00b7 HTTP ALT 8008",
"emulator_service": "http-alt-8008",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8008",
"service_banner": "honeypot-http-alt-8008",
"service_os": "linux",
"dst_port": "8008"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 72.99,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8010 · HTTP ALT 8010
|
http-alt-8010
|
Scan de ports
port scan syn · via HTTP ALT 8010:8010 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8010
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8010
Chemin / cible
—
Service
HTTP ALT 8010
Payload
�����������zN�\��� 枔��&�$�����8���g� ,p�/5��2�,nm��m�k���²����z�>�),�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������zN�\���
枔��&�$�����8���g� ,p�/5��2�,nm��m�k���²����z�>�),�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������zN�\��� 枔��&�$�����8���g� ,p�/5��2�,nm��m�k���²����z�>�),�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� *ٚ+�����ޱ�0 ��d�!�"����P���$�y
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.7896145112732444,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8010",
"app_proto": "http-alt-8010",
"asn": 396982,
"country": "US",
"dst_port": 8010,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "7a3c5c421720ed67f1798bb5fb56ea7357359068",
"event_fingerprint": "9a1ae72ea8900f6149e53721f563ccbb31142e23",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8010",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "aefada3941f857198bb54c4c96911560",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8010,
"service": "http-alt-8010",
"service_name": "http-alt-8010",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zN\ufffd\ud9bc\udd87\\\ufffd\ufffd\ufffd\r\u6794\u0012\ufffd&\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd8\u001b\u001b\ufffdg\ufffd ,p\ufffd\/5\ufffd\ufffd2\ufffd,nm\ufffd\ufffdm\ufffdk\ufffd\ufffd\ufffd\u00b2\u0016\ufffd\ufffd\ufffdz\ufffd>\ufffd),\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zN\ufffd\ud9bc\udd87\\\ufffd\ufffd\ufffd\r\u6794\u0012\ufffd&\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd8\u001b\u001b\ufffdg\ufffd ,p\ufffd\/5\ufffd\ufffd2\ufffd,nm\ufffd\ufffdm\ufffdk\ufffd\ufffd\ufffd\u00b2\u0016\ufffd\ufffd\ufffdz\ufffd>\ufffd),\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 *\u065a+\ufffd\ufffd\u0004\ufffd\u001d\u07b1\ufffd0\u000b\ufffd\ufffdd\ufffd!\ufffd\"\ufffd\u001b\ufffd\ufffdP\ufffd\u0001\ufffd$\ufffdy",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zN\ufffd\ud9bc\udd87\\\ufffd\ufffd\ufffd\r\u6794\u0012\ufffd&\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd8\u001b\u001b\ufffdg\ufffd ,p\ufffd\/5\ufffd\ufffd2\ufffd,nm\ufffd\ufffdm\ufffdk\ufffd\ufffd\ufffd\u00b2\u0016\ufffd\ufffd\ufffdz\ufffd>\ufffd),\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "02fd84bb17db9c866e8d83145dc854fc484f915f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zN\ufffd\ud9bc\udd87\\\ufffd\ufffd\ufffd\r\u6794\u0012\ufffd&\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd8\u001b\u001b\ufffdg\ufffd ,p\ufffd\/5\ufffd\ufffd2\ufffd,nm\ufffd\ufffdm\ufffdk\ufffd\ufffd\ufffd\u00b2\u0016\ufffd\ufffd\ufffdz\ufffd>\ufffd),\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8010,
"service": "http-alt-8010",
"service_label_fr": "HTTP ALT 8010"
},
"evidence_snippet": "\ufffd\ufffdzN\ufffd\ud9bc\udd87\\\ufffd\ufffd\ufffd\r\u6794\ufffd&\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffdg\ufffd ,p\ufffd\/5\ufffd\ufffd2\ufffd,nm\ufffd\ufffdm\ufffdk\ufffd\ufffd\ufffd\u00b2\ufffd\ufffd\ufffdz\ufffd>\ufffd),&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8010:8010 \u00b7 (reconnaissance)",
"target_port_label": "8010 \u00b7 HTTP ALT 8010",
"emulator_service": "http-alt-8010",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8010 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8010",
"service_label_fr": "HTTP ALT 8010",
"dst_port": 8010,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8010",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zN\ufffd\ud9bc\udd87\\\ufffd\ufffd\ufffd\r\u6794\u0012\ufffd&\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd8\u001b\u001b\ufffdg\ufffd ,p\ufffd\/5\ufffd\ufffd2\ufffd,nm\ufffd\ufffdm\ufffdk\ufffd\ufffd\ufffd\u00b2\u0016\ufffd\ufffd\ufffdz\ufffd>\ufffd),\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8010,
"service": "http-alt-8010",
"service_label_fr": "HTTP ALT 8010"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8010:8010 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdzN\ufffd\ud9bc\udd87\\\ufffd\ufffd\ufffd\r\u6794\ufffd&\ufffd$\ufffd\ufffd\ufffd\ufffd\ufffd8\ufffdg\ufffd ,p\ufffd\/5\ufffd\ufffd2\ufffd,nm\ufffd\ufffdm\ufffdk\ufffd\ufffd\ufffd\u00b2\ufffd\ufffd\ufffdz\ufffd>\ufffd),&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8010 \u00b7 HTTP ALT 8010",
"emulator_service": "http-alt-8010",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8010",
"service_banner": "honeypot-http-alt-8010",
"service_os": "linux",
"dst_port": "8010"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 72.71,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8020 · HDFS NAMENODE
|
hdfs-namenode
|
Scan de ports
port scan syn · via HDFS NAMENODE:8020 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HDFS-NAMENODE
WAF
—
Recommandation
Surveiller
Tags
hdfs_namenode_emulated
hdfs_namenode_payload
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8020
Chemin / cible
—
Service
HDFS NAMENODE
Payload
�����������s ���r�q�Ȑ�@!�#����D�,�Q#����@� )ʁy�#K�Ts鹚K�L� O@���i��2ND>^T�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������s
���r�q�Ȑ�@!�#����D�,�Q#����@� )ʁy�#K�Ts鹚K�L��O@���i��2ND>^T�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������s ���r�q�Ȑ�@!�#����D�,�Q#����@� )ʁy�#K�Ts鹚K�L� O@���i��2ND>^T�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� =���v���/�f��U��MK������5�M�v�U
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2037330d0a0d0a7b2270726f746f636f6c223a226f72672e6170616368652e6861646f6f702e686466732e70726f746f636f6c2e436c69656e7450726f746f63",
"emulator_response_len": 144,
"bytes_in": 239,
"payload_entropy": 5.842142115254587,
"port_category": "registered",
"org": "Google LLC",
"service": "hdfs-namenode",
"app_proto": "hdfs-namenode",
"asn": 396982,
"country": "US",
"dst_port": 8020,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "f3346b7371a1d5dc6588a3579e5bdadd9ec7851b",
"event_fingerprint": "004499a144c92e4455aac1722fd9719117630099",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "hdfs-namenode",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7c689b8e5d25eba0909341b281719525",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8020,
"service": "hdfs-namenode",
"service_name": "hdfs-namenode",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s\r\ufffd\ufffd\ufffdr\ufffdq\ufffd\u0210\ufffd@!\u0004#\ufffd\ufffd\ufffd\ufffdD\ufffd,\u000eQ#\ufffd\u0012\u000f\u001c@\ufffd )\u0281y\ufffd#K\ufffdTs\u9e5aK\ufffdL\ufffd\fO@\u0004\ufffd\ufffdi\ufffd\ufffd2ND>^T\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s\r\ufffd\ufffd\ufffdr\ufffdq\ufffd\u0210\ufffd@!\u0004#\ufffd\ufffd\ufffd\ufffdD\ufffd,\u000eQ#\ufffd\u0012\u000f\u001c@\ufffd )\u0281y\ufffd#K\ufffdTs\u9e5aK\ufffdL\ufffd\fO@\u0004\ufffd\ufffdi\ufffd\ufffd2ND>^T\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 =\ufffd\ufffd\ufffdv\ufffd\u000f\ufffd\/\ufffdf\ufffd\ufffdU\ufffd\bMK\ufffd\ufffd\ufffd\ufffd\u000f\ufffd5\ufffdM\ufffdv\ufffdU",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s\r\ufffd\ufffd\ufffdr\ufffdq\ufffd\u0210\ufffd@!\u0004#\ufffd\ufffd\ufffd\ufffdD\ufffd,\u000eQ#\ufffd\u0012\u000f\u001c@\ufffd )\u0281y\ufffd#K\ufffdTs\u9e5aK\ufffdL\ufffd\fO@\u0004\ufffd\ufffdi\ufffd\ufffd2ND>^T\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c54da3b1f5c53164966f5d09eebe44fb32726e71",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s\r\ufffd\ufffd\ufffdr\ufffdq\ufffd\u0210\ufffd@!\u0004#\ufffd\ufffd\ufffd\ufffdD\ufffd,\u000eQ#\ufffd\u0012\u000f\u001c@\ufffd )\u0281y\ufffd#K\ufffdTs\u9e5aK\ufffdL\ufffd\fO@\u0004\ufffd\ufffdi\ufffd\ufffd2ND>^T\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8020,
"service": "hdfs-namenode",
"service_label_fr": "HDFS NAMENODE"
},
"evidence_snippet": "\ufffd\ufffds\r\ufffd\ufffd\ufffdr\ufffdq\ufffd\u0210\ufffd@!#\ufffd\ufffd\ufffd\ufffdD\ufffd,Q#\ufffd@\ufffd )\u0281y\ufffd#K\ufffdTs\u9e5aK\ufffdL\ufffdO@\ufffd\ufffdi\ufffd\ufffd2ND>^T&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HDFS NAMENODE:8020 \u00b7 (reconnaissance)",
"target_port_label": "8020 \u00b7 HDFS NAMENODE",
"emulator_service": "hdfs-namenode",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HDFS NAMENODE \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "hdfs-namenode",
"service_label_fr": "HDFS NAMENODE",
"dst_port": 8020,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-hdfs-namenode",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s\r\ufffd\ufffd\ufffdr\ufffdq\ufffd\u0210\ufffd@!\u0004#\ufffd\ufffd\ufffd\ufffdD\ufffd,\u000eQ#\ufffd\u0012\u000f\u001c@\ufffd )\u0281y\ufffd#K\ufffdTs\u9e5aK\ufffdL\ufffd\fO@\u0004\ufffd\ufffdi\ufffd\ufffd2ND>^T\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8020,
"service": "hdfs-namenode",
"service_label_fr": "HDFS NAMENODE"
},
"attack_vector": "port scan syn \u00b7 via HDFS NAMENODE:8020 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffds\r\ufffd\ufffd\ufffdr\ufffdq\ufffd\u0210\ufffd@!#\ufffd\ufffd\ufffd\ufffdD\ufffd,Q#\ufffd@\ufffd )\u0281y\ufffd#K\ufffdTs\u9e5aK\ufffdL\ufffdO@\ufffd\ufffdi\ufffd\ufffd2ND>^T&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8020 \u00b7 HDFS NAMENODE",
"emulator_service": "hdfs-namenode",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "hdfs_namenode",
"service_banner": "honeypot-hdfs-namenode",
"service_os": "linux",
"dst_port": "8020"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 72.5,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"hdfs_namenode_emulated",
"hdfs_namenode_payload",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8040 · HTTP ALT 8040
|
http-alt-8040
|
Scan de ports
port scan syn · via HTTP ALT 8040:8040 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8040
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8040
Chemin / cible
—
Service
HTTP ALT 8040
Payload
����������� x�O�p��n��x� ���V���;N#� ǝ�{�� �P ��p&��*ݥ��A7�1α�����M��Z���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������
x�O�p��n��x� ���V���;N#�
ǝ�{�� �P
��p&��*ݥ��A7�1α�����M��Z���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������� x�O�p��n��x� ���V���;N#� ǝ�{�� �P ��p&��*ݥ��A7�1α�����M��Z���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� *����vd��W����S�b�nt��;Eޥ�b����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.8076161760452045,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8040",
"app_proto": "http-alt-8040",
"asn": 396982,
"country": "US",
"dst_port": 8040,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "1de49a071c78be6d23edbb962fa324cff565a708",
"event_fingerprint": "01156ce910e3419ecde5bd0a51aa1a488d31e516",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8040",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "9b8ec9297777858de14ff29ceeb26967",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8040,
"service": "http-alt-8040",
"service_name": "http-alt-8040",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nx\u0017O\ufffdp\ufffd\ufffdn\ufffd\u0011x\ufffd\t\ufffd\ufffd\u0007V\ufffd\ufffd\ufffd;N#\ufffd\n\u01dd\ufffd{\ufffd\ufffd \ufffdP\r\ufffd\ufffdp&\u000e\ufffd*\u0765\u0005\ufffdA7\ufffd1\u03b1\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffdZ\ufffd\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nx\u0017O\ufffdp\ufffd\ufffdn\ufffd\u0011x\ufffd\t\ufffd\ufffd\u0007V\ufffd\ufffd\ufffd;N#\ufffd\n\u01dd\ufffd{\ufffd\ufffd \ufffdP\r\ufffd\ufffdp&\u000e\ufffd*\u0765\u0005\ufffdA7\ufffd1\u03b1\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffdZ\ufffd\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 *\ufffd\ufffd\u000f\ufffdvd\ufffd\ufffdW\ufffd\ufffd\ufffd\ufffdS\ufffdb\ufffdnt\ufffd\ufffd;E\u07a5\ufffdb\u0001\ufffd\ufffd\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nx\u0017O\ufffdp\ufffd\ufffdn\ufffd\u0011x\ufffd\t\ufffd\ufffd\u0007V\ufffd\ufffd\ufffd;N#\ufffd\n\u01dd\ufffd{\ufffd\ufffd \ufffdP\r\ufffd\ufffdp&\u000e\ufffd*\u0765\u0005\ufffdA7\ufffd1\u03b1\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffdZ\ufffd\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "529fce1f70b3bcebef92d4be8be3993bcbaa79a0",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nx\u0017O\ufffdp\ufffd\ufffdn\ufffd\u0011x\ufffd\t\ufffd\ufffd\u0007V\ufffd\ufffd\ufffd;N#\ufffd\n\u01dd\ufffd{\ufffd\ufffd \ufffdP\r\ufffd\ufffdp&\u000e\ufffd*\u0765\u0005\ufffdA7\ufffd1\u03b1\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffdZ\ufffd\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"evidence_snippet": "\ufffd\ufffd\nxO\ufffdp\ufffd\ufffdn\ufffdx\ufffd\t\ufffd\ufffdV\ufffd\ufffd\ufffd;N#\ufffd\n\u01dd\ufffd{\ufffd\ufffd \ufffdP\r\ufffd\ufffdp&\ufffd*\u0765\ufffdA7\ufffd1\u03b1\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffdZ\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8040:8040 \u00b7 (reconnaissance)",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8040 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040",
"dst_port": 8040,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8040",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\nx\u0017O\ufffdp\ufffd\ufffdn\ufffd\u0011x\ufffd\t\ufffd\ufffd\u0007V\ufffd\ufffd\ufffd;N#\ufffd\n\u01dd\ufffd{\ufffd\ufffd \ufffdP\r\ufffd\ufffdp&\u000e\ufffd*\u0765\u0005\ufffdA7\ufffd1\u03b1\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffdZ\ufffd\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8040,
"service": "http-alt-8040",
"service_label_fr": "HTTP ALT 8040"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8040:8040 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\nxO\ufffdp\ufffd\ufffdn\ufffdx\ufffd\t\ufffd\ufffdV\ufffd\ufffd\ufffd;N#\ufffd\n\u01dd\ufffd{\ufffd\ufffd \ufffdP\r\ufffd\ufffdp&\ufffd*\u0765\ufffdA7\ufffd1\u03b1\ufffd\ufffd\ufffd\ufffd\ufffdM\ufffd\ufffdZ\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8040 \u00b7 HTTP ALT 8040",
"emulator_service": "http-alt-8040",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8040",
"service_banner": "honeypot-http-alt-8040",
"service_os": "linux",
"dst_port": "8040"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 72.25,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8030 · HTTP ALT 8030
|
http-alt-8030
|
Scan de ports
port scan syn · via HTTP ALT 8030:8030 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8030
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8030
Chemin / cible
—
Service
HTTP ALT 8030
Payload
������������:C���䶰���>�����J!���ז���|�V� 8�q7�:kR������v_�n�4�ԋM�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������:C���䶰���>�����J!���ז���|�V� 8�q7�:kR������v_�n�4�ԋM�������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������:C���䶰���>�����J!���ז���|�V� 8�q7�:kR������v_�n�4�ԋM�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���j\�}觰j� ���"^�f��7�a����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.880435659622181,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8030",
"app_proto": "http-alt-8030",
"asn": 396982,
"country": "US",
"dst_port": 8030,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 0.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "4313f5633c48c05dcec3b1277b705f5bcbaa617e",
"event_fingerprint": "9bcf4b7227707450ea596d8b983f648dcf3cfe1c",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8030",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ba4a143279b2c04a1da06ef8b0a6bf2e",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8030,
"service": "http-alt-8030",
"service_name": "http-alt-8030",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd:C\ufffd\ufffd\ufffd\u4db0\ufffd\ufffd\ufffd>\u0004\ufffd\u0013\ufffd\ufffdJ!\u0019\ufffd\ufffd\u05d6\ufffd\ufffd\ufffd|\ufffdV\ufffd 8\ufffdq7\ufffd:kR\ufffd\ufffd\ufffd\ufffd\u0018\ufffdv_\ufffd\u07fcn\ufffd4\ufffd\u050bM\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd:C\ufffd\ufffd\ufffd\u4db0\ufffd\ufffd\ufffd>\u0004\ufffd\u0013\ufffd\ufffdJ!\u0019\ufffd\ufffd\u05d6\ufffd\ufffd\ufffd|\ufffdV\ufffd 8\ufffdq7\ufffd:kR\ufffd\ufffd\ufffd\ufffd\u0018\ufffdv_\ufffd\u07fcn\ufffd4\ufffd\u050bM\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdj\\\u0006}\u89f0j\ufffd\r\ufffd\ufffd\ufffd\"^\ufffdf\ufffd\ufffd7\ufffda\u070e\ufffd\ufffd\ufffd\u0006",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd:C\ufffd\ufffd\ufffd\u4db0\ufffd\ufffd\ufffd>\u0004\ufffd\u0013\ufffd\ufffdJ!\u0019\ufffd\ufffd\u05d6\ufffd\ufffd\ufffd|\ufffdV\ufffd 8\ufffdq7\ufffd:kR\ufffd\ufffd\ufffd\ufffd\u0018\ufffdv_\ufffd\u07fcn\ufffd4\ufffd\u050bM\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ec5767b5cfb40ff5792fd347aa7808d20a761796",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd:C\ufffd\ufffd\ufffd\u4db0\ufffd\ufffd\ufffd>\u0004\ufffd\u0013\ufffd\ufffdJ!\u0019\ufffd\ufffd\u05d6\ufffd\ufffd\ufffd|\ufffdV\ufffd 8\ufffdq7\ufffd:kR\ufffd\ufffd\ufffd\ufffd\u0018\ufffdv_\ufffd\u07fcn\ufffd4\ufffd\u050bM\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8030,
"service": "http-alt-8030",
"service_label_fr": "HTTP ALT 8030"
},
"evidence_snippet": "\ufffd\ufffd\ufffd:C\ufffd\ufffd\ufffd\u4db0\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffdJ!\ufffd\ufffd\u05d6\ufffd\ufffd\ufffd|\ufffdV\ufffd 8\ufffdq7\ufffd:kR\ufffd\ufffd\ufffd\ufffd\ufffdv_\ufffd\u07fcn\ufffd4\ufffd\u050bM\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8030:8030 \u00b7 (reconnaissance)",
"target_port_label": "8030 \u00b7 HTTP ALT 8030",
"emulator_service": "http-alt-8030",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8030 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8030",
"service_label_fr": "HTTP ALT 8030",
"dst_port": 8030,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8030",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd:C\ufffd\ufffd\ufffd\u4db0\ufffd\ufffd\ufffd>\u0004\ufffd\u0013\ufffd\ufffdJ!\u0019\ufffd\ufffd\u05d6\ufffd\ufffd\ufffd|\ufffdV\ufffd 8\ufffdq7\ufffd:kR\ufffd\ufffd\ufffd\ufffd\u0018\ufffdv_\ufffd\u07fcn\ufffd4\ufffd\u050bM\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8030,
"service": "http-alt-8030",
"service_label_fr": "HTTP ALT 8030"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8030:8030 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd:C\ufffd\ufffd\ufffd\u4db0\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffdJ!\ufffd\ufffd\u05d6\ufffd\ufffd\ufffd|\ufffdV\ufffd 8\ufffdq7\ufffd:kR\ufffd\ufffd\ufffd\ufffd\ufffdv_\ufffd\u07fcn\ufffd4\ufffd\u050bM\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8030 \u00b7 HTTP ALT 8030",
"emulator_service": "http-alt-8030",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8030",
"service_banner": "honeypot-http-alt-8030",
"service_os": "linux",
"dst_port": "8030"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 72.04,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8050 · HTTP ALT 8050
|
http-alt-8050
|
Scan de ports
port scan syn · via HTTP ALT 8050:8050 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8050
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8050
Chemin / cible
—
Service
HTTP ALT 8050
Payload
����������������~�%���$�����K�j��d�S�_]�I" ?Σ� ��b�?���� �Olq��c���u��?Ji�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����������������~�%���$�����K�j��d�S�_]�I" ?Σ� ��b�?���� �Olq��c���u��?Ji�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������������~�%���$�����K�j��d�S�_]�I" ?Σ� ��b�?���� �Olq��c���u��?Ji�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �׀���na�@�뜳rS��ʸ�@�W��.�6'
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.8635241785344565,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8050",
"app_proto": "http-alt-8050",
"asn": 396982,
"country": "US",
"dst_port": 8050,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "cdd9a7ae4fc66a1db7f78b92b498fb7762ca4a90",
"event_fingerprint": "b11541a79f76c2786358c8a78a6582ed24464546",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8050",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "66b6c5749dbb2d36e186bd07a1752aa5",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8050,
"service": "http-alt-8050",
"service_name": "http-alt-8050",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd~\ufffd%\ufffd\u001c\ufffd$\ufffd\ufffd\u0012\u0017\ufffdK\ufffdj\b\u0014d\ufffdS\u001f_]\ufffdI\" ?\u03a3\ufffd \ufffd\ufffdb\ufffd?\ufffd\ufffd\ufffd\u0018 \ufffdOlq\ufffd\ufffdc\ufffd\ufffd\ufffdu\ufffd\ufffd?Ji\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd~\ufffd%\ufffd\u001c\ufffd$\ufffd\ufffd\u0012\u0017\ufffdK\ufffdj\b\u0014d\ufffdS\u001f_]\ufffdI\" ?\u03a3\ufffd \ufffd\ufffdb\ufffd?\ufffd\ufffd\ufffd\u0018 \ufffdOlq\ufffd\ufffdc\ufffd\ufffd\ufffdu\ufffd\ufffd?Ji\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0013\u05c0\u001b\b\ufffdna\ufffd@\ufffd\ub733\uff52S\ufffd\ufffd\u02b8\ufffd@\u0014W\ufffd\ufffd.\ufffd6'",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd~\ufffd%\ufffd\u001c\ufffd$\ufffd\ufffd\u0012\u0017\ufffdK\ufffdj\b\u0014d\ufffdS\u001f_]\ufffdI\" ?\u03a3\ufffd \ufffd\ufffdb\ufffd?\ufffd\ufffd\ufffd\u0018 \ufffdOlq\ufffd\ufffdc\ufffd\ufffd\ufffdu\ufffd\ufffd?Ji\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "aef8d4d259a96aeab936f8580ca52df9d492b447",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd~\ufffd%\ufffd\u001c\ufffd$\ufffd\ufffd\u0012\u0017\ufffdK\ufffdj\b\u0014d\ufffdS\u001f_]\ufffdI\" ?\u03a3\ufffd \ufffd\ufffdb\ufffd?\ufffd\ufffd\ufffd\u0018 \ufffdOlq\ufffd\ufffdc\ufffd\ufffd\ufffdu\ufffd\ufffd?Ji\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8050,
"service": "http-alt-8050",
"service_label_fr": "HTTP ALT 8050"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd%\ufffd\ufffd$\ufffd\ufffd\ufffdK\ufffdjd\ufffdS_]\ufffdI\" ?\u03a3\ufffd \ufffd\ufffdb\ufffd?\ufffd\ufffd\ufffd \ufffdOlq\ufffd\ufffdc\ufffd\ufffd\ufffdu\ufffd\ufffd?Ji&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8050:8050 \u00b7 (reconnaissance)",
"target_port_label": "8050 \u00b7 HTTP ALT 8050",
"emulator_service": "http-alt-8050",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8050 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8050",
"service_label_fr": "HTTP ALT 8050",
"dst_port": 8050,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8050",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0019\ufffd\ufffd~\ufffd%\ufffd\u001c\ufffd$\ufffd\ufffd\u0012\u0017\ufffdK\ufffdj\b\u0014d\ufffdS\u001f_]\ufffdI\" ?\u03a3\ufffd \ufffd\ufffdb\ufffd?\ufffd\ufffd\ufffd\u0018 \ufffdOlq\ufffd\ufffdc\ufffd\ufffd\ufffdu\ufffd\ufffd?Ji\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8050,
"service": "http-alt-8050",
"service_label_fr": "HTTP ALT 8050"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8050:8050 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd~\ufffd%\ufffd\ufffd$\ufffd\ufffd\ufffdK\ufffdjd\ufffdS_]\ufffdI\" ?\u03a3\ufffd \ufffd\ufffdb\ufffd?\ufffd\ufffd\ufffd \ufffdOlq\ufffd\ufffdc\ufffd\ufffd\ufffdu\ufffd\ufffd?Ji&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8050 \u00b7 HTTP ALT 8050",
"emulator_service": "http-alt-8050",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8050",
"service_banner": "honeypot-http-alt-8050",
"service_os": "linux",
"dst_port": "8050"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 71.73,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8060 · HTTP ALT 8060
|
http-alt-8060
|
Scan de ports
port scan syn · via HTTP ALT 8060:8060 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8060
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8060
Chemin / cible
—
Service
HTTP ALT 8060
Payload
�����������4�v͛��H��媬��:�>���W�㪕o���x ���z.<��Ǣ��ө�qw�O��f��v;9��J���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������4�v͛��H��媬��:�>���W�㪕o���x ���z.<��Ǣ��ө�qw�O��f��v;9��J���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������4�v͛��H��媬��:�>���W�㪕o���x ���z.<��Ǣ��ө�qw�O��f��v;9��J���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ɮ��?����EY���M��#o�.`���?�����
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.831680401670782,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8060",
"app_proto": "http-alt-8060",
"asn": 396982,
"country": "US",
"dst_port": 8060,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 0.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "aab47e9e3d9a35c3e51800c2d6b6d1564b864959",
"event_fingerprint": "3819dbd6011054f1d578fda3ac96df5957470b8c",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8060",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "49afc11aae014c7c19476c1ef6567ee1",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8060,
"service": "http-alt-8060",
"service_name": "http-alt-8060",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00034\ufffdv\u035b\ufffd\ufffdH\ufffd\u001b\u5aac\u0003\u0007:\ufffd>\ufffd\ufffd\u0017W\u0010\u3a95o\ufffd\ufffd\ufffdx \ufffd\u0004\u000ez.<\ufffd\ufffd\u01e2\u0006\ufffd\u04e9\ufffdqw\ufffdO\ufffd\ufffdf\ufffd\ufffdv;9\u0010\ufffdJ\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00034\ufffdv\u035b\ufffd\ufffdH\ufffd\u001b\u5aac\u0003\u0007:\ufffd>\ufffd\ufffd\u0017W\u0010\u3a95o\ufffd\ufffd\ufffdx \ufffd\u0004\u000ez.<\ufffd\ufffd\u01e2\u0006\ufffd\u04e9\ufffdqw\ufffdO\ufffd\ufffdf\ufffd\ufffdv;9\u0010\ufffdJ\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u026e\ufffd\ufffd?\ufffd\ufffd\u0010\ufffdEY\b\ufffd\ufffdM\ufffd\ufffd#o\u001d.`\ufffd\ufffd\ufffd?\ufffd\ufffd\ufffd\ufffd\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00034\ufffdv\u035b\ufffd\ufffdH\ufffd\u001b\u5aac\u0003\u0007:\ufffd>\ufffd\ufffd\u0017W\u0010\u3a95o\ufffd\ufffd\ufffdx \ufffd\u0004\u000ez.<\ufffd\ufffd\u01e2\u0006\ufffd\u04e9\ufffdqw\ufffdO\ufffd\ufffdf\ufffd\ufffdv;9\u0010\ufffdJ\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5ff1d746aa495ee2353eee63388c4b21c84d5da7",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00034\ufffdv\u035b\ufffd\ufffdH\ufffd\u001b\u5aac\u0003\u0007:\ufffd>\ufffd\ufffd\u0017W\u0010\u3a95o\ufffd\ufffd\ufffdx \ufffd\u0004\u000ez.<\ufffd\ufffd\u01e2\u0006\ufffd\u04e9\ufffdqw\ufffdO\ufffd\ufffdf\ufffd\ufffdv;9\u0010\ufffdJ\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8060,
"service": "http-alt-8060",
"service_label_fr": "HTTP ALT 8060"
},
"evidence_snippet": "\ufffd\ufffd4\ufffdv\u035b\ufffd\ufffdH\ufffd\u5aac:\ufffd>\ufffd\ufffdW\u3a95o\ufffd\ufffd\ufffdx \ufffdz.<\ufffd\ufffd\u01e2\ufffd\u04e9\ufffdqw\ufffdO\ufffd\ufffdf\ufffd\ufffdv;9\ufffdJ\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8060:8060 \u00b7 (reconnaissance)",
"target_port_label": "8060 \u00b7 HTTP ALT 8060",
"emulator_service": "http-alt-8060",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8060 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8060",
"service_label_fr": "HTTP ALT 8060",
"dst_port": 8060,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8060",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00034\ufffdv\u035b\ufffd\ufffdH\ufffd\u001b\u5aac\u0003\u0007:\ufffd>\ufffd\ufffd\u0017W\u0010\u3a95o\ufffd\ufffd\ufffdx \ufffd\u0004\u000ez.<\ufffd\ufffd\u01e2\u0006\ufffd\u04e9\ufffdqw\ufffdO\ufffd\ufffdf\ufffd\ufffdv;9\u0010\ufffdJ\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8060,
"service": "http-alt-8060",
"service_label_fr": "HTTP ALT 8060"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8060:8060 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd4\ufffdv\u035b\ufffd\ufffdH\ufffd\u5aac:\ufffd>\ufffd\ufffdW\u3a95o\ufffd\ufffd\ufffdx \ufffdz.<\ufffd\ufffd\u01e2\ufffd\u04e9\ufffdqw\ufffdO\ufffd\ufffdf\ufffd\ufffdv;9\ufffdJ\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8060 \u00b7 HTTP ALT 8060",
"emulator_service": "http-alt-8060",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8060",
"service_banner": "honeypot-http-alt-8060",
"service_os": "linux",
"dst_port": "8060"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 70.98,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8080 · HTTP
|
http
|
Scan de ports
port scan syn · via HTTP:8080 · (reconnaissance) · → T(]jG:r`�T1
|
Élevée
|
Moyen · 44
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
���������s�ۿCG�m T(]jG:r`�T1 JA3 19e29534fd49dd27
Émulateur
HTTP
WAF
7
Recommandation
Surveiller
Tags
950324:rce-0
http_no_ua
net_flood
Cible HTTP
���������s�ۿCG�m
T(]jG:r`�T1
TLS SNI
—
Capteur
paris-1
|
Méthode
���������s�ۿCG�m
Port
8080
Chemin / cible
T(]jG:r`�T1
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 44
Confiance : Confiance 100 % — 1 tag(s) WAF
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
Ligne de requête
���������S�ۿCG�M T(]jG:r`�T1 HTTP/1.1
User-Agent
—
Règles WAF
rce-0
Payload (extrait)
��������������s�ۿ�C�G��m� T�(�]jG:r`���T�1 ��7 �d�xc��<�@�������Ԥ%�g�!��*�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������s�ۿ�C�G��m� T�(�]jG:r`���T�1 ��7 �d�xc��<�@�������Ԥ%�g !��*�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� _��PyQY��-7��q�����qm����a��3�4
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 81,
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 1,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "bce73dcf51d1bc6f7ac051e3d6fc0df4d5373832",
"http_referer_hash": null,
"http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003s\u0018\u06ffCG\u0001m",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 239,
"payload_entropy": 5.816442434718962,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 8080,
"risk_waf": 36,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 36,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 44,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "df2c31b39872544fb3da29be430d03bda99c18cc",
"event_fingerprint": "75f3be758a0ee277ce3fbe125e397ab1810b5494",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 36,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "093e4604762db69111e25e14c522c4f3",
"path_pattern_hash": "9e6f166577c471fb8815f153bf13d950",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8080,
"service": "http",
"service_name": "http",
"risk_score": 44
},
"method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003s\u0018\u06ffCG\u0001m",
"path": "T(]jG:r`\u000fT1",
"waf_tags": [
"950324:rce-0"
],
"waf_rule_names": [
"rce-0"
],
"request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003S\u0018\u06ffCG\u0001M T(]jG:r`\u000fT1 HTTP\/1.1",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffds\u0018\u06ff\ufffdC\ufffdG\ufffd\u0001m\ufffd T\ufffd(\ufffd]jG:r`\ufffd\u000f\ufffdT\ufffd1 \u0003\ufffd7 \ufffdd\ufffdxc\u001d\ufffd<\ufffd@\u0016\ufffd\u001f\u001b\u0013\ufffd\ufffd\u0524%\bg\f!\ufffd\u001e*\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003s\u0018\u06ffCG\u0001m",
"path": "T(]jG:r`\u000fT1",
"waf_tags": [
"950324:rce-0"
],
"waf_rule_names": [
"rce-0"
],
"request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003S\u0018\u06ffCG\u0001M T(]jG:r`\u000fT1 HTTP\/1.1",
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffds\u0018\u06ff\ufffdC\ufffdG\ufffd\u0001m\ufffd T\ufffd(\ufffd]jG:r`\ufffd\u000f\ufffdT\ufffd1 \u0003\ufffd7 \ufffdd\ufffdxc\u001d\ufffd<\ufffd@\u0016\ufffd\u001f\u001b\u0013\ufffd\ufffd\u0524%\bg\f!\ufffd\u001e*\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 _\ufffd\u0000PyQY\ufffd\ufffd-7\ufffd\ufffdq\u0006\ufffd\ufffd\u001a\ufffdqm\ufffd\u0019\ufffd\ufffda\u000e\ufffd3\ufffd4",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffds\u0018\u06ff\ufffdC\ufffdG\ufffd\u0001m\ufffd T\ufffd(\ufffd]jG:r`\ufffd\u000f\ufffdT\ufffd1 \u0003\ufffd7 \ufffdd\ufffdxc\u001d\ufffd<\ufffd@\u0016\ufffd\u001f\u001b\u0013\ufffd\ufffd\u0524%\bg\f!\ufffd\u001e*\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ab44b593262493c2d0489885d48abcc908d57c2a",
"protocol_details": {
"http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003s\u0018\u06ffCG\u0001m",
"http_path": "T(]jG:r`\u000fT1",
"request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003S\u0018\u06ffCG\u0001M T(]jG:r`\u000fT1 HTTP\/1.1",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffds\u06ff\ufffdC\ufffdG\ufffdm\ufffd T\ufffd(\ufffd]jG:r`\ufffd\ufffdT\ufffd1 \ufffd7 \ufffdd\ufffdxc\ufffd<\ufffd@\ufffd\ufffd\ufffd\u0524%g!\ufffd*&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 T(]jG:r`\u000fT1",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 36,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 44,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 8080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"http_method": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003s\u0018\u06ffCG\u0001m",
"http_path": "T(]jG:r`\u000fT1",
"request_line": "\u0016\u0003\u0001\u0000\u0001\u0000\u0000\u0003\u0003S\u0018\u06ffCG\u0001M T(]jG:r`\u000fT1 HTTP\/1.1",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8080,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port scan syn \u00b7 via HTTP:8080 \u00b7 (reconnaissance) \u00b7 \u2192 T(]jG:r`\u000fT1",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffds\u06ff\ufffdC\ufffdG\ufffdm\ufffd T\ufffd(\ufffd]jG:r`\ufffd\ufffdT\ufffd1 \ufffd7 \ufffdd\ufffdxc\ufffd<\ufffd@\ufffd\ufffd\ufffd\u0524%g!\ufffd*&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8080 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 1 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 36 \u00b7 Bonus corr\u00e9lation +23 \u00b7 1 tag(s) WAF",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "8080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 69.44,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"950324:rce-0",
"http_no_ua",
"net_flood"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8081 · HTTP ALT 8081
|
http-alt-8081
|
Scan de ports
port scan syn · via HTTP ALT 8081:8081 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8081
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8081
Chemin / cible
—
Service
HTTP ALT 8081
Payload
������������y��v �)d�� ����>��l�"���2������ �� X �U����"�y5)g��� �~�$���1���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������y��v��)d�������>��l�"���2������ ��
X��U����"�y5)g���
�~�$���1���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������y��v �)d�� ����>��l�"���2������ �� X �U����"�y5)g��� �~�$���1���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �!����q��n�וݻ�iMz�X�p��F�[�O�>
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.851912150033721,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8081",
"app_proto": "http-alt-8081",
"asn": 396982,
"country": "US",
"dst_port": 8081,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "adc18765dea9c033662210f3040e4e075e5b4f7c",
"event_fingerprint": "299e4481712667d3cd006e5867e01c563a8c7863",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8081",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "748486c27d030a853fe59aa77915bf4a",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8081,
"service": "http-alt-8081",
"service_name": "http-alt-8081",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdy\u0017\ufffdv\f\ufffd)d\ufffd\u001d\u000b\ufffd\ufffd\ufffd\ufffd>\ufffd\u001el\ufffd\"\ufffd\u0002\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\u0012 \ufffd\ufffd\nX\u000b\u0014U\u0010\ufffd\ufffd\u001c\"\ufffdy5)g\u0010\ufffd\ufffd\r\ufffd~\ufffd$\u001c\ufffd\ufffd1\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdy\u0017\ufffdv\f\ufffd)d\ufffd\u001d\u000b\ufffd\ufffd\ufffd\ufffd>\ufffd\u001el\ufffd\"\ufffd\u0002\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\u0012 \ufffd\ufffd\nX\u000b\u0014U\u0010\ufffd\ufffd\u001c\"\ufffdy5)g\u0010\ufffd\ufffd\r\ufffd~\ufffd$\u001c\ufffd\ufffd1\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0004!\ufffd\ufffd\ufffd\u0000q\ufffd\ufffdn\ufffd\u05d5\u077b\ufffdiMz\u0002X\ufffdp\ufffd\ufffdF\ufffd[\ufffdO\ufffd>",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdy\u0017\ufffdv\f\ufffd)d\ufffd\u001d\u000b\ufffd\ufffd\ufffd\ufffd>\ufffd\u001el\ufffd\"\ufffd\u0002\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\u0012 \ufffd\ufffd\nX\u000b\u0014U\u0010\ufffd\ufffd\u001c\"\ufffdy5)g\u0010\ufffd\ufffd\r\ufffd~\ufffd$\u001c\ufffd\ufffd1\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b7dd57e41ccac4acb2908100a32dd4d3701ca9a2",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdy\u0017\ufffdv\f\ufffd)d\ufffd\u001d\u000b\ufffd\ufffd\ufffd\ufffd>\ufffd\u001el\ufffd\"\ufffd\u0002\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\u0012 \ufffd\ufffd\nX\u000b\u0014U\u0010\ufffd\ufffd\u001c\"\ufffdy5)g\u0010\ufffd\ufffd\r\ufffd~\ufffd$\u001c\ufffd\ufffd1\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8081,
"service": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081"
},
"evidence_snippet": "\ufffd\ufffd\ufffdy\ufffdv\ufffd)d\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffdl\ufffd\"\ufffd\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\nXU\ufffd\ufffd\"\ufffdy5)g\ufffd\ufffd\r\ufffd~\ufffd$\ufffd\ufffd1\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)",
"target_port_label": "8081 \u00b7 HTTP ALT 8081",
"emulator_service": "http-alt-8081",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8081 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081",
"dst_port": 8081,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8081",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdy\u0017\ufffdv\f\ufffd)d\ufffd\u001d\u000b\ufffd\ufffd\ufffd\ufffd>\ufffd\u001el\ufffd\"\ufffd\u0002\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd\u0012 \ufffd\ufffd\nX\u000b\u0014U\u0010\ufffd\ufffd\u001c\"\ufffdy5)g\u0010\ufffd\ufffd\r\ufffd~\ufffd$\u001c\ufffd\ufffd1\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8081,
"service": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdy\ufffdv\ufffd)d\ufffd\ufffd\ufffd\ufffd\ufffd>\ufffdl\ufffd\"\ufffd\ufffd2\ufffd\ufffd\ufffd\ufffd\ufffd \ufffd\ufffd\nXU\ufffd\ufffd\"\ufffdy5)g\ufffd\ufffd\r\ufffd~\ufffd$\ufffd\ufffd1\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8081 \u00b7 HTTP ALT 8081",
"emulator_service": "http-alt-8081",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8081",
"service_banner": "honeypot-http-alt-8081",
"service_os": "linux",
"dst_port": "8081"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 69.23,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8082 · HTTP ALT 8082
|
http-alt-8082
|
Scan de ports
port scan syn · via HTTP ALT 8082:8082 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8082
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8082
Chemin / cible
—
Service
HTTP ALT 8082
Payload
�����������c<�0 ��gN�ˤ[�X��-� DuΘ�x�j��6� .���.أ�uH��q���$ y��Kv��gk�g�L��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������c<�0 ��gN�ˤ[�X��-� DuΘ�x�j��6� .���.أ�uH��q���$�y��Kv��gk�g�L��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������c<�0 ��gN�ˤ[�X��-� DuΘ�x�j��6� .���.أ�uH��q���$ y��Kv��gk�g�L��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� e�����D��Y�g��O���V�N�������ܱxN
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.856348231348795,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8082",
"app_proto": "http-alt-8082",
"asn": 396982,
"country": "US",
"dst_port": 8082,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "20c0dee08dab87968ce80fa671a0603a8bc9058d",
"event_fingerprint": "27ee41642bfbf2d7c87afb0f527f2b132d63d117",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8082",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "716fc0be14754f41cf8c76be39a71ec1",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8082,
"service": "http-alt-8082",
"service_name": "http-alt-8082",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c<\ufffd0 \ufffd\u0010gN\ufffd\u02e4[\u0005X\ufffd\b-\ufffd Du\u0398\ufffdx\ufffdj\ufffd\ufffd6\ufffd .\ufffd\u0011\u0015.\u0623\ufffduH\u0017\ufffdq\ufffd\ufffd\ufffd$\fy\ufffd\u001aKv\ufffd\ufffdgk\ufffdg\ufffdL\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c<\ufffd0 \ufffd\u0010gN\ufffd\u02e4[\u0005X\ufffd\b-\ufffd Du\u0398\ufffdx\ufffdj\ufffd\ufffd6\ufffd .\ufffd\u0011\u0015.\u0623\ufffduH\u0017\ufffdq\ufffd\ufffd\ufffd$\fy\ufffd\u001aKv\ufffd\ufffdgk\ufffdg\ufffdL\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 e\ufffd\u0018\ufffd\u000e\u001cD\ufffd\ufffdY\ufffdg\ufffd\u0014O\ufffd\ufffd\ufffdV\ufffdN\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0731xN",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c<\ufffd0 \ufffd\u0010gN\ufffd\u02e4[\u0005X\ufffd\b-\ufffd Du\u0398\ufffdx\ufffdj\ufffd\ufffd6\ufffd .\ufffd\u0011\u0015.\u0623\ufffduH\u0017\ufffdq\ufffd\ufffd\ufffd$\fy\ufffd\u001aKv\ufffd\ufffdgk\ufffdg\ufffdL\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a2eaefe685585aab84a4df6f42ef0d82aae02ed8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c<\ufffd0 \ufffd\u0010gN\ufffd\u02e4[\u0005X\ufffd\b-\ufffd Du\u0398\ufffdx\ufffdj\ufffd\ufffd6\ufffd .\ufffd\u0011\u0015.\u0623\ufffduH\u0017\ufffdq\ufffd\ufffd\ufffd$\fy\ufffd\u001aKv\ufffd\ufffdgk\ufffdg\ufffdL\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8082,
"service": "http-alt-8082",
"service_label_fr": "HTTP ALT 8082"
},
"evidence_snippet": "\ufffd\ufffdc<\ufffd0 \ufffdgN\ufffd\u02e4[X\ufffd-\ufffd Du\u0398\ufffdx\ufffdj\ufffd\ufffd6\ufffd .\ufffd.\u0623\ufffduH\ufffdq\ufffd\ufffd\ufffd$y\ufffdKv\ufffd\ufffdgk\ufffdg\ufffdL\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8082:8082 \u00b7 (reconnaissance)",
"target_port_label": "8082 \u00b7 HTTP ALT 8082",
"emulator_service": "http-alt-8082",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8082 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8082",
"service_label_fr": "HTTP ALT 8082",
"dst_port": 8082,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8082",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c<\ufffd0 \ufffd\u0010gN\ufffd\u02e4[\u0005X\ufffd\b-\ufffd Du\u0398\ufffdx\ufffdj\ufffd\ufffd6\ufffd .\ufffd\u0011\u0015.\u0623\ufffduH\u0017\ufffdq\ufffd\ufffd\ufffd$\fy\ufffd\u001aKv\ufffd\ufffdgk\ufffdg\ufffdL\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8082,
"service": "http-alt-8082",
"service_label_fr": "HTTP ALT 8082"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8082:8082 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdc<\ufffd0 \ufffdgN\ufffd\u02e4[X\ufffd-\ufffd Du\u0398\ufffdx\ufffdj\ufffd\ufffd6\ufffd .\ufffd.\u0623\ufffduH\ufffdq\ufffd\ufffd\ufffd$y\ufffdKv\ufffd\ufffdgk\ufffdg\ufffdL\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8082 \u00b7 HTTP ALT 8082",
"emulator_service": "http-alt-8082",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8082",
"service_banner": "honeypot-http-alt-8082",
"service_os": "linux",
"dst_port": "8082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 68.96,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8083 · HTTP ALT 8083
|
http-alt-8083
|
Scan de ports
port scan syn · via HTTP ALT 8083:8083 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8083
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8083
Chemin / cible
—
Service
HTTP ALT 8083
Payload
������������������A-��qT�`�8u����hx �+5! /���k4�L�6���C,��&�*3m�~�l]���R��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������������A-��qT�`�8u����hx��+5! /���k4�L�6���C,��&�*3m�~�l]���R��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������������A-��qT�`�8u����hx �+5! /���k4�L�6���C,��&�*3m�~�l]���R��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���oȚ��� -�����S���/��I��Ҽ��L6
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.8287689212689475,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8083",
"app_proto": "http-alt-8083",
"asn": 396982,
"country": "US",
"dst_port": 8083,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "1b879cfee65b6b04db16384d9063c48c03ad3b06",
"event_fingerprint": "5374662388119f0de85a6012faa9fbcd3b7cc4e2",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8083",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "86e1d44b1f8501d7ce3c57c7be476bc0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8083,
"service": "http-alt-8083",
"service_name": "http-alt-8083",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd\ufffd\u0012\ufffdA-\ufffd\ufffdqT\ufffd`\ufffd8u\ufffd\u0011\ufffd\ufffd\u0603hx\f\ufffd+5! \/\ufffd\ufffd\ufffdk4\ufffdL\u00126\ufffd\u0016\ufffdC,\u001b\ufffd&\ufffd*3m\ufffd~\ufffdl]\ufffd\u0001\u0017R\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd\ufffd\u0012\ufffdA-\ufffd\ufffdqT\ufffd`\ufffd8u\ufffd\u0011\ufffd\ufffd\u0603hx\f\ufffd+5! \/\ufffd\ufffd\ufffdk4\ufffdL\u00126\ufffd\u0016\ufffdC,\u001b\ufffd&\ufffd*3m\ufffd~\ufffdl]\ufffd\u0001\u0017R\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdo\u021a\ufffd\ufffd\ufffd\r-\u0002\ufffd\ufffd\ufffd\ufffdS\ufffd\ufffd\u0001\/\ufffd\ufffdI\ufffd\ufffd\u04bc\ufffd\ufffdL6",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd\ufffd\u0012\ufffdA-\ufffd\ufffdqT\ufffd`\ufffd8u\ufffd\u0011\ufffd\ufffd\u0603hx\f\ufffd+5! \/\ufffd\ufffd\ufffdk4\ufffdL\u00126\ufffd\u0016\ufffdC,\u001b\ufffd&\ufffd*3m\ufffd~\ufffdl]\ufffd\u0001\u0017R\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6c00ca896f06d31ca08d59879197c527c8c78fd6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd\ufffd\u0012\ufffdA-\ufffd\ufffdqT\ufffd`\ufffd8u\ufffd\u0011\ufffd\ufffd\u0603hx\f\ufffd+5! \/\ufffd\ufffd\ufffdk4\ufffdL\u00126\ufffd\u0016\ufffdC,\u001b\ufffd&\ufffd*3m\ufffd~\ufffdl]\ufffd\u0001\u0017R\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8083,
"service": "http-alt-8083",
"service_label_fr": "HTTP ALT 8083"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdA-\ufffd\ufffdqT\ufffd`\ufffd8u\ufffd\ufffd\ufffd\u0603hx\ufffd+5! \/\ufffd\ufffd\ufffdk4\ufffdL6\ufffd\ufffdC,\ufffd&\ufffd*3m\ufffd~\ufffdl]\ufffdR\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8083:8083 \u00b7 (reconnaissance)",
"target_port_label": "8083 \u00b7 HTTP ALT 8083",
"emulator_service": "http-alt-8083",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8083 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8083",
"service_label_fr": "HTTP ALT 8083",
"dst_port": 8083,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8083",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd\ufffd\u0012\ufffdA-\ufffd\ufffdqT\ufffd`\ufffd8u\ufffd\u0011\ufffd\ufffd\u0603hx\f\ufffd+5! \/\ufffd\ufffd\ufffdk4\ufffdL\u00126\ufffd\u0016\ufffdC,\u001b\ufffd&\ufffd*3m\ufffd~\ufffdl]\ufffd\u0001\u0017R\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8083,
"service": "http-alt-8083",
"service_label_fr": "HTTP ALT 8083"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8083:8083 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdA-\ufffd\ufffdqT\ufffd`\ufffd8u\ufffd\ufffd\ufffd\u0603hx\ufffd+5! \/\ufffd\ufffd\ufffdk4\ufffdL6\ufffd\ufffdC,\ufffd&\ufffd*3m\ufffd~\ufffdl]\ufffdR\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8083 \u00b7 HTTP ALT 8083",
"emulator_service": "http-alt-8083",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8083",
"service_banner": "honeypot-http-alt-8083",
"service_os": "linux",
"dst_port": "8083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 68.74,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
7000 · CASSANDRA JMX
|
cassandra-jmx
|
Scan de ports
port scan syn · via CASSANDRA JMX:7000 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
CASSANDRA-JMX
WAF
—
Recommandation
Surveiller
Tags
cassandra_emulated
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
7000
Chemin / cible
—
Service
CASSANDRA JMX
Payload
�����������m��� jc�ʵ# �M݊��<o���M��M{(�� �:�m�����|qD�y���n t��_��Z]�ՁS�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������m����jc�ʵ# �M݊��<o���M��M{(�� �:�m�����|qD�y���n t��_��Z]�ՁS�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������m��� jc�ʵ# �M݊��<o���M��M{(�� �:�m�����|qD�y���n t��_��Z]�ՁS�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �๎$2?l�CV �%�h�l_�V�p�J�&�!�`>
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "4f4b0d0a",
"emulator_response_len": 4,
"bytes_in": 239,
"payload_entropy": 5.909905534731939,
"port_category": "registered",
"org": "Google LLC",
"service": "cassandra-jmx",
"app_proto": "cassandra-jmx",
"asn": 396982,
"country": "US",
"dst_port": 7000,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "0e837f001fe9fba5f7c6be4510527027bb99803e",
"event_fingerprint": "0c69b3edfad1fd34f7b447e7480ba1b6050084c0",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "cassandra-jmx",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c994ad6a0fe34cd15c5998f31178ecad",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 7000,
"service": "cassandra-jmx",
"service_name": "cassandra-jmx",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\ufffd\ufffd\u000bjc\ufffd\u02b5# \ufffdM\u074a\ufffd\ufffd<o\ufffd\ufffd\ufffdM\ufffd\u001cM{(\u000f\ufffd \ufffd:\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd|qD\ufffdy\ufffd\u0003\u0004n t\ufffd\ufffd_\ufffd\ufffdZ]\ufffd\u0541S\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\ufffd\ufffd\u000bjc\ufffd\u02b5# \ufffdM\u074a\ufffd\ufffd<o\ufffd\ufffd\ufffdM\ufffd\u001cM{(\u000f\ufffd \ufffd:\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd|qD\ufffdy\ufffd\u0003\u0004n t\ufffd\ufffd_\ufffd\ufffdZ]\ufffd\u0541S\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0e4e$2?l\ufffdCV\f\u0011%\u000fh\ufffdl_\ufffdV\u001ap\bJ\ufffd&\ufffd!\ufffd`>",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\ufffd\ufffd\u000bjc\ufffd\u02b5# \ufffdM\u074a\ufffd\ufffd<o\ufffd\ufffd\ufffdM\ufffd\u001cM{(\u000f\ufffd \ufffd:\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd|qD\ufffdy\ufffd\u0003\u0004n t\ufffd\ufffd_\ufffd\ufffdZ]\ufffd\u0541S\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0d6f601285f9c687f6be8e1406c1255bd96aba6d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\ufffd\ufffd\u000bjc\ufffd\u02b5# \ufffdM\u074a\ufffd\ufffd<o\ufffd\ufffd\ufffdM\ufffd\u001cM{(\u000f\ufffd \ufffd:\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd|qD\ufffdy\ufffd\u0003\u0004n t\ufffd\ufffd_\ufffd\ufffdZ]\ufffd\u0541S\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7000,
"service": "cassandra-jmx",
"service_label_fr": "CASSANDRA JMX"
},
"evidence_snippet": "\ufffd\ufffdm\ufffd\ufffd\ufffdjc\ufffd\u02b5# \ufffdM\u074a\ufffd\ufffd<o\ufffd\ufffd\ufffdM\ufffdM{(\ufffd \ufffd:\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd|qD\ufffdy\ufffdn t\ufffd\ufffd_\ufffd\ufffdZ]\ufffd\u0541S&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via CASSANDRA JMX:7000 \u00b7 (reconnaissance)",
"target_port_label": "7000 \u00b7 CASSANDRA JMX",
"emulator_service": "cassandra-jmx",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CASSANDRA JMX \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "cassandra-jmx",
"service_label_fr": "CASSANDRA JMX",
"dst_port": 7000,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cassandra-jmx",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m\ufffd\ufffd\ufffd\u000bjc\ufffd\u02b5# \ufffdM\u074a\ufffd\ufffd<o\ufffd\ufffd\ufffdM\ufffd\u001cM{(\u000f\ufffd \ufffd:\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd|qD\ufffdy\ufffd\u0003\u0004n t\ufffd\ufffd_\ufffd\ufffdZ]\ufffd\u0541S\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 7000,
"service": "cassandra-jmx",
"service_label_fr": "CASSANDRA JMX"
},
"attack_vector": "port scan syn \u00b7 via CASSANDRA JMX:7000 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdm\ufffd\ufffd\ufffdjc\ufffd\u02b5# \ufffdM\u074a\ufffd\ufffd<o\ufffd\ufffd\ufffdM\ufffdM{(\ufffd \ufffd:\ufffdm\ufffd\ufffd\ufffd\ufffd\ufffd|qD\ufffdy\ufffdn t\ufffd\ufffd_\ufffd\ufffdZ]\ufffd\u0541S&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "7000 \u00b7 CASSANDRA JMX",
"emulator_service": "cassandra-jmx",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cassandra_jmx",
"service_banner": "honeypot-cassandra-jmx",
"service_os": "linux",
"dst_port": "7000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 66.43,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"cassandra_emulated",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8084 · HTTP ALT 8084
|
http-alt-8084
|
Scan de ports
port scan syn · via HTTP ALT 8084:8084 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8084
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8084
Chemin / cible
—
Service
HTTP ALT 8084
Payload
�����������.4� �m�c��ǽ�9Hd~�u�+8�,��0���-1 ��i ��N6|����P4=�/A�O�Ĥ�jUU��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������.4�
�m�c��ǽ�9Hd~�u�+8�,��0���-1 ��i ��N6|����P4=�/A�O�Ĥ�jUU��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������.4� �m�c��ǽ�9Hd~�u�+8�,��0���-1 ��i ��N6|����P4=�/A�O�Ĥ�jUU��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��7���?���k�l��W�z����f���m�T
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.864510471649359,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8084",
"app_proto": "http-alt-8084",
"asn": 396982,
"country": "US",
"dst_port": 8084,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3d5024343fa7424304d8f83670ab52c567803d23",
"event_fingerprint": "9218c3a6103020d7b5cb681eb016f90f0e1a1b1b",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8084",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "43fac423871cbe657e1c4145c1abf0c0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8084,
"service": "http-alt-8084",
"service_name": "http-alt-8084",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.4\ufffd\r\ufffdm\u000fc\ufffd\ufffd\u01fd\ufffd9Hd~\ufffdu\ufffd+8\ufffd,\ufffd\ufffd0\ufffd\ufffd\ufffd-1 \ufffd\u0001i \u0012\ufffdN6|\ufffd\ufffd\ufffd\u001aP4=\ufffd\/A\ufffdO\ufffd\u0124\u0019j\u0090UU\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.4\ufffd\r\ufffdm\u000fc\ufffd\ufffd\u01fd\ufffd9Hd~\ufffdu\ufffd+8\ufffd,\ufffd\ufffd0\ufffd\ufffd\ufffd-1 \ufffd\u0001i \u0012\ufffdN6|\ufffd\ufffd\ufffd\u001aP4=\ufffd\/A\ufffdO\ufffd\u0124\u0019j\u0090UU\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd7\ufffd\ue7b7\ufffd\ufffd?\ufffd\ufffd\ufffdk\u0018l\ufffd\u0007W\u0004z\ufffd\u0013\ufffd\ufffdf\u001a\ufffd\ufffdm\u0018T",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.4\ufffd\r\ufffdm\u000fc\ufffd\ufffd\u01fd\ufffd9Hd~\ufffdu\ufffd+8\ufffd,\ufffd\ufffd0\ufffd\ufffd\ufffd-1 \ufffd\u0001i \u0012\ufffdN6|\ufffd\ufffd\ufffd\u001aP4=\ufffd\/A\ufffdO\ufffd\u0124\u0019j\u0090UU\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f5cc4e12ad180fb3e9bc5c1e64edee81ff500dea",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.4\ufffd\r\ufffdm\u000fc\ufffd\ufffd\u01fd\ufffd9Hd~\ufffdu\ufffd+8\ufffd,\ufffd\ufffd0\ufffd\ufffd\ufffd-1 \ufffd\u0001i \u0012\ufffdN6|\ufffd\ufffd\ufffd\u001aP4=\ufffd\/A\ufffdO\ufffd\u0124\u0019j\u0090UU\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8084,
"service": "http-alt-8084",
"service_label_fr": "HTTP ALT 8084"
},
"evidence_snippet": "\ufffd\ufffd.4\ufffd\r\ufffdmc\ufffd\ufffd\u01fd\ufffd9Hd~\ufffdu\ufffd+8\ufffd,\ufffd\ufffd0\ufffd\ufffd\ufffd-1 \ufffdi \ufffdN6|\ufffd\ufffd\ufffdP4=\ufffd\/A\ufffdO\ufffd\u0124j\u0090UU\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8084:8084 \u00b7 (reconnaissance)",
"target_port_label": "8084 \u00b7 HTTP ALT 8084",
"emulator_service": "http-alt-8084",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8084 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8084",
"service_label_fr": "HTTP ALT 8084",
"dst_port": 8084,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8084",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003.4\ufffd\r\ufffdm\u000fc\ufffd\ufffd\u01fd\ufffd9Hd~\ufffdu\ufffd+8\ufffd,\ufffd\ufffd0\ufffd\ufffd\ufffd-1 \ufffd\u0001i \u0012\ufffdN6|\ufffd\ufffd\ufffd\u001aP4=\ufffd\/A\ufffdO\ufffd\u0124\u0019j\u0090UU\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8084,
"service": "http-alt-8084",
"service_label_fr": "HTTP ALT 8084"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8084:8084 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd.4\ufffd\r\ufffdmc\ufffd\ufffd\u01fd\ufffd9Hd~\ufffdu\ufffd+8\ufffd,\ufffd\ufffd0\ufffd\ufffd\ufffd-1 \ufffdi \ufffdN6|\ufffd\ufffd\ufffdP4=\ufffd\/A\ufffdO\ufffd\u0124j\u0090UU\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8084 \u00b7 HTTP ALT 8084",
"emulator_service": "http-alt-8084",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8084",
"service_banner": "honeypot-http-alt-8084",
"service_os": "linux",
"dst_port": "8084"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 66.18,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8088 · HTTP ALT 8088
|
http-alt-8088
|
Scan de ports
port scan syn · via HTTP ALT 8088:8088 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8088
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8088
Chemin / cible
—
Service
HTTP ALT 8088
Payload
������������w���OS�������h��8)S@��u�@�C��� P��id�(<������o�T9�Ne��w��(�4�R��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������w���OS�������h��8)S@��u�@�C��� P��id�(<������o�T9�Ne��w��(�4�R��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������w���OS�������h��8)S@��u�@�C��� P��id�(<������o�T9�Ne��w��(�4�R��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� "�����gm�²�R�n���oM`��� e[3(�AK
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.873259712436525,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8088",
"app_proto": "http-alt-8088",
"asn": 396982,
"country": "US",
"dst_port": 8088,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "9b310dfc153c1fa747b9b57e92ae91622522831d",
"event_fingerprint": "16ee8898bf0813cb9d5538fbd0265dee1881bda7",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8088",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "8fcdfc6288b086a7e5f0bff1f684c761",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8088,
"service": "http-alt-8088",
"service_name": "http-alt-8088",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdw\ufffd\u000e\u0011OS\ufffd\ufffd\ufffd\u0017\ufffd\u0012\ufffdh\ufffd\ufffd8)S@\ufffd\ufffdu\ufffd@\ufffdC\ufffd\ufffd\ufffd P\ufffd\ufffdid\u0019(<\u0010\ufffd\u0006\ufffd\ufffd\ufffdo\ufffdT9\ufffdNe\ufffd\u001bw\u000f\u001a(\ufffd4\ufffdR\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdw\ufffd\u000e\u0011OS\ufffd\ufffd\ufffd\u0017\ufffd\u0012\ufffdh\ufffd\ufffd8)S@\ufffd\ufffdu\ufffd@\ufffdC\ufffd\ufffd\ufffd P\ufffd\ufffdid\u0019(<\u0010\ufffd\u0006\ufffd\ufffd\ufffdo\ufffdT9\ufffdNe\ufffd\u001bw\u000f\u001a(\ufffd4\ufffdR\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \"\ufffd\ufffd\ufffd\ufffd\u0010gm\ufffd\u00b2\ufffdR\ufffdn\ufffd\u001b\ufffdoM`\ufffd\ufffd\ufffd\re[3(\u0007AK",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdw\ufffd\u000e\u0011OS\ufffd\ufffd\ufffd\u0017\ufffd\u0012\ufffdh\ufffd\ufffd8)S@\ufffd\ufffdu\ufffd@\ufffdC\ufffd\ufffd\ufffd P\ufffd\ufffdid\u0019(<\u0010\ufffd\u0006\ufffd\ufffd\ufffdo\ufffdT9\ufffdNe\ufffd\u001bw\u000f\u001a(\ufffd4\ufffdR\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3f66eda2bf4e62c7342ff508f8ef2d046bd14fb3",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdw\ufffd\u000e\u0011OS\ufffd\ufffd\ufffd\u0017\ufffd\u0012\ufffdh\ufffd\ufffd8)S@\ufffd\ufffdu\ufffd@\ufffdC\ufffd\ufffd\ufffd P\ufffd\ufffdid\u0019(<\u0010\ufffd\u0006\ufffd\ufffd\ufffdo\ufffdT9\ufffdNe\ufffd\u001bw\u000f\u001a(\ufffd4\ufffdR\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8088,
"service": "http-alt-8088",
"service_label_fr": "HTTP ALT 8088"
},
"evidence_snippet": "\ufffd\ufffd\ufffdw\ufffdOS\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffd\ufffd8)S@\ufffd\ufffdu\ufffd@\ufffdC\ufffd\ufffd\ufffd P\ufffd\ufffdid(<\ufffd\ufffd\ufffd\ufffdo\ufffdT9\ufffdNe\ufffdw(\ufffd4\ufffdR\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8088:8088 \u00b7 (reconnaissance)",
"target_port_label": "8088 \u00b7 HTTP ALT 8088",
"emulator_service": "http-alt-8088",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8088 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8088",
"service_label_fr": "HTTP ALT 8088",
"dst_port": 8088,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8088",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdw\ufffd\u000e\u0011OS\ufffd\ufffd\ufffd\u0017\ufffd\u0012\ufffdh\ufffd\ufffd8)S@\ufffd\ufffdu\ufffd@\ufffdC\ufffd\ufffd\ufffd P\ufffd\ufffdid\u0019(<\u0010\ufffd\u0006\ufffd\ufffd\ufffdo\ufffdT9\ufffdNe\ufffd\u001bw\u000f\u001a(\ufffd4\ufffdR\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8088,
"service": "http-alt-8088",
"service_label_fr": "HTTP ALT 8088"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8088:8088 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdw\ufffdOS\ufffd\ufffd\ufffd\ufffd\ufffdh\ufffd\ufffd8)S@\ufffd\ufffdu\ufffd@\ufffdC\ufffd\ufffd\ufffd P\ufffd\ufffdid(<\ufffd\ufffd\ufffd\ufffdo\ufffdT9\ufffdNe\ufffdw(\ufffd4\ufffdR\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8088 \u00b7 HTTP ALT 8088",
"emulator_service": "http-alt-8088",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8088",
"service_banner": "honeypot-http-alt-8088",
"service_os": "linux",
"dst_port": "8088"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 160,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 160,
"scan_velocity_ports_per_s": 65.95,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
9988 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:9988 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9988
Chemin / cible
—
Service
TLS
Payload
�����������d!�ͨl��n�Ia�p�s,$��r��V�xy-6�� ��4��y7;��jR��Y��8IP� �U�$���}���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������d!�ͨl��n�Ia�p�s,$��r��V�xy-6�� ��4��y7;��jR��Y��8IP� �U�$���}���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������d!�ͨl��n�Ia�p�s,$��r��V�xy-6�� ��4��y7;��jR��Y��8IP� �U�$���}���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �]8������蔘(��噕Z�-c/{�-ɹئ1E
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.943544512083472,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 9988,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b9e7ecfcd0365894447c0ea57a9f927d17165e19",
"event_fingerprint": "731782d54f50b00ee6e663a4c6c25218a39d158e",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "fbede169474dd3ab3a9f4ac2029aee32",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 9988,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d!\ufffd\u0368l\ufffd\ufffdn\ufffdIa\ufffdp\ufffds,$\ufffd\ufffdr\ufffd\ufffdV\ufffdxy-6\u0000\u001f \ufffd\ufffd4\ufffd\ufffdy7;\ufffd\ufffdjR\ufffd\ufffdY\ufffd\ufffd8IP\ufffd\t\u001fU\ufffd$\ufffd\u001e\u001d}\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d!\ufffd\u0368l\ufffd\ufffdn\ufffdIa\ufffdp\ufffds,$\ufffd\ufffdr\ufffd\ufffdV\ufffdxy-6\u0000\u001f \ufffd\ufffd4\ufffd\ufffdy7;\ufffd\ufffdjR\ufffd\ufffdY\ufffd\ufffd8IP\ufffd\t\u001fU\ufffd$\ufffd\u001e\u001d}\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd]8\u001f\u0002\ufffd\u000f\ufffd\ufffd\u8518(\ufffd\u001b\u5655Z\ufffd-c\/{\ufffd-\u0279\u06261E",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d!\ufffd\u0368l\ufffd\ufffdn\ufffdIa\ufffdp\ufffds,$\ufffd\ufffdr\ufffd\ufffdV\ufffdxy-6\u0000\u001f \ufffd\ufffd4\ufffd\ufffdy7;\ufffd\ufffdjR\ufffd\ufffdY\ufffd\ufffd8IP\ufffd\t\u001fU\ufffd$\ufffd\u001e\u001d}\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2655b7c91e3bec06eddbd724920381cf51a76cf4",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d!\ufffd\u0368l\ufffd\ufffdn\ufffdIa\ufffdp\ufffds,$\ufffd\ufffdr\ufffd\ufffdV\ufffdxy-6\u0000\u001f \ufffd\ufffd4\ufffd\ufffdy7;\ufffd\ufffdjR\ufffd\ufffdY\ufffd\ufffd8IP\ufffd\t\u001fU\ufffd$\ufffd\u001e\u001d}\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9988,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdd!\ufffd\u0368l\ufffd\ufffdn\ufffdIa\ufffdp\ufffds,$\ufffd\ufffdr\ufffd\ufffdV\ufffdxy-6 \ufffd\ufffd4\ufffd\ufffdy7;\ufffd\ufffdjR\ufffd\ufffdY\ufffd\ufffd8IP\ufffd\tU\ufffd$\ufffd}\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:9988 \u00b7 (reconnaissance)",
"target_port_label": "9988 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 9988,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d!\ufffd\u0368l\ufffd\ufffdn\ufffdIa\ufffdp\ufffds,$\ufffd\ufffdr\ufffd\ufffdV\ufffdxy-6\u0000\u001f \ufffd\ufffd4\ufffd\ufffdy7;\ufffd\ufffdjR\ufffd\ufffdY\ufffd\ufffd8IP\ufffd\t\u001fU\ufffd$\ufffd\u001e\u001d}\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 9988,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:9988 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdd!\ufffd\u0368l\ufffd\ufffdn\ufffdIa\ufffdp\ufffds,$\ufffd\ufffdr\ufffd\ufffdV\ufffdxy-6 \ufffd\ufffd4\ufffd\ufffdy7;\ufffd\ufffdjR\ufffd\ufffdY\ufffd\ufffd8IP\ufffd\tU\ufffd$\ufffd}\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "9988 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "9988"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 66.17,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8089 · SPLUNK
|
splunk
|
Scan de ports
port scan syn · via SPLUNK:8089 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
SPLUNK
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8089
Chemin / cible
—
Service
SPLUNK
Payload
�����������bc.������7T��y�����5�W/ˡ� EF�� �z�*�L�t�gt��wܱ���J��P= �C�i����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������bc.������7T��y�����5�W/ˡ��EF�� �z�*�L�t�gt��wܱ���J��P= �C�i����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������bc.������7T��y�����5�W/ˡ� EF�� �z�*�L�t�gt��wܱ���J��P= �C�i����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����q9%��5����`���!����خ�� eU
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.865896575519724,
"port_category": "registered",
"org": "Google LLC",
"service": "splunk",
"app_proto": "splunk",
"asn": 396982,
"country": "US",
"dst_port": 8089,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "92bf0acb24ea723d3a8f128bbce21e6054cac3e3",
"event_fingerprint": "cbc2550b26988a84e641846649408cb98ee64102",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "splunk",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "19f9e965dcb93cdf401f186c7e792277",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8089,
"service": "splunk",
"service_name": "splunk",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003bc.\ufffd\ufffd\ufffd\ufffd\u0019\ufffd7T\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffd\u00135\u001bW\/\u02e1\ufffd\u000bEF\ufffd\u0010 \ufffdz\u000f*\ufffdL\ufffdt\ufffdgt\ufffd\u0007w\u0731\u0007\ufffd\ufffdJ\ufffd\ufffdP= \u001fC\u0015i\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003bc.\ufffd\ufffd\ufffd\ufffd\u0019\ufffd7T\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffd\u00135\u001bW\/\u02e1\ufffd\u000bEF\ufffd\u0010 \ufffdz\u000f*\ufffdL\ufffdt\ufffdgt\ufffd\u0007w\u0731\u0007\ufffd\ufffdJ\ufffd\ufffdP= \u001fC\u0015i\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0010q9%\ufffd\u00135\ufffd\ufffd\ufffd\ufffd`\ufffd\b\ufffd!\ufffd\ufffd\ufffd\ufffd\u062e\u0016\ufffd\neU",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003bc.\ufffd\ufffd\ufffd\ufffd\u0019\ufffd7T\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffd\u00135\u001bW\/\u02e1\ufffd\u000bEF\ufffd\u0010 \ufffdz\u000f*\ufffdL\ufffdt\ufffdgt\ufffd\u0007w\u0731\u0007\ufffd\ufffdJ\ufffd\ufffdP= \u001fC\u0015i\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e3b329e901c4f49b3b9f5ebdc47b303236b1e98e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003bc.\ufffd\ufffd\ufffd\ufffd\u0019\ufffd7T\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffd\u00135\u001bW\/\u02e1\ufffd\u000bEF\ufffd\u0010 \ufffdz\u000f*\ufffdL\ufffdt\ufffdgt\ufffd\u0007w\u0731\u0007\ufffd\ufffdJ\ufffd\ufffdP= \u001fC\u0015i\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8089,
"service": "splunk",
"service_label_fr": "SPLUNK"
},
"evidence_snippet": "\ufffd\ufffdbc.\ufffd\ufffd\ufffd\ufffd\ufffd7T\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffd5W\/\u02e1\ufffdEF\ufffd \ufffdz*\ufffdL\ufffdt\ufffdgt\ufffdw\u0731\ufffd\ufffdJ\ufffd\ufffdP= Ci\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via SPLUNK:8089 \u00b7 (reconnaissance)",
"target_port_label": "8089 \u00b7 SPLUNK",
"emulator_service": "splunk",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SPLUNK \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "splunk",
"service_label_fr": "SPLUNK",
"dst_port": 8089,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-splunk",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003bc.\ufffd\ufffd\ufffd\ufffd\u0019\ufffd7T\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffd\u00135\u001bW\/\u02e1\ufffd\u000bEF\ufffd\u0010 \ufffdz\u000f*\ufffdL\ufffdt\ufffdgt\ufffd\u0007w\u0731\u0007\ufffd\ufffdJ\ufffd\ufffdP= \u001fC\u0015i\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8089,
"service": "splunk",
"service_label_fr": "SPLUNK"
},
"attack_vector": "port scan syn \u00b7 via SPLUNK:8089 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdbc.\ufffd\ufffd\ufffd\ufffd\ufffd7T\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffd5W\/\u02e1\ufffdEF\ufffd \ufffdz*\ufffdL\ufffdt\ufffdgt\ufffdw\u0731\ufffd\ufffdJ\ufffd\ufffdP= Ci\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8089 \u00b7 SPLUNK",
"emulator_service": "splunk",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "splunk",
"service_banner": "honeypot-splunk",
"service_os": "linux",
"dst_port": "8089"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 65.97,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8090 · HTTP ALT 8090
|
http-alt-8090
|
Scan de ports
port scan syn · via HTTP ALT 8090:8090 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
�������������q����������EA�����;;��<����V; ��gf�BC�٭�r���+�D��Ъ)�4�{+�b�G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������q����������EA�����;;��<����V; ��gf�BC�٭�r���+�D��Ъ)�4�{+�b�G�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������q����������EA�����;;��<����V; ��gf�BC�٭�r���+�D��Ъ)�4�{+�b�G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����:⽷n�$�sR� ����dQ�� pI�Fd}"
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.851664484575723,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "US",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "77ca43667d991e00677fe6e4b0b6a2dd2ad4c8c6",
"event_fingerprint": "fa281e43a1524838258f20bc7430f72a1b8654b1",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b06301ba685bf46d91ee801c24667848",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdEA\ufffd\ufffd\u001f\u001c\ufffd;;\u0017\ufffd<\ufffd\ufffd\ufffd\ufffdV; \ufffd\ufffdgf\ufffdBC\ufffd\u066d\u0012r\ufffd\ufffd\ufffd+\u001bD\ufffd\ufffd\u042a)\ufffd4\ufffd{+\ufffdb\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdEA\ufffd\ufffd\u001f\u001c\ufffd;;\u0017\ufffd<\ufffd\ufffd\ufffd\ufffdV; \ufffd\ufffdgf\ufffdBC\ufffd\u066d\u0012r\ufffd\ufffd\ufffd+\u001bD\ufffd\ufffd\u042a)\ufffd4\ufffd{+\ufffdb\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd:\u2f77n\ufffd$\ufffdsR\ufffd\u000b\u0005\ufffd\ufffd\ufffddQ\ufffd\u001e pI\ufffdFd}\"",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdEA\ufffd\ufffd\u001f\u001c\ufffd;;\u0017\ufffd<\ufffd\ufffd\ufffd\ufffdV; \ufffd\ufffdgf\ufffdBC\ufffd\u066d\u0012r\ufffd\ufffd\ufffd+\u001bD\ufffd\ufffd\u042a)\ufffd4\ufffd{+\ufffdb\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f26ea74e035ea31c0d59e73f8068e17a8990967f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdEA\ufffd\ufffd\u001f\u001c\ufffd;;\u0017\ufffd<\ufffd\ufffd\ufffd\ufffdV; \ufffd\ufffdgf\ufffdBC\ufffd\u066d\u0012r\ufffd\ufffd\ufffd+\u001bD\ufffd\ufffd\u042a)\ufffd4\ufffd{+\ufffdb\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdEA\ufffd\ufffd\ufffd;;\ufffd<\ufffd\ufffd\ufffd\ufffdV; \ufffd\ufffdgf\ufffdBC\ufffd\u066dr\ufffd\ufffd\ufffd+D\ufffd\ufffd\u042a)\ufffd4\ufffd{+\ufffdb\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8090:8090 \u00b7 (reconnaissance)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8090 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\ufffd\ufffd\ufffdEA\ufffd\ufffd\u001f\u001c\ufffd;;\u0017\ufffd<\ufffd\ufffd\ufffd\ufffdV; \ufffd\ufffdgf\ufffdBC\ufffd\u066d\u0012r\ufffd\ufffd\ufffd+\u001bD\ufffd\ufffd\u042a)\ufffd4\ufffd{+\ufffdb\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8090:8090 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdq\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdEA\ufffd\ufffd\ufffd;;\ufffd<\ufffd\ufffd\ufffd\ufffdV; \ufffd\ufffdgf\ufffdBC\ufffd\u066dr\ufffd\ufffd\ufffd+D\ufffd\ufffd\u042a)\ufffd4\ufffd{+\ufffdb\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 65.78,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8091 · COUCHBASE
|
couchbase
|
Scan de ports
port scan syn · via COUCHBASE:8091 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
COUCHBASE
WAF
—
Recommandation
Surveiller
Tags
couchbase_emulated
couchbase_payload
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8091
Chemin / cible
—
Service
COUCHBASE
Payload
�����������Jhs|g̒ ���ū+YV���fն���Ez�/�6P ��%���8��M�,'�!'ƛ�CB�[���tv�#���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Jhs|g̒
���ū+YV���fն���Ez�/�6P ��%���8��M�,'�!'ƛ�CB�[���tv�#���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������Jhs|g̒ ���ū+YV���fն���Ez�/�6P ��%���8��M�,'�!'ƛ�CB�[���tv�#���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���/+0V�-<��Q��^��Y~���s�J��n=9Q
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f7420636f7563686261736520726561647920706f72743d383039310d0a",
"emulator_response_len": 40,
"bytes_in": 239,
"payload_entropy": 5.814912781216854,
"port_category": "registered",
"org": "Google LLC",
"service": "couchbase",
"app_proto": "couchbase",
"asn": 396982,
"country": "US",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "bcb5e842476d62d23c66b74545d3e258079f51ec",
"event_fingerprint": "a032868a84f756125902e980581e4d9d67e60d5a",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "couchbase",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c79dfcb3c57cc7e541849a76e03806fa",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8091,
"service": "couchbase",
"service_name": "couchbase",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Jhs|g\u0312\r\u0005\ufffd\u0000\u016b+YV\ufffd\ufffd\ufffdf\u0576\ufffd\u0013\ufffdEz\ufffd\/\ufffd6P \u0003\u0010%\u0011\ufffd\ufffd8\ufffd\ufffdM\b,'\ufffd!'\u019b\ufffdCB\ufffd[\ufffd\ufffd\u0006tv\ufffd#\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Jhs|g\u0312\r\u0005\ufffd\u0000\u016b+YV\ufffd\ufffd\ufffdf\u0576\ufffd\u0013\ufffdEz\ufffd\/\ufffd6P \u0003\u0010%\u0011\ufffd\ufffd8\ufffd\ufffdM\b,'\ufffd!'\u019b\ufffdCB\ufffd[\ufffd\ufffd\u0006tv\ufffd#\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\/+0V\ufffd-<\u0007\ufffdQ\ufffd\ufffd^\ufffd\u001aY~\ufffd\u0007\ufffds\ufffdJ\ufffd\ufffdn=9Q",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Jhs|g\u0312\r\u0005\ufffd\u0000\u016b+YV\ufffd\ufffd\ufffdf\u0576\ufffd\u0013\ufffdEz\ufffd\/\ufffd6P \u0003\u0010%\u0011\ufffd\ufffd8\ufffd\ufffdM\b,'\ufffd!'\u019b\ufffdCB\ufffd[\ufffd\ufffd\u0006tv\ufffd#\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "07fcaed1a6ec821e2537d63252049372442f1c7a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Jhs|g\u0312\r\u0005\ufffd\u0000\u016b+YV\ufffd\ufffd\ufffdf\u0576\ufffd\u0013\ufffdEz\ufffd\/\ufffd6P \u0003\u0010%\u0011\ufffd\ufffd8\ufffd\ufffdM\b,'\ufffd!'\u019b\ufffdCB\ufffd[\ufffd\ufffd\u0006tv\ufffd#\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8091,
"service": "couchbase",
"service_label_fr": "COUCHBASE"
},
"evidence_snippet": "\ufffd\ufffdJhs|g\u0312\r\ufffd\u016b+YV\ufffd\ufffd\ufffdf\u0576\ufffd\ufffdEz\ufffd\/\ufffd6P %\ufffd\ufffd8\ufffd\ufffdM,'\ufffd!'\u019b\ufffdCB\ufffd[\ufffd\ufffdtv\ufffd#\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via COUCHBASE:8091 \u00b7 (reconnaissance)",
"target_port_label": "8091 \u00b7 COUCHBASE",
"emulator_service": "couchbase",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via COUCHBASE \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "couchbase",
"service_label_fr": "COUCHBASE",
"dst_port": 8091,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-couchbase",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003Jhs|g\u0312\r\u0005\ufffd\u0000\u016b+YV\ufffd\ufffd\ufffdf\u0576\ufffd\u0013\ufffdEz\ufffd\/\ufffd6P \u0003\u0010%\u0011\ufffd\ufffd8\ufffd\ufffdM\b,'\ufffd!'\u019b\ufffdCB\ufffd[\ufffd\ufffd\u0006tv\ufffd#\u0012\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8091,
"service": "couchbase",
"service_label_fr": "COUCHBASE"
},
"attack_vector": "port scan syn \u00b7 via COUCHBASE:8091 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdJhs|g\u0312\r\ufffd\u016b+YV\ufffd\ufffd\ufffdf\u0576\ufffd\ufffdEz\ufffd\/\ufffd6P %\ufffd\ufffd8\ufffd\ufffdM,'\ufffd!'\u019b\ufffdCB\ufffd[\ufffd\ufffdtv\ufffd#\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8091 \u00b7 COUCHBASE",
"emulator_service": "couchbase",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "couchbase",
"service_banner": "honeypot-couchbase",
"service_os": "linux",
"dst_port": "8091"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 65.6,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"couchbase_emulated",
"couchbase_payload",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
81 · HTTP ALT 81
|
http-alt-81
|
Scan de ports
port scan syn · via HTTP ALT 81:81 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-81
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
81
Chemin / cible
—
Service
HTTP ALT 81
Payload
�������������?+�Do'�������@�j_���������*�� �Ϡ�s˸����s��If��2���7�ug�"U�=�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������?+�Do'�������@�j_���������*�� �Ϡ�s˸����s��If��2���7�ug�"U�=�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������?+�Do'�������@�j_���������*�� �Ϡ�s˸����s��If��2���7�ug�"U�=�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���A��{����s����A� ༭v95�s����$
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.819607543131118,
"port_category": "well_known",
"org": "Google LLC",
"service": "http-alt-81",
"app_proto": "http-alt-81",
"asn": 396982,
"country": "US",
"dst_port": 81,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "202161fa5e529d82ad07242251047213c17ac292",
"event_fingerprint": "05a8788ba4dc4ecdcb3ae0f829f2cd9677ad672f",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-81",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d662b39082747486f89f20dafc007806",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 81,
"service": "http-alt-81",
"service_name": "http-alt-81",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd?+\ufffdDo'\u0002\u001c\ufffd\ufffd\ufffd\u0019\ufffd@\ufffdj_\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd \ufffd\u03e0\u0011s\u02f8\ufffd\ufffd\u0010\ufffds\u0006\u0005If\ufffd\ufffd2\ufffd\ufffd\ufffd7\ufffdug\ufffd\"U\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd?+\ufffdDo'\u0002\u001c\ufffd\ufffd\ufffd\u0019\ufffd@\ufffdj_\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd \ufffd\u03e0\u0011s\u02f8\ufffd\ufffd\u0010\ufffds\u0006\u0005If\ufffd\ufffd2\ufffd\ufffd\ufffd7\ufffdug\ufffd\"U\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdA\ufffd\b{\ufffd\u0011\ufffd\ufffds\ufffd\u0006\ufffd\ufffdA\ufffd\u000b\u0f2dv95\ufffds\ufffd\ufffd\u0015\ufffd$",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd?+\ufffdDo'\u0002\u001c\ufffd\ufffd\ufffd\u0019\ufffd@\ufffdj_\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd \ufffd\u03e0\u0011s\u02f8\ufffd\ufffd\u0010\ufffds\u0006\u0005If\ufffd\ufffd2\ufffd\ufffd\ufffd7\ufffdug\ufffd\"U\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "26a50002da9f6b990faaa100014b57c3c85ace66",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd?+\ufffdDo'\u0002\u001c\ufffd\ufffd\ufffd\u0019\ufffd@\ufffdj_\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd \ufffd\u03e0\u0011s\u02f8\ufffd\ufffd\u0010\ufffds\u0006\u0005If\ufffd\ufffd2\ufffd\ufffd\ufffd7\ufffdug\ufffd\"U\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 81,
"service": "http-alt-81",
"service_label_fr": "HTTP ALT 81"
},
"evidence_snippet": "\ufffd\ufffd\ufffd?+\ufffdDo'\ufffd\ufffd\ufffd\ufffd@\ufffdj_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd \ufffd\u03e0s\u02f8\ufffd\ufffd\ufffdsIf\ufffd\ufffd2\ufffd\ufffd\ufffd7\ufffdug\ufffd\"U\ufffd=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 81:81 \u00b7 (reconnaissance)",
"target_port_label": "81 \u00b7 HTTP ALT 81",
"emulator_service": "http-alt-81",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 81 \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-81",
"service_label_fr": "HTTP ALT 81",
"dst_port": 81,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-81",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffd?+\ufffdDo'\u0002\u001c\ufffd\ufffd\ufffd\u0019\ufffd@\ufffdj_\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd \ufffd\u03e0\u0011s\u02f8\ufffd\ufffd\u0010\ufffds\u0006\u0005If\ufffd\ufffd2\ufffd\ufffd\ufffd7\ufffdug\ufffd\"U\ufffd=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 81,
"service": "http-alt-81",
"service_label_fr": "HTTP ALT 81"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 81:81 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd?+\ufffdDo'\ufffd\ufffd\ufffd\ufffd@\ufffdj_\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd*\ufffd\ufffd \ufffd\u03e0s\u02f8\ufffd\ufffd\ufffdsIf\ufffd\ufffd2\ufffd\ufffd\ufffd7\ufffdug\ufffd\"U\ufffd=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "81 \u00b7 HTTP ALT 81",
"emulator_service": "http-alt-81",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_81",
"service_banner": "honeypot-http-alt-81",
"service_os": "linux",
"dst_port": "81"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 65.41,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8099 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8099 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8099
Chemin / cible
—
Service
TLS
Payload
��������������4a���+?Xn ��>t�83 ���+;b��Ye� PM鎘̖��Qmc��C�f6�p�����Ϫ���G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������4a���+?Xn ��>t�83
���+;b��Ye� PM鎘̖��Qmc��C�f6�p�����Ϫ���G�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������4a���+?Xn ��>t�83 ���+;b��Ye� PM鎘̖��Qmc��C�f6�p�����Ϫ���G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �������8�6�n������ ;; 5�4��[���
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.832570179751306,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8099,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d4ba6743a0e1c5720fdbb3e28f39a5f4ec63bc8f",
"event_fingerprint": "47d43c45a70f26552dc78059bc6d0904c03202f2",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "4a672d122a62633a852bfcf1510ccaf6",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8099,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4a\ufffd\ufffd\ufffd+?Xn\t\ufffd\ufffd>t\ufffd83\n\ufffd\u0003\ufffd+;b\ufffd\ufffdYe\ufffd PM\u9398\u0316\ufffd\ufffdQmc\u001f\ufffdC\ufffdf6\ufffdp\ufffd\ufffd\ufffd\ufffd\u0005\u03ea\ufffd\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4a\ufffd\ufffd\ufffd+?Xn\t\ufffd\ufffd>t\ufffd83\n\ufffd\u0003\ufffd+;b\ufffd\ufffdYe\ufffd PM\u9398\u0316\ufffd\ufffdQmc\u001f\ufffdC\ufffdf6\ufffdp\ufffd\ufffd\ufffd\ufffd\u0005\u03ea\ufffd\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u000e\ufffd\b\u00158\ufffd6\ufffdn\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\n;;\n5\ufffd4\ufffd\ufffd[\u0014\ufffd\u0004",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4a\ufffd\ufffd\ufffd+?Xn\t\ufffd\ufffd>t\ufffd83\n\ufffd\u0003\ufffd+;b\ufffd\ufffdYe\ufffd PM\u9398\u0316\ufffd\ufffdQmc\u001f\ufffdC\ufffdf6\ufffdp\ufffd\ufffd\ufffd\ufffd\u0005\u03ea\ufffd\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a87959f97f3a3604f528343ec287048c049b0f54",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4a\ufffd\ufffd\ufffd+?Xn\t\ufffd\ufffd>t\ufffd83\n\ufffd\u0003\ufffd+;b\ufffd\ufffdYe\ufffd PM\u9398\u0316\ufffd\ufffdQmc\u001f\ufffdC\ufffdf6\ufffdp\ufffd\ufffd\ufffd\ufffd\u0005\u03ea\ufffd\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8099,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd4a\ufffd\ufffd\ufffd+?Xn\t\ufffd\ufffd>t\ufffd83\n\ufffd\ufffd+;b\ufffd\ufffdYe\ufffd PM\u9398\u0316\ufffd\ufffdQmc\ufffdC\ufffdf6\ufffdp\ufffd\ufffd\ufffd\ufffd\u03ea\ufffd\ufffd\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8099 \u00b7 (reconnaissance)",
"target_port_label": "8099 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8099,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd4a\ufffd\ufffd\ufffd+?Xn\t\ufffd\ufffd>t\ufffd83\n\ufffd\u0003\ufffd+;b\ufffd\ufffdYe\ufffd PM\u9398\u0316\ufffd\ufffdQmc\u001f\ufffdC\ufffdf6\ufffdp\ufffd\ufffd\ufffd\ufffd\u0005\u03ea\ufffd\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8099,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8099 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd4a\ufffd\ufffd\ufffd+?Xn\t\ufffd\ufffd>t\ufffd83\n\ufffd\ufffd+;b\ufffd\ufffdYe\ufffd PM\u9398\u0316\ufffd\ufffdQmc\ufffdC\ufffdf6\ufffdp\ufffd\ufffd\ufffd\ufffd\u03ea\ufffd\ufffd\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8099 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8099"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 65.24,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8100 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8100 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8100
Chemin / cible
—
Service
TLS
Payload
������������=Y9�7�ܝiƉ���ƾ�d�v����n��A+ Ǚ���+���X*��*���~��%J(�č��U%.�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������=Y9�7�ܝiƉ���ƾ�d�v����n��A+ Ǚ���+���X*��*���~��%J(�č��U%.�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������=Y9�7�ܝiƉ���ƾ�d�v����n��A+ Ǚ���+���X*��*���~��%J(�č��U%.�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� Glܼő}'z4�,t�W����s��+���$�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.842533175472267,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8100,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "14654718cf388677e90ccea9d5e191cf72ded367",
"event_fingerprint": "a0c93ddd5f196b938943b7c7992063ba41ab2f41",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "d2ce5fa133b9580059c5df3ef0831a4f",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8100,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=Y9\ufffd7\ufffd\u071di\u0189\ufffd\ufffd\ufffd\u01be\bd\ufffdv\ufffd\u0013\u0000\ufffdn\u0014\ufffdA+ \u01d9\ufffd\b\ufffd+\u0011\ufffd\ufffdX*\ufffd\ufffd*\ufffd\ufffd\u001c~\ufffd\ufffd%J(\ufffd\u010d\ufffd\u0019U%.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=Y9\ufffd7\ufffd\u071di\u0189\ufffd\ufffd\ufffd\u01be\bd\ufffdv\ufffd\u0013\u0000\ufffdn\u0014\ufffdA+ \u01d9\ufffd\b\ufffd+\u0011\ufffd\ufffdX*\ufffd\ufffd*\ufffd\ufffd\u001c~\ufffd\ufffd%J(\ufffd\u010d\ufffd\u0019U%.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Gl\u073c\u0151}'z4\ufffd,t\u001dW\ufffd\ufffd\ufffd\ufffds\ufffd\ufffd+\ufffd\u0012\ufffd$\ufffd\u000b",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=Y9\ufffd7\ufffd\u071di\u0189\ufffd\ufffd\ufffd\u01be\bd\ufffdv\ufffd\u0013\u0000\ufffdn\u0014\ufffdA+ \u01d9\ufffd\b\ufffd+\u0011\ufffd\ufffdX*\ufffd\ufffd*\ufffd\ufffd\u001c~\ufffd\ufffd%J(\ufffd\u010d\ufffd\u0019U%.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "24d01a2988b7063d89ded5d40c89706c1123797e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=Y9\ufffd7\ufffd\u071di\u0189\ufffd\ufffd\ufffd\u01be\bd\ufffdv\ufffd\u0013\u0000\ufffdn\u0014\ufffdA+ \u01d9\ufffd\b\ufffd+\u0011\ufffd\ufffdX*\ufffd\ufffd*\ufffd\ufffd\u001c~\ufffd\ufffd%J(\ufffd\u010d\ufffd\u0019U%.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8100,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd=Y9\ufffd7\ufffd\u071di\u0189\ufffd\ufffd\ufffd\u01bed\ufffdv\ufffd\ufffdn\ufffdA+ \u01d9\ufffd\ufffd+\ufffd\ufffdX*\ufffd\ufffd*\ufffd\ufffd~\ufffd\ufffd%J(\ufffd\u010d\ufffdU%.&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8100 \u00b7 (reconnaissance)",
"target_port_label": "8100 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8100,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd=Y9\ufffd7\ufffd\u071di\u0189\ufffd\ufffd\ufffd\u01be\bd\ufffdv\ufffd\u0013\u0000\ufffdn\u0014\ufffdA+ \u01d9\ufffd\b\ufffd+\u0011\ufffd\ufffdX*\ufffd\ufffd*\ufffd\ufffd\u001c~\ufffd\ufffd%J(\ufffd\u010d\ufffd\u0019U%.\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8100,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8100 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd=Y9\ufffd7\ufffd\u071di\u0189\ufffd\ufffd\ufffd\u01bed\ufffdv\ufffd\ufffdn\ufffdA+ \u01d9\ufffd\ufffd+\ufffd\ufffdX*\ufffd\ufffd*\ufffd\ufffd~\ufffd\ufffd%J(\ufffd\u010d\ufffdU%.&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8100 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 65.02,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8110 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8110 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8110
Chemin / cible
—
Service
TLS
Payload
������������� -D�.e�`;'uE��l����eHZ�\*bgn�| ��҇Bc�l�C(�ed�����8���G{����#|��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������-D�.e�`;'uE��l����eHZ�\*bgn�| ��҇Bc�l�C(�ed�����8���G{����#|��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������� -D�.e�`;'uE��l����eHZ�\*bgn�| ��҇Bc�l�C(�ed�����8���G{����#|��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� )m�����Ō|����Xt��3�[�Uh�~e9���
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.914193747720185,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8110,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c219980b2366ba8656ef64fbd0cd3ef915aec050",
"event_fingerprint": "7d43b1b647a6e6d031e429addd5cead839b00dd6",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "ba80164a02582da49c669de157cc1112",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8110,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000b-D\u0006.e\ufffd`;'uE\ufffd\ufffdl\ufffd\ufffd\u001f\ufffdeHZ\ufffd\\*bgn\u0017| \u000f\b\u0487Bc\ufffdl\ufffdC(\ufffded\ufffd\ufffd\ufffd\u0006\ufffd8\ufffd\ufffd\u001dG{\ufffd\ufffd\ufffd\ufffd#|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000b-D\u0006.e\ufffd`;'uE\ufffd\ufffdl\ufffd\ufffd\u001f\ufffdeHZ\ufffd\\*bgn\u0017| \u000f\b\u0487Bc\ufffdl\ufffdC(\ufffded\ufffd\ufffd\ufffd\u0006\ufffd8\ufffd\ufffd\u001dG{\ufffd\ufffd\ufffd\ufffd#|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 )m\ufffd\ufffd\u001f\ufffd\ufffd\u014c|\ufffd\ufffd\ufffd\u0006Xt\ufffd\ufffd3\ufffd[\ufffdUh\ufffd~e9\ufffd\ufffd\u0001",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000b-D\u0006.e\ufffd`;'uE\ufffd\ufffdl\ufffd\ufffd\u001f\ufffdeHZ\ufffd\\*bgn\u0017| \u000f\b\u0487Bc\ufffdl\ufffdC(\ufffded\ufffd\ufffd\ufffd\u0006\ufffd8\ufffd\ufffd\u001dG{\ufffd\ufffd\ufffd\ufffd#|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b15734aba0c0335fa725c80c1e2d2994a5d9ab22",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000b-D\u0006.e\ufffd`;'uE\ufffd\ufffdl\ufffd\ufffd\u001f\ufffdeHZ\ufffd\\*bgn\u0017| \u000f\b\u0487Bc\ufffdl\ufffdC(\ufffded\ufffd\ufffd\ufffd\u0006\ufffd8\ufffd\ufffd\u001dG{\ufffd\ufffd\ufffd\ufffd#|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8110,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd-D.e\ufffd`;'uE\ufffd\ufffdl\ufffd\ufffd\ufffdeHZ\ufffd\\*bgn| \u0487Bc\ufffdl\ufffdC(\ufffded\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffdG{\ufffd\ufffd\ufffd\ufffd#|\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8110 \u00b7 (reconnaissance)",
"target_port_label": "8110 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8110,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u000b-D\u0006.e\ufffd`;'uE\ufffd\ufffdl\ufffd\ufffd\u001f\ufffdeHZ\ufffd\\*bgn\u0017| \u000f\b\u0487Bc\ufffdl\ufffdC(\ufffded\ufffd\ufffd\ufffd\u0006\ufffd8\ufffd\ufffd\u001dG{\ufffd\ufffd\ufffd\ufffd#|\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8110,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8110 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd-D.e\ufffd`;'uE\ufffd\ufffdl\ufffd\ufffd\ufffdeHZ\ufffd\\*bgn| \u0487Bc\ufffdl\ufffdC(\ufffded\ufffd\ufffd\ufffd\ufffd8\ufffd\ufffdG{\ufffd\ufffd\ufffd\ufffd#|\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8110 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8110"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 64.83,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8150 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8150 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8150
Chemin / cible
—
Service
TLS
Payload
�����������A����P�.��|�����Xւ����w2�]t�2 ��<���xe�5�Gc�'�u���081��+Q\�z���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������A����P�.��|�����Xւ����w2�]t�2 ��<���xe�5�Gc�'�u���081��+Q\�z���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������A����P�.��|�����Xւ����w2�]t�2 ��<���xe�5�Gc�'�u���081��+Q\�z���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �Yzzi�����>��)'fw��#���T��\��T�x
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.840374125853991,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8150,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "266ac8ce170e6004ed671c48493e9bdea98b77c6",
"event_fingerprint": "c66ade5e6330d2fb2e3e05e2f1aeade543f9dc92",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "07b90846b0e710a8b47b25e2dbcce149",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8150,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd\ufffd\u0007P\ufffd.\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdX\u0582\ufffd\u0013\ufffd\ufffdw2\ufffd]t\ufffd2 \ufffd\ufffd<\ufffd\u0004\ufffdxe\u00105\u0006Gc\ufffd'\ufffdu\ufffd\ufffd\u001e081\ufffd\ufffd+Q\\\ufffdz\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd\ufffd\u0007P\ufffd.\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdX\u0582\ufffd\u0013\ufffd\ufffdw2\ufffd]t\ufffd2 \ufffd\ufffd<\ufffd\u0004\ufffdxe\u00105\u0006Gc\ufffd'\ufffdu\ufffd\ufffd\u001e081\ufffd\ufffd+Q\\\ufffdz\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdYzzi\u0016\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd)'fw\u001f\u0012#\ufffd\u0018\u0006T\ufffd\ufffd\\\ufffd\ufffdT\ufffdx",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd\ufffd\u0007P\ufffd.\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdX\u0582\ufffd\u0013\ufffd\ufffdw2\ufffd]t\ufffd2 \ufffd\ufffd<\ufffd\u0004\ufffdxe\u00105\u0006Gc\ufffd'\ufffdu\ufffd\ufffd\u001e081\ufffd\ufffd+Q\\\ufffdz\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "21db39013b2f6ac1cea81bbd1141de1bcacaf7a4",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd\ufffd\u0007P\ufffd.\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdX\u0582\ufffd\u0013\ufffd\ufffdw2\ufffd]t\ufffd2 \ufffd\ufffd<\ufffd\u0004\ufffdxe\u00105\u0006Gc\ufffd'\ufffdu\ufffd\ufffd\u001e081\ufffd\ufffd+Q\\\ufffdz\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8150,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdA\ufffd\ufffd\ufffdP\ufffd.\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdX\u0582\ufffd\ufffd\ufffdw2\ufffd]t\ufffd2 \ufffd\ufffd<\ufffd\ufffdxe5Gc\ufffd'\ufffdu\ufffd\ufffd081\ufffd\ufffd+Q\\\ufffdz\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8150 \u00b7 (reconnaissance)",
"target_port_label": "8150 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8150,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd\ufffd\u0007P\ufffd.\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdX\u0582\ufffd\u0013\ufffd\ufffdw2\ufffd]t\ufffd2 \ufffd\ufffd<\ufffd\u0004\ufffdxe\u00105\u0006Gc\ufffd'\ufffdu\ufffd\ufffd\u001e081\ufffd\ufffd+Q\\\ufffdz\ufffd\u000e\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8150,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8150 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdA\ufffd\ufffd\ufffdP\ufffd.\ufffd\ufffd|\ufffd\ufffd\ufffd\ufffd\ufffdX\u0582\ufffd\ufffd\ufffdw2\ufffd]t\ufffd2 \ufffd\ufffd<\ufffd\ufffdxe5Gc\ufffd'\ufffdu\ufffd\ufffd081\ufffd\ufffd+Q\\\ufffdz\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8150 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8150"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 64.59,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8120 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8120 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8120
Chemin / cible
—
Service
TLS
Payload
������������ 4��W�*�wA�����pQɰb2U�*\�� N:� [��B�м�Ë�<ʆ�a�5�Z���8'���(S��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������4��W�*�wA�����pQɰb2U�*\�� N:� [��B�м�Ë�<ʆ�a�5�Z���8'���(S��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������ 4��W�*�wA�����pQɰb2U�*\�� N:� [��B�м�Ë�<ʆ�a�5�Z���8'���(S��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� %����b �[���h�K6 ��5P���P�$5��r.
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.867626479753472,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8120,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "f2fe03fdaa955fa901e6f25ff840ed3202a8a7a9",
"event_fingerprint": "7349e968ddc22addef8789a1fce803fe66eb14f8",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "6aa36e3050c746c7f3a92eab7941a726",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8120,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b4\u0013\ufffdW\ufffd*\ufffdwA\u0010\ufffd\ufffd\ufffd\ufffdpQ\u0270b2U\ufffd*\\\ufffd\ufffd\tN:\ufffd [\ufffd\ufffdB\ufffd\u043c\u0011\u00cb\ufffd<\u0286\ufffda\ufffd5\ufffdZ\ufffd\ufffd\ufffd8'\ufffd\ufffd\u0002(S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b4\u0013\ufffdW\ufffd*\ufffdwA\u0010\ufffd\ufffd\ufffd\ufffdpQ\u0270b2U\ufffd*\\\ufffd\ufffd\tN:\ufffd [\ufffd\ufffdB\ufffd\u043c\u0011\u00cb\ufffd<\u0286\ufffda\ufffd5\ufffdZ\ufffd\ufffd\ufffd8'\ufffd\ufffd\u0002(S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 %\ufffd\u0010\ufffd\u0004b\n\u0004[\ufffd\ufffd\ufffdh\ufffdK6 \ufffd\ufffd5P\u0018\ufffd\u001aP\ufffd$5\ufffd\ufffdr.",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b4\u0013\ufffdW\ufffd*\ufffdwA\u0010\ufffd\ufffd\ufffd\ufffdpQ\u0270b2U\ufffd*\\\ufffd\ufffd\tN:\ufffd [\ufffd\ufffdB\ufffd\u043c\u0011\u00cb\ufffd<\u0286\ufffda\ufffd5\ufffdZ\ufffd\ufffd\ufffd8'\ufffd\ufffd\u0002(S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "b5750ec87f7c991dbae39e076cc9304559f4fd53",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b4\u0013\ufffdW\ufffd*\ufffdwA\u0010\ufffd\ufffd\ufffd\ufffdpQ\u0270b2U\ufffd*\\\ufffd\ufffd\tN:\ufffd [\ufffd\ufffdB\ufffd\u043c\u0011\u00cb\ufffd<\u0286\ufffda\ufffd5\ufffdZ\ufffd\ufffd\ufffd8'\ufffd\ufffd\u0002(S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8120,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd4\ufffdW\ufffd*\ufffdwA\ufffd\ufffd\ufffd\ufffdpQ\u0270b2U\ufffd*\\\ufffd\ufffd\tN:\ufffd [\ufffd\ufffdB\ufffd\u043c\u00cb\ufffd<\u0286\ufffda\ufffd5\ufffdZ\ufffd\ufffd\ufffd8'\ufffd\ufffd(S\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8120 \u00b7 (reconnaissance)",
"target_port_label": "8120 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8120,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u000b4\u0013\ufffdW\ufffd*\ufffdwA\u0010\ufffd\ufffd\ufffd\ufffdpQ\u0270b2U\ufffd*\\\ufffd\ufffd\tN:\ufffd [\ufffd\ufffdB\ufffd\u043c\u0011\u00cb\ufffd<\u0286\ufffda\ufffd5\ufffdZ\ufffd\ufffd\ufffd8'\ufffd\ufffd\u0002(S\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8120,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8120 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd4\ufffdW\ufffd*\ufffdwA\ufffd\ufffd\ufffd\ufffdpQ\u0270b2U\ufffd*\\\ufffd\ufffd\tN:\ufffd [\ufffd\ufffdB\ufffd\u043c\u00cb\ufffd<\u0286\ufffda\ufffd5\ufffdZ\ufffd\ufffd\ufffd8'\ufffd\ufffd(S\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8120 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8120"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 64.41,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8160 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8160 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8160
Chemin / cible
—
Service
TLS
Payload
����������� �r(CPț������pK���E>��W��l�� �vb�{�>��3�o���$Z��9���?Yo���f���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������r(CPț������pK���E>��W��l�� �vb�{�>��3�o���$Z��9���?Yo���f���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������� �r(CPț������pK���E>��W��l�� �vb�{�>��3�o���$Z��9���?Yo���f���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �.��` $F��X�,Ԇ3�-<h� fX`�؟`t:
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.868172612342661,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8160,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "787358794ecf2a8683f849b6effbf60b7fe0a89f",
"event_fingerprint": "03ef00102333988dfc4f23799f13a599fee7825a",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "6eed04b1dd07893b912a4f43a65caabb",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8160,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\u0017r(CP\u021b\u0015\ufffd\ufffd\ufffd\u0012\ufffdpK\ufffd\ufffd\ufffdE>\ufffd\ufffdW\u000f\ufffdl\ufffd\ufffd \u0003vb\u001c{\ufffd>\ufffd\ufffd3\ufffdo\ufffd\u0013\ufffd$Z\u0015\ufffd9\ufffd\u0018\ufffd?Yo\ufffd\ufffd\ufffdf\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\u0017r(CP\u021b\u0015\ufffd\ufffd\ufffd\u0012\ufffdpK\ufffd\ufffd\ufffdE>\ufffd\ufffdW\u000f\ufffdl\ufffd\ufffd \u0003vb\u001c{\ufffd>\ufffd\ufffd3\ufffdo\ufffd\u0013\ufffd$Z\u0015\ufffd9\ufffd\u0018\ufffd?Yo\ufffd\ufffd\ufffdf\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd.\ufffd\ufffd`\r$F\ufffd\ufffdX\u0013,\u05063\ufffd-<h\ufffd\u000bfX`\ufffd\u061f`t:",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\u0017r(CP\u021b\u0015\ufffd\ufffd\ufffd\u0012\ufffdpK\ufffd\ufffd\ufffdE>\ufffd\ufffdW\u000f\ufffdl\ufffd\ufffd \u0003vb\u001c{\ufffd>\ufffd\ufffd3\ufffdo\ufffd\u0013\ufffd$Z\u0015\ufffd9\ufffd\u0018\ufffd?Yo\ufffd\ufffd\ufffdf\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8fddb0f44c21283b46c6c0526993221f0ff34018",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\u0017r(CP\u021b\u0015\ufffd\ufffd\ufffd\u0012\ufffdpK\ufffd\ufffd\ufffdE>\ufffd\ufffdW\u000f\ufffdl\ufffd\ufffd \u0003vb\u001c{\ufffd>\ufffd\ufffd3\ufffdo\ufffd\u0013\ufffd$Z\u0015\ufffd9\ufffd\u0018\ufffd?Yo\ufffd\ufffd\ufffdf\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8160,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdr(CP\u021b\ufffd\ufffd\ufffd\ufffdpK\ufffd\ufffd\ufffdE>\ufffd\ufffdW\ufffdl\ufffd\ufffd vb{\ufffd>\ufffd\ufffd3\ufffdo\ufffd\ufffd$Z\ufffd9\ufffd\ufffd?Yo\ufffd\ufffd\ufffdf\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8160 \u00b7 (reconnaissance)",
"target_port_label": "8160 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8160,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\f\u0017r(CP\u021b\u0015\ufffd\ufffd\ufffd\u0012\ufffdpK\ufffd\ufffd\ufffdE>\ufffd\ufffdW\u000f\ufffdl\ufffd\ufffd \u0003vb\u001c{\ufffd>\ufffd\ufffd3\ufffdo\ufffd\u0013\ufffd$Z\u0015\ufffd9\ufffd\u0018\ufffd?Yo\ufffd\ufffd\ufffdf\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8160,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8160 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdr(CP\u021b\ufffd\ufffd\ufffd\ufffdpK\ufffd\ufffd\ufffdE>\ufffd\ufffdW\ufffdl\ufffd\ufffd vb{\ufffd>\ufffd\ufffd3\ufffdo\ufffd\ufffd$Z\ufffd9\ufffd\ufffd?Yo\ufffd\ufffd\ufffdf\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8160 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8160"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 64.24,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8161 · ACTIVEMQ CONSOLE
|
activemq-console
|
Scan de ports
port scan syn · via ACTIVEMQ CONSOLE:8161 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
ACTIVEMQ-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
activemq_emulated
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8161
Chemin / cible
—
Service
ACTIVEMQ CONSOLE
Payload
�������������Ą]� �Ip�X�Bs�0`�(��m6y����b2� m�D����1�����d-�m�� ��N3�'����B��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������Ą]�
�Ip�X�Bs�0`�(��m6y����b2� m�D����1�����d-�m�����N3�'����B��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������Ą]� �Ip�X�Bs�0`�(��m6y����b2� m�D����1�����d-�m�� ��N3�'����B��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� KP��Uh��a���u\���`��h�h��f�D �xV
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204a657474792f392e34204163746976654d512f352e31380d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2034390d0a0d0a3c68746d6c3e3c626f64793e417061636865204163746976654d5120436f6e",
"emulator_response_len": 146,
"bytes_in": 239,
"payload_entropy": 5.894741148697888,
"port_category": "registered",
"org": "Google LLC",
"service": "activemq-console",
"app_proto": "activemq-console",
"asn": 396982,
"country": "US",
"dst_port": 8161,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e2070523b3a62e207cca23e33d49725db01d8df2",
"event_fingerprint": "f6e7c06ec1ad589c2af27624ce948d9655864024",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "activemq-console",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "64c1666083258ff9c659be267944c72a",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8161,
"service": "activemq-console",
"service_name": "activemq-console",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0104]\ufffd\r\ufffdIp\ufffdX\ufffdBs\ufffd0`\ufffd(\ufffd\ufffdm6y\ufffd\ufffd\ufffd\ufffdb2\ufffd m\ufffdD\ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\ufffd\u0007\ufffdd-\ufffdm\ufffd\ufffd\f\u0004\ufffdN3\ufffd'\ufffd\ufffd\ufffd\ufffdB\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0104]\ufffd\r\ufffdIp\ufffdX\ufffdBs\ufffd0`\ufffd(\ufffd\ufffdm6y\ufffd\ufffd\ufffd\ufffdb2\ufffd m\ufffdD\ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\ufffd\u0007\ufffdd-\ufffdm\ufffd\ufffd\f\u0004\ufffdN3\ufffd'\ufffd\ufffd\ufffd\ufffdB\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 KP\ufffd\ufffdUh\u0017\ufffda\u000e\ufffd\u0004u\\\ufffd\ufffd\u0004`\ufffd\ufffdh\ufffdh\u001b\ufffdf\u0019D\u000b\ufffdxV",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0104]\ufffd\r\ufffdIp\ufffdX\ufffdBs\ufffd0`\ufffd(\ufffd\ufffdm6y\ufffd\ufffd\ufffd\ufffdb2\ufffd m\ufffdD\ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\ufffd\u0007\ufffdd-\ufffdm\ufffd\ufffd\f\u0004\ufffdN3\ufffd'\ufffd\ufffd\ufffd\ufffdB\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "87cc55ec34a573bf52499ccc0bfea91be1b5975b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0104]\ufffd\r\ufffdIp\ufffdX\ufffdBs\ufffd0`\ufffd(\ufffd\ufffdm6y\ufffd\ufffd\ufffd\ufffdb2\ufffd m\ufffdD\ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\ufffd\u0007\ufffdd-\ufffdm\ufffd\ufffd\f\u0004\ufffdN3\ufffd'\ufffd\ufffd\ufffd\ufffdB\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8161,
"service": "activemq-console",
"service_label_fr": "ACTIVEMQ CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u0104]\ufffd\r\ufffdIp\ufffdX\ufffdBs\ufffd0`\ufffd(\ufffd\ufffdm6y\ufffd\ufffd\ufffd\ufffdb2\ufffd m\ufffdD\ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffdd-\ufffdm\ufffd\ufffd\ufffdN3\ufffd'\ufffd\ufffd\ufffd\ufffdB\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via ACTIVEMQ CONSOLE:8161 \u00b7 (reconnaissance)",
"target_port_label": "8161 \u00b7 ACTIVEMQ CONSOLE",
"emulator_service": "activemq-console",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via ACTIVEMQ CONSOLE \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "activemq-console",
"service_label_fr": "ACTIVEMQ CONSOLE",
"dst_port": 8161,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-activemq-console",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0104]\ufffd\r\ufffdIp\ufffdX\ufffdBs\ufffd0`\ufffd(\ufffd\ufffdm6y\ufffd\ufffd\ufffd\ufffdb2\ufffd m\ufffdD\ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\ufffd\u0007\ufffdd-\ufffdm\ufffd\ufffd\f\u0004\ufffdN3\ufffd'\ufffd\ufffd\ufffd\ufffdB\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8161,
"service": "activemq-console",
"service_label_fr": "ACTIVEMQ CONSOLE"
},
"attack_vector": "port scan syn \u00b7 via ACTIVEMQ CONSOLE:8161 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\u0104]\ufffd\r\ufffdIp\ufffdX\ufffdBs\ufffd0`\ufffd(\ufffd\ufffdm6y\ufffd\ufffd\ufffd\ufffdb2\ufffd m\ufffdD\ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffdd-\ufffdm\ufffd\ufffd\ufffdN3\ufffd'\ufffd\ufffd\ufffd\ufffdB\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8161 \u00b7 ACTIVEMQ CONSOLE",
"emulator_service": "activemq-console",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "activemq_console",
"service_banner": "honeypot-activemq-console",
"service_os": "linux",
"dst_port": "8161"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 64.06,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"activemq_emulated",
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8170 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8170 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8170
Chemin / cible
—
Service
TLS
Payload
�������������J�yB4���^=U�sͯ���l��d�F��wt� |c\�k�O���"�.���-���c ?�~�_{�:��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������J�yB4���^=U�sͯ���l��d�F��wt� |c\�k�O���"�.���-���c�?�~�_{�:��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������J�yB4���^=U�sͯ���l��d�F��wt� |c\�k�O���"�.���-���c ?�~�_{�:��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� |8N@�P?tR�������o�א�gf�.��D�]
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.896839093287568,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8170,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "30f80d48f911c8f14c08ffa9e13de6ddfafd0e6c",
"event_fingerprint": "05e619a35c5f8c662874dd66979043989b80bc82",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "c82acea104fe5ddd216c2cdeded9dd2e",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8170,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdJ\u000eyB4\ufffd\ufffd\u0017^=U\ufffds\u036f\ufffd\ufffd\u001el\ufffd\u0018d\ufffdF\ufffd\ufffdwt\ufffd |c\\\ufffdk\ufffdO\ufffd\ufffd\ufffd\"\ufffd.\ufffd\ufffd\ufffd-\u0013\ufffd\ufffdc\u000b?\ufffd~\ufffd_{\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdJ\u000eyB4\ufffd\ufffd\u0017^=U\ufffds\u036f\ufffd\ufffd\u001el\ufffd\u0018d\ufffdF\ufffd\ufffdwt\ufffd |c\\\ufffdk\ufffdO\ufffd\ufffd\ufffd\"\ufffd.\ufffd\ufffd\ufffd-\u0013\ufffd\ufffdc\u000b?\ufffd~\ufffd_{\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 |8N@\ufffdP?tR\ufffd\u001e\ufffd\u0019\u0018\ufffd\ufffdo\ufffd\u05d0\ufffdgf\ufffd.\ufffd\ufffdD\ufffd]",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdJ\u000eyB4\ufffd\ufffd\u0017^=U\ufffds\u036f\ufffd\ufffd\u001el\ufffd\u0018d\ufffdF\ufffd\ufffdwt\ufffd |c\\\ufffdk\ufffdO\ufffd\ufffd\ufffd\"\ufffd.\ufffd\ufffd\ufffd-\u0013\ufffd\ufffdc\u000b?\ufffd~\ufffd_{\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0e1ad44a21423b5d8fe002eb75ded3bdc219e191",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdJ\u000eyB4\ufffd\ufffd\u0017^=U\ufffds\u036f\ufffd\ufffd\u001el\ufffd\u0018d\ufffdF\ufffd\ufffdwt\ufffd |c\\\ufffdk\ufffdO\ufffd\ufffd\ufffd\"\ufffd.\ufffd\ufffd\ufffd-\u0013\ufffd\ufffdc\u000b?\ufffd~\ufffd_{\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8170,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdJyB4\ufffd\ufffd^=U\ufffds\u036f\ufffd\ufffdl\ufffdd\ufffdF\ufffd\ufffdwt\ufffd |c\\\ufffdk\ufffdO\ufffd\ufffd\ufffd\"\ufffd.\ufffd\ufffd\ufffd-\ufffd\ufffdc?\ufffd~\ufffd_{\ufffd:\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8170 \u00b7 (reconnaissance)",
"target_port_label": "8170 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8170,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdJ\u000eyB4\ufffd\ufffd\u0017^=U\ufffds\u036f\ufffd\ufffd\u001el\ufffd\u0018d\ufffdF\ufffd\ufffdwt\ufffd |c\\\ufffdk\ufffdO\ufffd\ufffd\ufffd\"\ufffd.\ufffd\ufffd\ufffd-\u0013\ufffd\ufffdc\u000b?\ufffd~\ufffd_{\ufffd:\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8170,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8170 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdJyB4\ufffd\ufffd^=U\ufffds\u036f\ufffd\ufffdl\ufffdd\ufffdF\ufffd\ufffdwt\ufffd |c\\\ufffdk\ufffdO\ufffd\ufffd\ufffd\"\ufffd.\ufffd\ufffd\ufffd-\ufffd\ufffdc?\ufffd~\ufffd_{\ufffd:\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8170 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8170"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 63.89,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8190 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8190 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
��������������3o�#x�Q���pRv�Fv�� ����щ�}� s����N����t�y�����������7�&!�uM��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������3o�#x�Q���pRv�Fv�������щ�}� s����N����t�y�����������7�&!�uM��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������3o�#x�Q���pRv�Fv�� ����щ�}� s����N����t�y�����������7�&!�uM��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� l=�Yg�`�Y��1�4E�����|{�=��.��2��
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.859568044277106,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "596799af50097443210230f7cce9b445dc5e62d5",
"event_fingerprint": "d85bd7111e4ce1724622e46c53355c96e62ee321",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "7f2ad418d299dcec63af6f279d16e6ed",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00123o\ufffd#x\u0006Q\ufffd\ufffd\ufffdpRv\ufffdFv\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffd\u0449\ufffd}\ufffd s\ufffd\u0016\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffdt\ufffdy\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u001a\u0006\ufffd7\ufffd&!\ufffduM\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00123o\ufffd#x\u0006Q\ufffd\ufffd\ufffdpRv\ufffdFv\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffd\u0449\ufffd}\ufffd s\ufffd\u0016\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffdt\ufffdy\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u001a\u0006\ufffd7\ufffd&!\ufffduM\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 l=\ufffdYg\ufffd`\bY\ufffd\ufffd1\ufffd4E\ufffd\ufffd\b\ufffd\ufffd|{\ufffd=\ufffd\ufffd.\u0012\ufffd2\ufffd\u001e",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00123o\ufffd#x\u0006Q\ufffd\ufffd\ufffdpRv\ufffdFv\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffd\u0449\ufffd}\ufffd s\ufffd\u0016\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffdt\ufffdy\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u001a\u0006\ufffd7\ufffd&!\ufffduM\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8ee21df166052a9298d880e3cb54fbe9a095d43e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00123o\ufffd#x\u0006Q\ufffd\ufffd\ufffdpRv\ufffdFv\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffd\u0449\ufffd}\ufffd s\ufffd\u0016\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffdt\ufffdy\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u001a\u0006\ufffd7\ufffd&!\ufffduM\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd3o\ufffd#xQ\ufffd\ufffd\ufffdpRv\ufffdFv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0449\ufffd}\ufffd s\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffdt\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd&!\ufffduM&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8190 \u00b7 (reconnaissance)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u00123o\ufffd#x\u0006Q\ufffd\ufffd\ufffdpRv\ufffdFv\ufffd\ufffd\u000b\ufffd\ufffd\ufffd\ufffd\u0449\ufffd}\ufffd s\ufffd\u0016\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffdt\ufffdy\ufffd\ufffd\ufffd\u000f\ufffd\ufffd\ufffd\ufffd\u001a\u0006\ufffd7\ufffd&!\ufffduM\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8190 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd3o\ufffd#xQ\ufffd\ufffd\ufffdpRv\ufffdFv\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0449\ufffd}\ufffd s\ufffd\ufffd\ufffdN\ufffd\ufffd\ufffd\ufffdt\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd&!\ufffduM&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 63.72,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
82 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:82 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
82
Chemin / cible
—
Service
TLS
Payload
�����������k nl2��VSuk+���h��[� @i�)%��;�� ����� �z��Ԩ�hm�P�����2�Е�c�=l��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������k�nl2��VSuk+���h��[� @i�)%��;�� �����
�z��Ԩ�hm�P�����2�Е�c�=l��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������k nl2��VSuk+���h��[� @i�)%��;�� ����� �z��Ԩ�hm�P�����2�Е�c�=l��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �X1�Ȓ���,�:�a�����"��"��8�j�R�]
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.9310159178182005,
"port_category": "well_known",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 82,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "22064a2c9cca1a74634d58dd89b8e91a7eae64c3",
"event_fingerprint": "01d98cb16ed923b5ca230dc4a1a9e3abb7f4b536",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "5c979f478596381a1b9145d2f52136bc",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 82,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003k\u000bnl2\u0003\ufffdVSuk+\ufffd\ufffd\ufffdh\ufffd\ufffd[\ufffd\t@i\ufffd)%\ufffd\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffdz\ufffd\ufffd\u0528\ufffdhm\ufffdP\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd\u0415\ufffdc\ufffd=l\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003k\u000bnl2\u0003\ufffdVSuk+\ufffd\ufffd\ufffdh\ufffd\ufffd[\ufffd\t@i\ufffd)%\ufffd\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffdz\ufffd\ufffd\u0528\ufffdhm\ufffdP\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd\u0415\ufffdc\ufffd=l\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdX1\ufffd\u0212\ufffd\ufffd\ufffd,\ufffd:\u0017a\ufffd\ufffd\ufffd\ufffd\ufffd\"\ufffd\ufffd\"\ufffd\ufffd8\ufffdj\ufffdR\ufffd]",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003k\u000bnl2\u0003\ufffdVSuk+\ufffd\ufffd\ufffdh\ufffd\ufffd[\ufffd\t@i\ufffd)%\ufffd\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffdz\ufffd\ufffd\u0528\ufffdhm\ufffdP\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd\u0415\ufffdc\ufffd=l\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d59a0580c1542d256d10e9a46138013a8301d72e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003k\u000bnl2\u0003\ufffdVSuk+\ufffd\ufffd\ufffdh\ufffd\ufffd[\ufffd\t@i\ufffd)%\ufffd\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffdz\ufffd\ufffd\u0528\ufffdhm\ufffdP\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd\u0415\ufffdc\ufffd=l\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 82,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdknl2\ufffdVSuk+\ufffd\ufffd\ufffdh\ufffd\ufffd[\ufffd\t@i\ufffd)%\ufffd\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffdz\ufffd\ufffd\u0528\ufffdhm\ufffdP\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd\u0415\ufffdc\ufffd=l&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:82 \u00b7 (reconnaissance)",
"target_port_label": "82 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 82,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003k\u000bnl2\u0003\ufffdVSuk+\ufffd\ufffd\ufffdh\ufffd\ufffd[\ufffd\t@i\ufffd)%\ufffd\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffdz\ufffd\ufffd\u0528\ufffdhm\ufffdP\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd\u0415\ufffdc\ufffd=l\u000f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 82,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:82 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdknl2\ufffdVSuk+\ufffd\ufffd\ufffdh\ufffd\ufffd[\ufffd\t@i\ufffd)%\ufffd\ufffd;\ufffd\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\r\ufffdz\ufffd\ufffd\u0528\ufffdhm\ufffdP\ufffd\ufffd\ufffd\ufffd\ufffd2\ufffd\u0415\ufffdc\ufffd=l&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "82 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "82"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 63.54,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8230 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8230 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8230
Chemin / cible
—
Service
TLS
Payload
��������������P����*�ϥ��������<�؞���u�� �DQ����I�0���Kl����,��X���t��!l �&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������P����*�ϥ��������<�؞���u�� �DQ����I�0���Kl����,��X���t��!l
�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������P����*�ϥ��������<�؞���u�� �DQ����I�0���Kl����,��X���t��!l �&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� A������^�e�(�z�8���.�B��j�(��c�Y
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.946830856756922,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8230,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "69fbc962cc5bfabeefe7be3bc7faafffba0c72fc",
"event_fingerprint": "8732af8a92b581cdef98ea6f0b1f2498fedfb750",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "a8f48647ae823467cf7028c403da286d",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8230,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdP\ufffd\ufffd\ufffd\u0011*\ufffd\u03e5\ufffd\u001c\ufffd\ufffd\ufffd\u0013\ufffd\u0010<\ufffd\u061e\ufffd\u0010\ufffdu\u000e\ufffd \ufffdDQ\ufffd\ufffd\u0017\ufffdI\ufffd0\ufffd\ufffd\ufffdKl\ufffd\ufffd\ufffd\ufffd,\ufffd\u001eX\ufffd\ufffd\ufffdt\ufffd\ufffd!l\r\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdP\ufffd\ufffd\ufffd\u0011*\ufffd\u03e5\ufffd\u001c\ufffd\ufffd\ufffd\u0013\ufffd\u0010<\ufffd\u061e\ufffd\u0010\ufffdu\u000e\ufffd \ufffdDQ\ufffd\ufffd\u0017\ufffdI\ufffd0\ufffd\ufffd\ufffdKl\ufffd\ufffd\ufffd\ufffd,\ufffd\u001eX\ufffd\ufffd\ufffdt\ufffd\ufffd!l\r\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 A\ufffd\ufffd\u0001\u001b\ufffd\ufffd^\ufffde\u0016(\ufffdz\ufffd8\u000f\ufffd\ufffd.\ufffdB\ufffd\ufffdj\ufffd(\u0007\ufffdc\ufffdY",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdP\ufffd\ufffd\ufffd\u0011*\ufffd\u03e5\ufffd\u001c\ufffd\ufffd\ufffd\u0013\ufffd\u0010<\ufffd\u061e\ufffd\u0010\ufffdu\u000e\ufffd \ufffdDQ\ufffd\ufffd\u0017\ufffdI\ufffd0\ufffd\ufffd\ufffdKl\ufffd\ufffd\ufffd\ufffd,\ufffd\u001eX\ufffd\ufffd\ufffdt\ufffd\ufffd!l\r\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "be1b9997b8152350dbb7883501414b63dd367440",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdP\ufffd\ufffd\ufffd\u0011*\ufffd\u03e5\ufffd\u001c\ufffd\ufffd\ufffd\u0013\ufffd\u0010<\ufffd\u061e\ufffd\u0010\ufffdu\u000e\ufffd \ufffdDQ\ufffd\ufffd\u0017\ufffdI\ufffd0\ufffd\ufffd\ufffdKl\ufffd\ufffd\ufffd\ufffd,\ufffd\u001eX\ufffd\ufffd\ufffdt\ufffd\ufffd!l\r\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8230,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd\ufffd*\ufffd\u03e5\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\u061e\ufffd\ufffdu\ufffd \ufffdDQ\ufffd\ufffd\ufffdI\ufffd0\ufffd\ufffd\ufffdKl\ufffd\ufffd\ufffd\ufffd,\ufffdX\ufffd\ufffd\ufffdt\ufffd\ufffd!l\r&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8230 \u00b7 (reconnaissance)",
"target_port_label": "8230 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8230,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdP\ufffd\ufffd\ufffd\u0011*\ufffd\u03e5\ufffd\u001c\ufffd\ufffd\ufffd\u0013\ufffd\u0010<\ufffd\u061e\ufffd\u0010\ufffdu\u000e\ufffd \ufffdDQ\ufffd\ufffd\u0017\ufffdI\ufffd0\ufffd\ufffd\ufffdKl\ufffd\ufffd\ufffd\ufffd,\ufffd\u001eX\ufffd\ufffd\ufffdt\ufffd\ufffd!l\r\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8230,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8230 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd\ufffd*\ufffd\u03e5\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\u061e\ufffd\ufffdu\ufffd \ufffdDQ\ufffd\ufffd\ufffdI\ufffd0\ufffd\ufffd\ufffdKl\ufffd\ufffd\ufffd\ufffd,\ufffdX\ufffd\ufffd\ufffdt\ufffd\ufffd!l\r&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8230 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8230"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 63.31,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8220 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8220 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8220
Chemin / cible
—
Service
TLS
Payload
������������ħ�� ��X i1�@���R1� �s���>�3[] <X�?�g ���o�Q]�ލ9o=��+IsX�E��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������ħ�����X�i1�@���R1�
�s���>�3[] <X�?�g����o�Q]�ލ9o=��+IsX�E��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������ħ�� ��X i1�@���R1� �s���>�3[] <X�?�g ���o�Q]�ލ9o=��+IsX�E��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���Y]��W�����m��`�'5~�bH�)���
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.819510942351604,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8220,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d955cc5a5fbcba0b9d76c88bd3e408f9c2d0cf3b",
"event_fingerprint": "4c755ff9c830beef2666a87ceed2a0ae8c57cd03",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "6577914b73d9d64e382cebe235bfad16",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8220,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0127\ufffd\ufffd\f\u0013\ufffdX\fi1\u0006@\u0010\ufffd\ufffdR1\ufffd\n\ufffds\ufffd\ufffd\ufffd>\u001b3[] <X\ufffd?\ufffdg\f\ufffd\u001e\ufffdo\uea65\ufffdQ]\u0007\u078d9o=\u0013\u0014+IsX\ufffdE\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0127\ufffd\ufffd\f\u0013\ufffdX\fi1\u0006@\u0010\ufffd\ufffdR1\ufffd\n\ufffds\ufffd\ufffd\ufffd>\u001b3[] <X\ufffd?\ufffdg\f\ufffd\u001e\ufffdo\uea65\ufffdQ]\u0007\u078d9o=\u0013\u0014+IsX\ufffdE\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001a\u07b8\ufffd\ufffdY]\ufffd\ufffdW\ufffd\ufffd\u001d\ufffd\ufffdm\ufffd\ufffd`\ufffd'5~\ufffdbH\ufffd)\ufffd\ufffd\u0001\n",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0127\ufffd\ufffd\f\u0013\ufffdX\fi1\u0006@\u0010\ufffd\ufffdR1\ufffd\n\ufffds\ufffd\ufffd\ufffd>\u001b3[] <X\ufffd?\ufffdg\f\ufffd\u001e\ufffdo\uea65\ufffdQ]\u0007\u078d9o=\u0013\u0014+IsX\ufffdE\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "917594e08249fa6d95d4f9a54ed751e9777c10a7",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0127\ufffd\ufffd\f\u0013\ufffdX\fi1\u0006@\u0010\ufffd\ufffdR1\ufffd\n\ufffds\ufffd\ufffd\ufffd>\u001b3[] <X\ufffd?\ufffdg\f\ufffd\u001e\ufffdo\uea65\ufffdQ]\u0007\u078d9o=\u0013\u0014+IsX\ufffdE\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8220,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u0127\ufffd\ufffd\ufffdXi1@\ufffd\ufffdR1\ufffd\n\ufffds\ufffd\ufffd\ufffd>3[] <X\ufffd?\ufffdg\ufffd\ufffdo\uea65\ufffdQ]\u078d9o=+IsX\ufffdE\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8220 \u00b7 (reconnaissance)",
"target_port_label": "8220 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8220,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0127\ufffd\ufffd\f\u0013\ufffdX\fi1\u0006@\u0010\ufffd\ufffdR1\ufffd\n\ufffds\ufffd\ufffd\ufffd>\u001b3[] <X\ufffd?\ufffdg\f\ufffd\u001e\ufffdo\uea65\ufffdQ]\u0007\u078d9o=\u0013\u0014+IsX\ufffdE\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8220,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8220 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u0127\ufffd\ufffd\ufffdXi1@\ufffd\ufffdR1\ufffd\n\ufffds\ufffd\ufffd\ufffd>3[] <X\ufffd?\ufffdg\ufffd\ufffdo\uea65\ufffdQ]\u078d9o=+IsX\ufffdE\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8220 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8220"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 63.05,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8240 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8240 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8240
Chemin / cible
—
Service
TLS
Payload
�����������iﱃT��8���+��b��]?�x�'�A<�� {�F �:ےtW����IfW�*�7����4}�����(r���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������iﱃT��8���+��b��]?�x�'�A<��
{�F �:ےtW����IfW�*�7����4}�����(r���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������iﱃT��8���+��b��]?�x�'�A<�� {�F �:ےtW����IfW�*�7����4}�����(r���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� 5�cJ�����Q�}Ds�{�4>ݽR�����s[/�=
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.923959350656622,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8240,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "f05d31570325cd8a2460af6845443b31eef65d16",
"event_fingerprint": "a3357ea4c75e0bb6a89d0d70ca01bbee91ca8202",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "e847660604f8c5b980971231e03f77e0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8240,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufc43T\ufffd\u00068\ufffd\ufffd\u0000+\ufffd\ufffdb\ufffd\ufffd]?\ufffdx\u001c'\u0011A<\ufffd\ufffd\r{\ufffdF \ufffd:\u06d2tW\ufffd\ufffd\ufffd\ufffdIfW\ufffd*\ufffd7\ufffd\u000e\ufffd\u001e4}\ufffd\ufffd\u0011\ufffd\b(r\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufc43T\ufffd\u00068\ufffd\ufffd\u0000+\ufffd\ufffdb\ufffd\ufffd]?\ufffdx\u001c'\u0011A<\ufffd\ufffd\r{\ufffdF \ufffd:\u06d2tW\ufffd\ufffd\ufffd\ufffdIfW\ufffd*\ufffd7\ufffd\u000e\ufffd\u001e4}\ufffd\ufffd\u0011\ufffd\b(r\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 5\ufffdcJ\ufffd\ufffd\ufffd\ufffd\u0016Q\u001f}Ds\ufffd{\ufffd4>\u077dR\ufffd\ufffd\ufffd\u0011\ufffds[\/\u0004=",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufc43T\ufffd\u00068\ufffd\ufffd\u0000+\ufffd\ufffdb\ufffd\ufffd]?\ufffdx\u001c'\u0011A<\ufffd\ufffd\r{\ufffdF \ufffd:\u06d2tW\ufffd\ufffd\ufffd\ufffdIfW\ufffd*\ufffd7\ufffd\u000e\ufffd\u001e4}\ufffd\ufffd\u0011\ufffd\b(r\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6da78828f552761813941c98adc5f8aae9c1b3c1",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufc43T\ufffd\u00068\ufffd\ufffd\u0000+\ufffd\ufffdb\ufffd\ufffd]?\ufffdx\u001c'\u0011A<\ufffd\ufffd\r{\ufffdF \ufffd:\u06d2tW\ufffd\ufffd\ufffd\ufffdIfW\ufffd*\ufffd7\ufffd\u000e\ufffd\u001e4}\ufffd\ufffd\u0011\ufffd\b(r\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8240,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdi\ufc43T\ufffd8\ufffd\ufffd+\ufffd\ufffdb\ufffd\ufffd]?\ufffdx'A<\ufffd\ufffd\r{\ufffdF \ufffd:\u06d2tW\ufffd\ufffd\ufffd\ufffdIfW\ufffd*\ufffd7\ufffd\ufffd4}\ufffd\ufffd\ufffd(r\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8240 \u00b7 (reconnaissance)",
"target_port_label": "8240 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8240,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003i\ufc43T\ufffd\u00068\ufffd\ufffd\u0000+\ufffd\ufffdb\ufffd\ufffd]?\ufffdx\u001c'\u0011A<\ufffd\ufffd\r{\ufffdF \ufffd:\u06d2tW\ufffd\ufffd\ufffd\ufffdIfW\ufffd*\ufffd7\ufffd\u000e\ufffd\u001e4}\ufffd\ufffd\u0011\ufffd\b(r\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8240,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8240 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdi\ufc43T\ufffd8\ufffd\ufffd+\ufffd\ufffdb\ufffd\ufffd]?\ufffdx'A<\ufffd\ufffd\r{\ufffdF \ufffd:\u06d2tW\ufffd\ufffd\ufffd\ufffdIfW\ufffd*\ufffd7\ufffd\ufffd4}\ufffd\ufffd\ufffd(r\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8240 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8240"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 62.9,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8250 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8250 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8250
Chemin / cible
—
Service
TLS
Payload
������������ߋ��YR�b�1}/쾥�X��"�� �m'7��� O�L]]p�L�9_s��s%E����5�����M��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������ߋ��YR�b�1}/쾥�X��"��
�m'7��� O�L]]p�L�9_s��s%E����5�����M��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������ߋ��YR�b�1}/쾥�X��"�� �m'7��� O�L]]p�L�9_s��s%E����5�����M��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� S̄������ч�Mjp[�A����J̗�߯��
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.860602020649544,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8250,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "7974b5af226acc82635c787d5bc409020de3c700",
"event_fingerprint": "17b3916b5de73d42c5cb3db9267125cf3a2669bf",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "7e07237256af63770297b4ff3acae1f9",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8250,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u07cb\ufffd\ufffdYR\ufffdb\ufffd1}\/\ucfa5\ufffdX\ufffd\ufffd\"\u001b\ufffd\n\u0011m'7\ufffd\ufffd\ufffd O\ufffdL]]p\ufffdL\ufffd9_s\ufffd\ufffds%E\ufffd\u0013\ufffd\u00035\u008d\ufffd\ufffd\ufffd\u001d\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u07cb\ufffd\ufffdYR\ufffdb\ufffd1}\/\ucfa5\ufffdX\ufffd\ufffd\"\u001b\ufffd\n\u0011m'7\ufffd\ufffd\ufffd O\ufffdL]]p\ufffdL\ufffd9_s\ufffd\ufffds%E\ufffd\u0013\ufffd\u00035\u008d\ufffd\ufffd\ufffd\u001d\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 S\u0304\ufffd\ufffd\ufffd\u001c\ufffd\ufffd\u0447\ufffdMjp[\ufffdA\u000f\ufffd\ufffd\ufffdJ\u0317\u038d\u0012\u07ef\ufffd\u001d",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u07cb\ufffd\ufffdYR\ufffdb\ufffd1}\/\ucfa5\ufffdX\ufffd\ufffd\"\u001b\ufffd\n\u0011m'7\ufffd\ufffd\ufffd O\ufffdL]]p\ufffdL\ufffd9_s\ufffd\ufffds%E\ufffd\u0013\ufffd\u00035\u008d\ufffd\ufffd\ufffd\u001d\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "21f67285afe9d256936b3d0c5e59ba8c0af2b000",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u07cb\ufffd\ufffdYR\ufffdb\ufffd1}\/\ucfa5\ufffdX\ufffd\ufffd\"\u001b\ufffd\n\u0011m'7\ufffd\ufffd\ufffd O\ufffdL]]p\ufffdL\ufffd9_s\ufffd\ufffds%E\ufffd\u0013\ufffd\u00035\u008d\ufffd\ufffd\ufffd\u001d\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8250,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u07cb\ufffd\ufffdYR\ufffdb\ufffd1}\/\ucfa5\ufffdX\ufffd\ufffd\"\ufffd\nm'7\ufffd\ufffd\ufffd O\ufffdL]]p\ufffdL\ufffd9_s\ufffd\ufffds%E\ufffd\ufffd5\u008d\ufffd\ufffd\ufffd\ufffdM\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8250 \u00b7 (reconnaissance)",
"target_port_label": "8250 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8250,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u07cb\ufffd\ufffdYR\ufffdb\ufffd1}\/\ucfa5\ufffdX\ufffd\ufffd\"\u001b\ufffd\n\u0011m'7\ufffd\ufffd\ufffd O\ufffdL]]p\ufffdL\ufffd9_s\ufffd\ufffds%E\ufffd\u0013\ufffd\u00035\u008d\ufffd\ufffd\ufffd\u001d\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8250,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8250 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u07cb\ufffd\ufffdYR\ufffdb\ufffd1}\/\ucfa5\ufffdX\ufffd\ufffd\"\ufffd\nm'7\ufffd\ufffd\ufffd O\ufffdL]]p\ufffdL\ufffd9_s\ufffd\ufffds%E\ufffd\ufffd5\u008d\ufffd\ufffd\ufffd\ufffdM\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8250 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8250"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 62.74,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8280 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8280 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8280
Chemin / cible
—
Service
TLS
Payload
����������� ���X}�ӆc[tVk��|���a������P��� 2�鮬��3ӣ�����ϐ/٦�CD0W��gR�J=�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����������� ���X}�ӆc[tVk��|���a������P��� 2�鮬��3ӣ�����ϐ/٦�CD0W��gR�J=�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������� ���X}�ӆc[tVk��|���a������P��� 2�鮬��3ӣ�����ϐ/٦�CD0W��gR�J=�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� 쪠�a�23`�λ��5��[���#I�,�H�{��)
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.9067938035984575,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8280,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "3ec871cf770a6b7d96b78b970026576a3e6180d9",
"event_fingerprint": "2feaf17194bff54ebb076beba244f625cf519159",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "283e098faa0578fe95e6ae0e80cddc43",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8280,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffd\ufffd\ufffdX}\ufffd\u04c6c[tVk\ufffd\ufffd|\ufffd\ufffd\ufffda\ufffd\ufffd\u001b\ufffd\ufffd\u0017P\u0016\ufffd\ufffd 2\ufffd\u9bac\ufffd\ufffd3\u04e3\ufffd\ufffd\ufffd\ufffd\ufffd\u03d0\/\u0666\ufffdCD0W\ufffd\ufffdgR\ufffdJ=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffd\ufffd\ufffdX}\ufffd\u04c6c[tVk\ufffd\ufffd|\ufffd\ufffd\ufffda\ufffd\ufffd\u001b\ufffd\ufffd\u0017P\u0016\ufffd\ufffd 2\ufffd\u9bac\ufffd\ufffd3\u04e3\ufffd\ufffd\ufffd\ufffd\ufffd\u03d0\/\u0666\ufffdCD0W\ufffd\ufffdgR\ufffdJ=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ucaa0\ufffda\u001823`\ufffd\u03bb\ufffd\ufffd5\ufffd\ufffd[\ufffd\u001c\ufffd#I\ufffd,\ufffdH\ufffd{\ufffd\ufffd)",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffd\ufffd\ufffdX}\ufffd\u04c6c[tVk\ufffd\ufffd|\ufffd\ufffd\ufffda\ufffd\ufffd\u001b\ufffd\ufffd\u0017P\u0016\ufffd\ufffd 2\ufffd\u9bac\ufffd\ufffd3\u04e3\ufffd\ufffd\ufffd\ufffd\ufffd\u03d0\/\u0666\ufffdCD0W\ufffd\ufffdgR\ufffdJ=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "67acf83e60ddedde27ef71a94f34a48727759d74",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffd\ufffd\ufffdX}\ufffd\u04c6c[tVk\ufffd\ufffd|\ufffd\ufffd\ufffda\ufffd\ufffd\u001b\ufffd\ufffd\u0017P\u0016\ufffd\ufffd 2\ufffd\u9bac\ufffd\ufffd3\u04e3\ufffd\ufffd\ufffd\ufffd\ufffd\u03d0\/\u0666\ufffdCD0W\ufffd\ufffdgR\ufffdJ=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8280,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\t\ufffd\ufffd\ufffdX}\ufffd\u04c6c[tVk\ufffd\ufffd|\ufffd\ufffd\ufffda\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd 2\ufffd\u9bac\ufffd\ufffd3\u04e3\ufffd\ufffd\ufffd\ufffd\ufffd\u03d0\/\u0666\ufffdCD0W\ufffd\ufffdgR\ufffdJ=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8280 \u00b7 (reconnaissance)",
"target_port_label": "8280 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8280,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\t\ufffd\ufffd\ufffdX}\ufffd\u04c6c[tVk\ufffd\ufffd|\ufffd\ufffd\ufffda\ufffd\ufffd\u001b\ufffd\ufffd\u0017P\u0016\ufffd\ufffd 2\ufffd\u9bac\ufffd\ufffd3\u04e3\ufffd\ufffd\ufffd\ufffd\ufffd\u03d0\/\u0666\ufffdCD0W\ufffd\ufffdgR\ufffdJ=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8280,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8280 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\t\ufffd\ufffd\ufffdX}\ufffd\u04c6c[tVk\ufffd\ufffd|\ufffd\ufffd\ufffda\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd 2\ufffd\u9bac\ufffd\ufffd3\u04e3\ufffd\ufffd\ufffd\ufffd\ufffd\u03d0\/\u0666\ufffdCD0W\ufffd\ufffdgR\ufffdJ=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8280 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8280"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 61.57,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|