Renseignement sur les menaces

États-Unis

136.112.73.222

FAI Google LLC Première vue 13/06/2026 19:19 UTC Dernière vue 13/06/2026 19:22 UTC Risque Élevé

Période analysée : 2026-06-09 → 2026-06-16

Activité suspecte — risque 53/100 (Moyen) — MITRE T1046 — confiance 100 % — via POSTGRES — multi-protocole (78 protocoles · 5 min)

Campagne multi-ports détectée sur une fenêtre courte

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

Élevé · Risque max (7j) Élevé

Synthèse exécutive

Profil de menace

Score de risque 66/100 Élevé

Première observation 13/06/2026 19:19 UTC

Dernière observation 13/06/2026 19:22 UTC

Événements (période) 563

MITRE ATT&CK principal T1046 559 occurrences

Activité suspecte — risque 53/100 (Moyen) — MITRE T1046 — confiance 100 % — via POSTGRES — multi-protocole (78 protocoles · 5 min)

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Rafale d'authentification SSH · confiance 100%

Confiance 100 % — Score WAF 8 · Bonus corrélation +23

Comparaison ASN / FAI

ASN 396982 · 136.112.0.0/13 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 563 événements sur la période pour cette IP.

34.78.23.28 Sonde port 2226/TCP 16/06/2026 07:51 UTC
34.14.117.1 Sonde port 21285/TCP 16/06/2026 07:50 UTC
34.38.195.167 Sonde port 8172/TCP 16/06/2026 07:50 UTC
35.203.211.12 Scanner web 16/06/2026 07:48 UTC
34.34.178.22 Sonde WinRM 16/06/2026 07:48 UTC
34.79.87.63 Sonde port 9179/TCP 16/06/2026 07:48 UTC
34.79.151.177 Sonde port 5237/TCP 16/06/2026 07:48 UTC
35.240.3.145 Sonde port 18101/TCP 16/06/2026 07:47 UTC

Événements (filtres)

563

Première observation

13/06/2026 19:19 UTC

Dernière observation

13/06/2026 19:22 UTC

Dernière activité (filtres)

13/06/2026 19:22 UTC

Événements 7j

563

Ports distincts (7j)

161

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 160 HTTP TCP 125 HTTPS TCP 9 REDIS TCP 7 CASSANDRA JMX TCP 6 TOR OR TCP 6 RTSP TCP 6 DOCKER TLS TCP 6 MEMCACHED ALT TCP 6 POSTGRES TCP 6 CLICKHOUSE NATIVE TCP 6 UPNP TCP TCP 6 GAME UNREAL TCP 6 MONGODB SHARD TCP 6 RTSP ALT TCP 6 X11 TCP 6 JETDIRECT TCP 6 VNC TCP 6 GITHUB WEBHOOK TCP 6 NEO4J HTTP TCP 6

TLS

160

HTTP

125

HTTPS

REDIS

CASSANDRA JMX

TOR OR

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

Google LLC 0 Port 10001 postgres_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Reconnaissance

Chaîne d'attaque

Reconnaissance

Vecteur d'attaque

port scan syn · via POSTGRES:5432 · (reconnaissance)

Détails protocole

PostgreSQL: Handshake PostgreSQL (startup)

Aperçu payload

GET / HTTP/1.1 Host: 62.3.50.33:5432 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, li

Port / service

5432 · POSTGRES

Service émulé

POSTGRES

Raison confiance

Confiance 100 % — 5 signal(aux) capteur

Technique MITRE

T1046

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min)

Recommandation

Investiguer

Rôle capteur

Renseignement menaces

Signaux de précision

MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S

Confiance

100% Corrélation +23

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

563 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

563 événement(s) — page 9/12

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
13/06/2026 19:19:56 UTC	TCP	2083 · CPANEL SSL	cpanel-ssl	Scan de ports port scan syn · via CPANEL SSL:2083 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur CPANEL-SSL WAF — Recommandation Surveiller Tags cpanel_ssl_emulated net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2083 Chemin / cible — Service CPANEL SSL Payload ��A��~��^M�909�q��`��V��1hl(kK�� MN�B�@�䢬t�L��=��f ��A�G&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��A��~��^M�909�q��`��V��1hl(kK�� MN�B�@�䢬t�L��=��f��A�G&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��A��~��^M�909�q��`��V��1hl(kK�� MN�B�@�䢬t�L��=��f ��A�G&�+�/�,�0̨̩� �� /5� w �+3&$ ��m5� Q�\|\�]��T��bd=U��h Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "bytes_in": 239, "payload_entropy": 5.918592209742533, "port_category": "registered", "org": "Google LLC", "service": "cpanel-ssl", "app_proto": "cpanel-ssl", "asn": 396982, "country": "US", "dst_port": 2083, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ac1f6b26c8b962f8ada6b4f2d5c056406bb2e963", "event_fingerprint": "31d5b24aac948e8aef4b292af6d8bcb64f5a3442", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "cpanel-ssl", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1b000027b5695cfd790e78adbe911fb2", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2083, "service": "cpanel-ssl", "service_name": "cpanel-ssl", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd~\ufffd\ufffd^\u0017M\ufffd909\ufffdq\ufffd\ufffd`\ufffd\ufffdV\ufffd\ufffd\ufffd1hl(kK\ufffd\ufffd \ufffd\ufffdMN\ufffdB\ufffd\u0010@\ufffd\u48act\ufffdL\ufffd\u0006\ufffd=\u001c\ufffd\ufffdf\f\ufffd\ufffd\u0017\ufffdA\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd~\ufffd\ufffd^\u0017M\ufffd909\ufffdq\ufffd\ufffd`\ufffd\ufffdV\ufffd\ufffd\ufffd1hl(kK\ufffd\ufffd \ufffd\ufffdMN\ufffdB\ufffd\u0010@\ufffd\u48act\ufffdL\ufffd\u0006\ufffd=\u001c\ufffd\ufffdf\f\ufffd\ufffd\u0017\ufffdA\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdm5\ufffd\tQ\ufffd\|\\\ufffd]\ufffd\u0011\ufffdT\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdbd=U\ufffd\u0011\ufffdh", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd~\ufffd\ufffd^\u0017M\ufffd909\ufffdq\ufffd\ufffd`\ufffd\ufffdV\ufffd\ufffd\ufffd1hl(kK\ufffd\ufffd \ufffd\ufffdMN\ufffdB\ufffd\u0010@\ufffd\u48act\ufffdL\ufffd\u0006\ufffd=\u001c\ufffd\ufffdf\f\ufffd\ufffd\u0017\ufffdA\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "018fd2fa8f9e55f33918d28d7fd54845686a0918", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd~\ufffd\ufffd^\u0017M\ufffd909\ufffdq\ufffd\ufffd`\ufffd\ufffdV\ufffd\ufffd\ufffd1hl(kK\ufffd\ufffd \ufffd\ufffdMN\ufffdB\ufffd\u0010@\ufffd\u48act\ufffdL\ufffd\u0006\ufffd=\u001c\ufffd\ufffdf\f\ufffd\ufffd\u0017\ufffdA\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2083, "service": "cpanel-ssl", "service_label_fr": "CPANEL SSL" }, "evidence_snippet": "\ufffd\ufffdA\ufffd\ufffd~\ufffd\ufffd^M\ufffd909\ufffdq\ufffd\ufffd`\ufffd\ufffdV\ufffd\ufffd\ufffd1hl(kK\ufffd\ufffd \ufffd\ufffdMN\ufffdB\ufffd@\ufffd\u48act\ufffdL\ufffd\ufffd=\ufffd\ufffdf\ufffd\ufffd\ufffdA\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via CPANEL SSL:2083 \u00b7 (reconnaissance)", "target_port_label": "2083 \u00b7 CPANEL SSL", "emulator_service": "cpanel-ssl", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL SSL \u2014 multi-protocole (59 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "cpanel-ssl", "service_label_fr": "CPANEL SSL", "dst_port": 2083, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-ssl", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003A\ufffd\ufffd~\ufffd\ufffd^\u0017M\ufffd909\ufffdq\ufffd\ufffd`\ufffd\ufffdV\ufffd\ufffd\ufffd1hl(kK\ufffd\ufffd \ufffd\ufffdMN\ufffdB\ufffd\u0010@\ufffd\u48act\ufffdL\ufffd\u0006\ufffd=\u001c\ufffd\ufffdf\f\ufffd\ufffd\u0017\ufffdA\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2083, "service": "cpanel-ssl", "service_label_fr": "CPANEL SSL" }, "attack_vector": "port scan syn \u00b7 via CPANEL SSL:2083 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdA\ufffd\ufffd~\ufffd\ufffd^M\ufffd909\ufffdq\ufffd\ufffd`\ufffd\ufffdV\ufffd\ufffd\ufffd1hl(kK\ufffd\ufffd \ufffd\ufffdMN\ufffdB\ufffd@\ufffd\u48act\ufffdL\ufffd\ufffd=\ufffd\ufffdf\ufffd\ufffd\ufffdA\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2083 \u00b7 CPANEL SSL", "emulator_service": "cpanel-ssl", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_ssl", "service_banner": "honeypot-cpanel-ssl", "service_os": "linux", "dst_port": "2083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 107, "port_scan_ports_sample": [ 81, 82, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096, 2375, 2376 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 107, "scan_velocity_ports_per_s": 75.28, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 59, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "couchbase", "couchdb", "cpanel", "cpanel-ssl", "cpanel-whm" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_ssl_emulated", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	83 · TLS	tls	Scan de ports port scan syn · via TLS:83 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 83 Chemin / cible — Service TLS Payload ��Iݬ�F��u�}��]��\%�<��O u{h�ڼ+z��17Z��%�K m I��ќ>� &�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Iݬ�F��u�}��]��\%�<��O u{h�ڼ+z��17Z��%�Km I��ќ>�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Iݬ�F��u�}��]��\%�<��O u{h�ڼ+z��17Z��%�K m I��ќ>� &�+�/�,�0̨̩� �� /5� w �+3&$ ��b��g�ی>��,.�Z��g%b��F� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.7450445507632635, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 83, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "74497f359ddae03c454045790e3d3f8f9eb7db22", "event_fingerprint": "b88008650322c39307101abdc6062ae98fba8e96", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "3ebd977209b92f9e51f8cc43c726fddf", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 83, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdI\u076c\ufffdF\ufffd\u0001\ufffd\ufffd\ufffdu\ufffd}\ufffd\ufffd\ufffd]\u001f\ufffd\u0014\ufffd\\%\u000f\ufffd<\ufffd\u0002\u0017\ufffdO u{h\ufffd\u06bc+\u001fz\ufffd\ufffd17Z\ufffd\ufffd%\u0018\ufffdK\u000e\fm\rI\ufffd\ufffd\u045c>\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdI\u076c\ufffdF\ufffd\u0001\ufffd\ufffd\ufffdu\ufffd}\ufffd\ufffd\ufffd]\u001f\ufffd\u0014\ufffd\\%\u000f\ufffd<\ufffd\u0002\u0017\ufffdO u{h\ufffd\u06bc+\u001fz\ufffd\ufffd17Z\ufffd\ufffd%\u0018\ufffdK\u000e\fm\rI\ufffd\ufffd\u045c>\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \r\ufffd\ufffdb\ufffd\ufffd\b\ufffdg\ufffd\u06cc>\ufffd\ufffd,.\ufffdZ\u001e\ufffd\ufffd\ufffdg%b\ufffd\ufffdF\b\ufffd\u0003", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdI\u076c\ufffdF\ufffd\u0001\ufffd\ufffd\ufffdu\ufffd}\ufffd\ufffd\ufffd]\u001f\ufffd\u0014\ufffd\\%\u000f\ufffd<\ufffd\u0002\u0017\ufffdO u{h\ufffd\u06bc+\u001fz\ufffd\ufffd17Z\ufffd\ufffd%\u0018\ufffdK\u000e\fm\rI\ufffd\ufffd\u045c>\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "be684eae758a9233f57d03f13971db21ac1ae23a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdI\u076c\ufffdF\ufffd\u0001\ufffd\ufffd\ufffdu\ufffd}\ufffd\ufffd\ufffd]\u001f\ufffd\u0014\ufffd\\%\u000f\ufffd<\ufffd\u0002\u0017\ufffdO u{h\ufffd\u06bc+\u001fz\ufffd\ufffd17Z\ufffd\ufffd%\u0018\ufffdK\u000e\fm\rI\ufffd\ufffd\u045c>\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 83, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdI\u076c\ufffdF\ufffd\ufffd\ufffd\ufffdu\ufffd}\ufffd\ufffd\ufffd]\ufffd\ufffd\\%\ufffd<\ufffd\ufffdO u{h\ufffd\u06bc+z\ufffd\ufffd17Z\ufffd\ufffd%\ufffdKm\rI\ufffd\ufffd\u045c>\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:83 \u00b7 (reconnaissance)", "target_port_label": "83 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 83, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdI\u076c\ufffdF\ufffd\u0001\ufffd\ufffd\ufffdu\ufffd}\ufffd\ufffd\ufffd]\u001f\ufffd\u0014\ufffd\\%\u000f\ufffd<\ufffd\u0002\u0017\ufffdO u{h\ufffd\u06bc+\u001fz\ufffd\ufffd17Z\ufffd\ufffd%\u0018\ufffdK\u000e\fm\rI\ufffd\ufffd\u045c>\ufffd\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 83, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:83 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdI\u076c\ufffdF\ufffd\ufffd\ufffd\ufffdu\ufffd}\ufffd\ufffd\ufffd]\ufffd\ufffd\\%\ufffd<\ufffd\ufffdO u{h\ufffd\u06bc+z\ufffd\ufffd17Z\ufffd\ufffd%\ufffdKm\rI\ufffd\ufffd\u045c>\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "83 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "83" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 108, "port_scan_ports_sample": [ 81, 82, 83, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096, 2375 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 108, "scan_velocity_ports_per_s": 75.6, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 59, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "couchbase", "couchdb", "cpanel", "cpanel-ssl", "cpanel-whm" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	2095 · TLS	tls	Scan de ports port scan syn · via TLS:2095 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2095 Chemin / cible — Service TLS Payload ��QʲH,�?�o��c�� Ţ�LJ�=b ��A�XnG1��J4�eGl�0�P��N��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��QʲH,�?�o��c�� Ţ�LJ�=b ��A�XnG1��J4�eGl�0�P��N��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��QʲH,�?�o��c�� Ţ�LJ�=b ��A�XnG1��J4�eGl�0�P��N��&�+�/�,�0̨̩� �� /5� w �+3&$ �=��Y�]GKq��!nY��U�z ��_z3 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.827964911612799, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 2095, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cff78fc109efa3d7c203d7aa5a7b313d86ddfd76", "event_fingerprint": "da7e45665d0408ef825beb022729b3ec80515849", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "d6753e915512354ac62642f7b64b61bd", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2095, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u02b2H,\ufffd?\ufffdo\ufffd\ufffd\ufffd\u000e\ufffdc\ufffd\ufffd\ufffd\t\u0162\ufffdLJ\ufffd\u001e=b \ufffd\ufffd\ufffdA\ufffdXnG1\ufffd\b\ufffd\u0003\u0006J4\ufffdeGl\ufffd0\ufffdP\ufffd\ufffd\u0018\ufffdN\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u02b2H,\ufffd?\ufffdo\ufffd\ufffd\ufffd\u000e\ufffdc\ufffd\ufffd\ufffd\t\u0162\ufffdLJ\ufffd\u001e=b \ufffd\ufffd\ufffdA\ufffdXnG1\ufffd\b\ufffd\u0003\u0006J4\ufffdeGl\ufffd0\ufffdP\ufffd\ufffd\u0018\ufffdN\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd=\ufffd\u0002\u0006\ufffdY\ufffd]\u001d\u0019GKq\ufffd\ufffd!nY\ufffd\ufffdU\ufffdz\f\ufffd\ufffd\ufffd_z\u00123", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u02b2H,\ufffd?\ufffdo\ufffd\ufffd\ufffd\u000e\ufffdc\ufffd\ufffd\ufffd\t\u0162\ufffdLJ\ufffd\u001e=b \ufffd\ufffd\ufffdA\ufffdXnG1\ufffd\b\ufffd\u0003\u0006J4\ufffdeGl\ufffd0\ufffdP\ufffd\ufffd\u0018\ufffdN\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0be7f899a5971f0c8a474a5563060fa3f1a63866", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u02b2H,\ufffd?\ufffdo\ufffd\ufffd\ufffd\u000e\ufffdc\ufffd\ufffd\ufffd\t\u0162\ufffdLJ\ufffd\u001e=b \ufffd\ufffd\ufffdA\ufffdXnG1\ufffd\b\ufffd\u0003\u0006J4\ufffdeGl\ufffd0\ufffdP\ufffd\ufffd\u0018\ufffdN\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2095, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdQ\u02b2H,\ufffd?\ufffdo\ufffd\ufffd\ufffd\ufffdc\ufffd\ufffd\ufffd\t\u0162\ufffdLJ\ufffd=b \ufffd\ufffd\ufffdA\ufffdXnG1\ufffd\ufffdJ4\ufffdeGl\ufffd0\ufffdP\ufffd\ufffd\ufffdN\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:2095 \u00b7 (reconnaissance)", "target_port_label": "2095 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2095, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u02b2H,\ufffd?\ufffdo\ufffd\ufffd\ufffd\u000e\ufffdc\ufffd\ufffd\ufffd\t\u0162\ufffdLJ\ufffd\u001e=b \ufffd\ufffd\ufffdA\ufffdXnG1\ufffd\b\ufffd\u0003\u0006J4\ufffdeGl\ufffd0\ufffdP\ufffd\ufffd\u0018\ufffdN\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2095, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:2095 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdQ\u02b2H,\ufffd?\ufffdo\ufffd\ufffd\ufffd\ufffdc\ufffd\ufffd\ufffd\t\u0162\ufffdLJ\ufffd=b \ufffd\ufffd\ufffdA\ufffdXnG1*\ufffd\ufffdJ4\ufffdeGl\ufffd0\ufffdP\ufffd\ufffd\ufffdN\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2095 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2095" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 108, "port_scan_ports_sample": [ 81, 82, 83, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096, 2375 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 108, "scan_velocity_ports_per_s": 75.23, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 59, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "couchbase", "couchdb", "cpanel", "cpanel-ssl", "cpanel-whm" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8300 · CONSUL SERVER	consul-server	Scan de ports port scan syn · via CONSUL SERVER:8300 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-SERVER WAF — Recommandation Surveiller Tags net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8300 Chemin / cible — Service CONSUL SERVER Payload �� u��,��k�!��X�~SA��4�� 3��U��ơa�� s2�RJw�u�S� ;�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��u��,��k�!��X�~SA��4�� 3��U��ơa�� s2�RJw�u�S� ;�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� u��,��k�!��X�~SA��4�� 3��U��ơa�� s2�RJw�u�S� ;�&�+�/�,�0̨̩� �� /5� w �+3&$ .�xܽ2k�Jt͊��2�o1�nՄ�س&f9 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.818686546270312, "port_category": "registered", "org": "Google LLC", "service": "consul-server", "app_proto": "consul-server", "asn": 396982, "country": "US", "dst_port": 8300, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "ae2692156eeb1c7e38827c456b87ca9d70426022", "event_fingerprint": "c86c7e2f76327b82359fa7ed84472755e3616b62", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "consul-server", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "904f07acef593c89c9fc3acb26b9e80e", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8300, "service": "consul-server", "service_name": "consul-server", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001d\ufffd\u000bu\ufffd\u0000\ufffd,\u0006\ufffd\u0001\ufffdk\ufffd!\u0012\ufffd\ufffdX\ufffd~SA\ufffd\ufffd4\ufffd\ufffd \ufffd3\ufffd\u0011\ufffdU\ufffd\u001a\ufffd\u01a1a\ufffd\ufffd \ufffd\ufffds2\ufffdRJw\u000f\ufffdu\ufffdS\ufffd\n;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001d\ufffd\u000bu\ufffd\u0000\ufffd,\u0006\ufffd\u0001\ufffdk\ufffd!\u0012\ufffd\ufffdX\ufffd~SA\ufffd\ufffd4\ufffd\ufffd \ufffd3\ufffd\u0011\ufffdU\ufffd\u001a\ufffd\u01a1a\ufffd\ufffd \ufffd\ufffds2\ufffdRJw\u000f\ufffdu\ufffdS\ufffd\n;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 .\ufffdx\u0016\u073d2k\ufffdJt\u034a\ufffd\ufffd\ufffd2\u001f\ufffdo1\ufffdn\u0544\ufffd\u001f\u0633&f9", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001d\ufffd\u000bu\ufffd\u0000\ufffd,\u0006\ufffd\u0001\ufffdk\ufffd!\u0012\ufffd\ufffdX\ufffd~SA\ufffd\ufffd4\ufffd\ufffd \ufffd3\ufffd\u0011\ufffdU\ufffd\u001a\ufffd\u01a1a\ufffd\ufffd \ufffd\ufffds2\ufffdRJw\u000f\ufffdu\ufffdS\ufffd\n;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "659c78839ee2774489625996672e55321316e70c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001d\ufffd\u000bu\ufffd\u0000\ufffd,\u0006\ufffd\u0001\ufffdk\ufffd!\u0012\ufffd\ufffdX\ufffd~SA\ufffd\ufffd4\ufffd\ufffd \ufffd3\ufffd\u0011\ufffdU\ufffd\u001a\ufffd\u01a1a\ufffd\ufffd \ufffd\ufffds2\ufffdRJw\u000f\ufffdu\ufffdS\ufffd\n;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd,\ufffd\ufffdk\ufffd!\ufffd\ufffdX\ufffd~SA\ufffd\ufffd4\ufffd\ufffd \ufffd3\ufffd\ufffdU\ufffd\ufffd\u01a1a\ufffd\ufffd \ufffd\ufffds2\ufffdRJw\ufffdu\ufffdS\ufffd\n;\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via CONSUL SERVER:8300 \u00b7 (reconnaissance)", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CONSUL SERVER \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "consul-server", "service_label_fr": "CONSUL SERVER", "dst_port": 8300, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-server", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u001d\ufffd\u000bu\ufffd\u0000\ufffd,\u0006\ufffd\u0001\ufffdk\ufffd!\u0012\ufffd\ufffdX\ufffd~SA\ufffd\ufffd4\ufffd\ufffd \ufffd3\ufffd\u0011\ufffdU\ufffd\u001a\ufffd\u01a1a\ufffd\ufffd \ufffd\ufffds2\ufffdRJw\u000f\ufffdu\ufffdS\ufffd\n;\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8300, "service": "consul-server", "service_label_fr": "CONSUL SERVER" }, "attack_vector": "port scan syn \u00b7 via CONSUL SERVER:8300 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd,*\ufffd\ufffdk\ufffd!\ufffd\ufffdX\ufffd~SA\ufffd\ufffd4\ufffd\ufffd \ufffd3\ufffd\ufffdU\ufffd\ufffd\u01a1a\ufffd\ufffd \ufffd\ufffds2\ufffdRJw\ufffdu\ufffdS\ufffd\n;\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8300 \u00b7 CONSUL SERVER", "emulator_service": "consul-server", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_server", "service_banner": "honeypot-consul-server", "service_os": "linux", "dst_port": "8300" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 109, "port_scan_ports_sample": [ 81, 82, 83, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096, 2375 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 109, "scan_velocity_ports_per_s": 75.56, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	2087 · CPANEL WHM	cpanel-whm	Scan de ports port scan syn · via CPANEL WHM:2087 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur CPANEL-WHM WAF — Recommandation Surveiller Tags cpanel_whm_emulated cpanel_whm_payload net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2087 Chemin / cible — Service CPANEL WHM Payload ��j��qا��c��.�A�`'��u&$�XT� L e'�,��q�a.��v�\əc]}�r=&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��j��qا��c��.�A�`'��u&$�XT� L e'�,��q�a.��v�\əc]}�r=&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��j��qا��c��.�A�`'��u&$�XT� L e'�,��q�a.��v�\əc]}�r=&�+�/�,�0̨̩� �� /5� w �+3&$ Z�];��+��[wgz7�I[�E�;��X} Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e", "emulator_response_len": 125, "bytes_in": 239, "payload_entropy": 5.838740822399753, "port_category": "registered", "org": "Google LLC", "service": "cpanel-whm", "app_proto": "cpanel-whm", "asn": 396982, "country": "US", "dst_port": 2087, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "888817ce8144beda6c110b610862caa0eb6b053e", "event_fingerprint": "fb87598111f173bf4fc6bdd78ad81d4252d9ea7b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "cpanel-whm", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3f2e4cc0ce75deb9ddd992a8d922ccf7", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2087, "service": "cpanel-whm", "service_name": "cpanel-whm", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdj\ufffd\ufffdq\u0627\ufffd\ufffdc\ufffd\ufffd\ufffd.\u0011\ufffdA\ufffd`'\b\ufffd\ufffdu&$\ufffdXT\ufffd L\ne'\u0015\ufffd,\u001f\ufffd\ufffdq\ufffda.\ufffd\ufffd\ufffd\u0018v\ufffd\\\u0011\u0259c]}\ufffdr=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdj\ufffd\ufffdq\u0627\ufffd\ufffdc\ufffd\ufffd\ufffd.\u0011\ufffdA\ufffd`'\b\ufffd\ufffdu&$\ufffdXT\ufffd L\ne'\u0015\ufffd,\u001f\ufffd\ufffdq\ufffda.\ufffd\ufffd\ufffd\u0018v\ufffd\\\u0011\u0259c]}\ufffdr=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Z\ufffd];\ufffd\ufffd+\ufffd\ufffd\ufffd\ufffd\ufffd\u001a[wgz7\ufffdI[\ufffdE\ufffd;\ufffd\ufffd\ufffdX}", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdj\ufffd\ufffdq\u0627\ufffd\ufffdc\ufffd\ufffd\ufffd.\u0011\ufffdA\ufffd`'\b\ufffd\ufffdu&$\ufffdXT\ufffd L\ne'\u0015\ufffd,\u001f\ufffd\ufffdq\ufffda.\ufffd\ufffd\ufffd\u0018v\ufffd\\\u0011\u0259c]}\ufffdr=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6881eaee7ae42b1ce4bd3c6477ac1d0163e2bf0a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdj\ufffd\ufffdq\u0627\ufffd\ufffdc\ufffd\ufffd\ufffd.\u0011\ufffdA\ufffd`'\b\ufffd\ufffdu&$\ufffdXT\ufffd L\ne'\u0015\ufffd,\u001f\ufffd\ufffdq\ufffda.\ufffd\ufffd\ufffd\u0018v\ufffd\\\u0011\u0259c]}\ufffdr=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "evidence_snippet": "\ufffd\ufffd\ufffdj\ufffd\ufffdq\u0627\ufffd\ufffdc\ufffd\ufffd\ufffd.\ufffdA\ufffd`'\ufffd\ufffdu&$\ufffdXT\ufffd L\ne'\ufffd,\ufffd\ufffdq\ufffda.\ufffd\ufffd\ufffdv\ufffd\\\u0259c]}\ufffdr=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL WHM \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "cpanel-whm", "service_label_fr": "CPANEL WHM", "dst_port": 2087, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-cpanel-whm", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdj\ufffd\ufffdq\u0627\ufffd\ufffdc\ufffd\ufffd\ufffd.\u0011\ufffdA\ufffd`'\b\ufffd\ufffdu&$\ufffdXT\ufffd L\ne'\u0015\ufffd,\u001f\ufffd\ufffdq\ufffda.\ufffd\ufffd\ufffd\u0018v\ufffd\\\u0011\u0259c]}\ufffdr=\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2087, "service": "cpanel-whm", "service_label_fr": "CPANEL WHM" }, "attack_vector": "port scan syn \u00b7 via CPANEL WHM:2087 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdj\ufffd\ufffdq\u0627\ufffd\ufffdc\ufffd\ufffd\ufffd.\ufffdA\ufffd`'\ufffd\ufffdu&$\ufffdXT\ufffd L\ne'\ufffd,\ufffd\ufffdq\ufffda.\ufffd\ufffd\ufffdv\ufffd\\\u0259c]}\ufffdr=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2087 \u00b7 CPANEL WHM", "emulator_service": "cpanel-whm", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "cpanel_whm", "service_banner": "honeypot-cpanel-whm", "service_os": "linux", "dst_port": "2087" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 109, "port_scan_ports_sample": [ 81, 82, 83, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096, 2375 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 109, "scan_velocity_ports_per_s": 75.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "cpanel_whm_emulated", "cpanel_whm_payload", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	2086 · TLS	tls	Scan de ports port scan syn · via TLS:2086 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2086 Chemin / cible — Service TLS Payload ��O0��9KD� �~ �9� �d��+� �N'�Y�<u �w��L�W+=�xK�h� N��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��O0��9KD� �~ �9��d��+� �N'�Y�<u�w��L�W+=�xK�h� N��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��O0��9KD� �~ �9� �d��+� �N'�Y�<u �w��L�W+=�xK�h� N��&�+�/�,�0̨̩� �� /5� w �+3&$ ��f͆�Es��ӄ�kY�j�O��u�)��N�: Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.848131518593702, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 2086, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "e72aff1905d67fc9f4d6af2ae5c024d2fd2f2be4", "event_fingerprint": "92e882da32ac46aad35d65b13ab43dfda2a6bf56", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "9270557ed767bb6ade6bd5ad416aa1ae", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2086, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdO0\ufffd\ufffd\ufffd\ufffd9KD\ufffd\t\ufffd~\n\ufffd9\ufffd\u000b\u001d\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd \ufffdN'\ufffdY\ufffd\u001d<u\u000b\ufffdw\ufffd\ufffd\ufffdL\ufffdW+=\u0011\ufffdxK\ufffdh\ufffd\rN\b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdO0\ufffd\ufffd\ufffd\ufffd9KD\ufffd\t\ufffd~\n\ufffd9\ufffd\u000b\u001d\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd \ufffdN'\ufffdY\ufffd\u001d<u\u000b\ufffdw\ufffd\ufffd\ufffdL\ufffdW+=\u0011\ufffdxK\ufffdh\ufffd\rN\b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdf\u0346\ufffdEs\ufffd\ufffd\u0003\u04c4\ufffdkY\ufffdj\ufffdO\ufffd\ufffdu\ufffd)\u0012\ufffd\u0013\ufffdN\ufffd:", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdO0\ufffd\ufffd\ufffd\ufffd9KD\ufffd\t\ufffd~\n\ufffd9\ufffd\u000b\u001d\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd \ufffdN'\ufffdY\ufffd\u001d<u\u000b\ufffdw\ufffd\ufffd\ufffdL\ufffdW+=\u0011\ufffdxK\ufffdh\ufffd\rN\b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "05c2853c46db3b7c6dd18a63d269655a0396ce90", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdO0\ufffd\ufffd\ufffd\ufffd9KD\ufffd\t\ufffd~\n\ufffd9\ufffd\u000b\u001d\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd \ufffdN'\ufffdY\ufffd\u001d<u\u000b\ufffdw\ufffd\ufffd\ufffdL\ufffdW+=\u0011\ufffdxK\ufffdh\ufffd\rN\b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2086, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdO0\ufffd\ufffd\ufffd\ufffd9KD\ufffd\t\ufffd~\n\ufffd9\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd \ufffdN'\ufffdY\ufffd<u\ufffdw\ufffd\ufffd\ufffdL\ufffdW+=\ufffdxK\ufffdh\ufffd\rN\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:2086 \u00b7 (reconnaissance)", "target_port_label": "2086 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2086, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdO0\ufffd\ufffd\ufffd\ufffd9KD\ufffd\t\ufffd~\n\ufffd9\ufffd\u000b\u001d\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd \ufffdN'\ufffdY\ufffd\u001d<u\u000b\ufffdw\ufffd\ufffd\ufffdL\ufffdW+=\u0011\ufffdxK\ufffdh\ufffd\rN\b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2086, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:2086 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdO0\ufffd\ufffd\ufffd\ufffd9KD\ufffd\t\ufffd~\n\ufffd9\ufffd\ufffdd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd+\ufffd \ufffdN'\ufffdY\ufffd<u\ufffdw\ufffd\ufffd\ufffdL\ufffdW+=\ufffdxK\ufffdh\ufffd\rN\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2086 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2086" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 109, "port_scan_ports_sample": [ 81, 82, 83, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096, 2375 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 109, "scan_velocity_ports_per_s": 74.85, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8383 · TLS	tls	Scan de ports port scan syn · via TLS:8383 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8383 Chemin / cible — Service TLS Payload ��杅 ,.��Jauf��Cު˘ڸ��>��0� �ɶ��\�iy,��"ɹt9ȥ�l7rd�Hڞ��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��杅,.��Jauf��Cު˘ڸ��>��0� �ɶ��\�iy,��"ɹt9ȥ�l7rd�Hڞ��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��杅 ,.��Jauf��Cު˘ڸ��>��0� �ɶ��\�iy,��"ɹt9ȥ�l7rd�Hڞ��&�+�/�,�0̨̩� �� /5� w �+3&$ [-�!w>�� V�d?�h��"��dy� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.83337179733444, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8383, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3072fa6c4f058b1de6e3a659240e8539fe622ebb", "event_fingerprint": "1e7a54f0c80de1143f12157201caa43ad135917d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "75202334467852fa6625f98ed780ece8", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8383, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u6745\f,.\ufffd\ufffdJauf\ufffd\ufffdC\u07aa\u02d8\u06b8\ufffd\ufffd>\ufffd\u001b\ufffd0\ufffd \u0000\ufffd\u0276\ufffd\ufffd\\\ufffdiy,\ufffd\ufffd\"\u0279t9\u0225\ufffdl7rd\ufffdH\u069e\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u6745\f,.\ufffd\ufffdJauf\ufffd\ufffdC\u07aa\u02d8\u06b8\ufffd\ufffd>\ufffd\u001b\ufffd0\ufffd \u0000\ufffd\u0276\ufffd\ufffd\\\ufffdiy,\ufffd\ufffd\"\u0279t9\u0225\ufffdl7rd\ufffdH\u069e\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 [-\ufffd!w>\u001e\u0014\ufffd\ufffd\ufffd\r\ufffdV\ufffdd?\ufffdh\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\"\ufffd\ufffddy\ufffd\n", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u6745\f,.\ufffd\ufffdJauf\ufffd\ufffdC\u07aa\u02d8\u06b8\ufffd\ufffd>\ufffd\u001b\ufffd0\ufffd \u0000\ufffd\u0276\ufffd\ufffd\\\ufffdiy,\ufffd\ufffd\"\u0279t9\u0225\ufffdl7rd\ufffdH\u069e\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5171fe567d4910e50d3fc5537bc45d7b29ebe14e", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u6745\f,.\ufffd\ufffdJauf\ufffd\ufffdC\u07aa\u02d8\u06b8\ufffd\ufffd>\ufffd\u001b\ufffd0\ufffd \u0000\ufffd\u0276\ufffd\ufffd\\\ufffdiy,\ufffd\ufffd\"\u0279t9\u0225\ufffdl7rd\ufffdH\u069e\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8383, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\u6745,.\ufffd\ufffdJauf\ufffd\ufffdC\u07aa\u02d8\u06b8\ufffd\ufffd>\ufffd\ufffd0\ufffd \ufffd\u0276\ufffd\ufffd\\\ufffdiy,\ufffd\ufffd\"\u0279t9\u0225\ufffdl7rd\ufffdH\u069e\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8383 \u00b7 (reconnaissance)", "target_port_label": "8383 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8383, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0019\u6745\f,.\ufffd\ufffdJauf\ufffd\ufffdC\u07aa\u02d8\u06b8\ufffd\ufffd>\ufffd\u001b\ufffd0\ufffd \u0000\ufffd\u0276\ufffd\ufffd\\\ufffdiy,\ufffd\ufffd\"\u0279t9\u0225\ufffdl7rd\ufffdH\u069e\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8383, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8383 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\u6745,.\ufffd\ufffdJauf\ufffd*\ufffdC\u07aa\u02d8\u06b8\ufffd\ufffd>\ufffd\ufffd0\ufffd \ufffd\u0276\ufffd\ufffd\\\ufffdiy,\ufffd\ufffd\"\u0279t9\u0225\ufffdl7rd\ufffdH\u069e\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8383 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8383" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 110, "port_scan_ports_sample": [ 81, 82, 83, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096, 2375 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 110, "scan_velocity_ports_per_s": 75.1, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	84 · TLS	tls	Scan de ports port scan syn · via TLS:84 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 84 Chemin / cible — Service TLS Payload ��]E��b��-��-�t�ׇL��k'�� M,=qݽ\2�V�+T��g�@��_�n�M䩪&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��]E��b��-��-�t�ׇL��k'�� M,=qݽ\2�V�+T��g�@��_�n�M䩪&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��]E��b��-��-�t�ׇL��k'�� M,=qݽ\2�V�+T��g�@��_�n�M䩪&�+�/�,�0̨̩� �� /5� w �+3&$ .]�I��$��gq3�?X��e赇��\R* Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.829330783930073, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 84, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "86a5aa4f2841d9bfa987179322d646d8aa99ded1", "event_fingerprint": "caa98a45b003d6539b7d0cbedfc660e9e4b88ffb", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "05cab29f016e9cd4cc6b68718156f70f", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 84, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd]E\ufffd\ufffdb\ufffd\ufffd\ufffd-\ufffd\ufffd-\ufffdt\ufffd\u05c7L\ufffd\ufffdk\u0003'\ufffd\ufffd\ufffd\u0002 \u0003M,=q\u077d\\2\ufffdV\ufffd+T\ufffd\ufffd\ufffdg\ufffd@\ufffd\ufffd_\ufffdn\ufffd\u0016M\u4a6a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd]E\ufffd\ufffdb\ufffd\ufffd\ufffd-\ufffd\ufffd-\ufffdt\ufffd\u05c7L\ufffd\ufffdk\u0003'\ufffd\ufffd\ufffd\u0002 \u0003M,=q\u077d\\2\ufffdV\ufffd+T\ufffd\ufffd\ufffdg\ufffd@\ufffd\ufffd_\ufffdn\ufffd\u0016M\u4a6a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 .]\ufffdI\ufffd\ufffd$\ufffd\ufffdgq3\ufffd?X\u0011\ufffd\ufffd\ufffde\u8d47\ufffd\ufffd\\\u0000R*", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd]E\ufffd\ufffdb\ufffd\ufffd\ufffd-\ufffd\ufffd-\ufffdt\ufffd\u05c7L\ufffd\ufffdk\u0003'\ufffd\ufffd\ufffd\u0002 \u0003M,=q\u077d\\2\ufffdV\ufffd+T\ufffd\ufffd\ufffdg\ufffd@\ufffd\ufffd_\ufffdn\ufffd\u0016M\u4a6a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b527254a4e4ac441f3775779939e7f48304f6558", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd]E\ufffd\ufffdb\ufffd\ufffd\ufffd-\ufffd\ufffd-\ufffdt\ufffd\u05c7L\ufffd\ufffdk\u0003'\ufffd\ufffd\ufffd\u0002 \u0003M,=q\u077d\\2\ufffdV\ufffd+T\ufffd\ufffd\ufffdg\ufffd@\ufffd\ufffd_\ufffdn\ufffd\u0016M\u4a6a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 84, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd]E\ufffd\ufffdb\ufffd\ufffd\ufffd-\ufffd\ufffd-\ufffdt\ufffd\u05c7L\ufffd\ufffdk'\ufffd\ufffd\ufffd M,=q\u077d\\2\ufffdV\ufffd+T\ufffd\ufffd\ufffdg\ufffd@\ufffd\ufffd_\ufffdn\ufffdM\u4a6a&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:84 \u00b7 (reconnaissance)", "target_port_label": "84 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 84, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd]E\ufffd\ufffdb\ufffd\ufffd\ufffd-\ufffd\ufffd-\ufffdt\ufffd\u05c7L\ufffd\ufffdk\u0003'\ufffd\ufffd\ufffd\u0002 \u0003M,=q\u077d\\2\ufffdV\ufffd+T\ufffd\ufffd\ufffdg\ufffd@\ufffd\ufffd_\ufffdn\ufffd\u0016M\u4a6a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 84, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:84 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd]E\ufffd\ufffdb\ufffd\ufffd\ufffd-\ufffd\ufffd-\ufffdt\ufffd\u05c7L\ufffd\ufffdk'\ufffd\ufffd\ufffd M,=q\u077d\\2\ufffdV\ufffd+T\ufffd\ufffd\ufffdg\ufffd@\ufffd\ufffd_\ufffdn\ufffdM\u4a6a&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "84 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "84" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 111, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 111, "scan_velocity_ports_per_s": 75.25, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	2375 · DOCKER	docker	Scan de ports port scan syn · via DOCKER:2375 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER WAF — Recommandation Surveiller Tags docker_api_probe docker_emulated docker_payload net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2375 Chemin / cible — Service DOCKER Payload ��-,2%[�L��1��\��_�O ��=2� ��L�k3�+��{ӿC@HA ��Z�l̋�_�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��-,2%[�L��1��\��_�O ��=2� ��L�k3�+��{ӿC@HA��Z�l̋�_�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��-,2%[�L��1��\��_�O ��=2� ��L�k3�+��{ӿC@HA ��Z�l̋�_�&�+�/�,�0̨̩� �� /5� w �+3&$ ��H��ŕN��8��J��ݠa�y��u?�w Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a5365727665723a20446f636b65722f32342e302e350d0a436f6e74656e742d4c656e6774683a2036380d0a0d0a7b2241706956657273696f6e223a22312e3431222c2256657273696f6e223a223234", "emulator_response_len": 162, "bytes_in": 239, "payload_entropy": 5.827800664553857, "port_category": "registered", "org": "Google LLC", "service": "docker", "app_proto": "docker", "asn": 396982, "country": "US", "dst_port": 2375, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "623808625009878072f44fefd8b49cda3d052ce4", "event_fingerprint": "47f80acaf5e81cf022568fb908f725e169422055", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "docker", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "1fd6651c28d84b9c9b4e5eb4e8ad1f6c", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2375, "service": "docker", "service_name": "docker", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-,2%[\ufffdL\ufffd\u0001\ufffd\ufffd\u0002\ufffd1\ufffd\ufffd\\\ufffd\ufffd_\ufffdO \ufffd\ufffd\ufffd\u0004=2\ufffd \ufffd\ufffd\u0005\ufffdL\ufffdk3\u0004\ufffd+\ufffd\ufffd{\u04ffC@HA\u000b\ufffd\ufffdZ\ufffdl\u030b\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-,2%[\ufffdL\ufffd\u0001\ufffd\ufffd\u0002\ufffd1\ufffd\ufffd\\\ufffd\ufffd_\ufffdO \ufffd\ufffd\ufffd\u0004=2\ufffd \ufffd\ufffd\u0005\ufffdL\ufffdk3\u0004\ufffd+\ufffd\ufffd{\u04ffC@HA\u000b\ufffd\ufffdZ\ufffdl\u030b\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001b\ufffd\ufffdH\ufffd\ufffd\ufffd\u0155N\ufffd\u0018\ufffd8\ufffd\ufffdJ\ufffd\ufffd\u0760a\ufffdy\ufffd\ufffd\u000eu\u0010?\ufffdw", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-,2%[\ufffdL\ufffd\u0001\ufffd\ufffd\u0002\ufffd1\ufffd\ufffd\\\ufffd\ufffd_\ufffdO \ufffd\ufffd\ufffd\u0004=2\ufffd \ufffd\ufffd\u0005\ufffdL\ufffdk3\u0004\ufffd+\ufffd\ufffd{\u04ffC@HA\u000b\ufffd\ufffdZ\ufffdl\u030b\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d081a5b4733f60487d7dca853e03dca4e9eb7754", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-,2%[\ufffdL\ufffd\u0001\ufffd\ufffd\u0002\ufffd1\ufffd\ufffd\\\ufffd\ufffd_\ufffdO \ufffd\ufffd\ufffd\u0004=2\ufffd \ufffd\ufffd\u0005\ufffdL\ufffdk3\u0004\ufffd+\ufffd\ufffd{\u04ffC@HA\u000b\ufffd\ufffdZ\ufffdl\u030b\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "evidence_snippet": "\ufffd\ufffd\ufffd-,2%[\ufffdL\ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\\\ufffd\ufffd_\ufffdO \ufffd\ufffd\ufffd=2\ufffd \ufffd\ufffd\ufffdL\ufffdk3\ufffd+\ufffd\ufffd{\u04ffC@HA\ufffd\ufffdZ\ufffdl\u030b\ufffd_\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker", "service_label_fr": "DOCKER", "dst_port": 2375, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "Docker 24.0.5", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-,2%[\ufffdL\ufffd\u0001\ufffd\ufffd\u0002\ufffd1\ufffd\ufffd\\\ufffd\ufffd_\ufffdO \ufffd\ufffd\ufffd\u0004=2\ufffd \ufffd\ufffd\u0005\ufffdL\ufffdk3\u0004\ufffd+\ufffd\ufffd{\u04ffC@HA\u000b\ufffd\ufffdZ\ufffdl\u030b\ufffd_\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2375, "service": "docker", "service_label_fr": "DOCKER" }, "attack_vector": "port scan syn \u00b7 via DOCKER:2375 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd-,2%[\ufffdL\ufffd\ufffd\ufffd\ufffd1\ufffd\ufffd\\\ufffd\ufffd_\ufffdO \ufffd\ufffd\ufffd=2\ufffd \ufffd\ufffd\ufffdL\ufffdk3\ufffd+\ufffd\ufffd{\u04ffC@HA\ufffd\ufffdZ\ufffdl\u030b\ufffd_\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2375 \u00b7 DOCKER", "emulator_service": "docker", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker", "service_banner": "Docker 24.0.5", "service_os": "linux", "dst_port": "2375" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 111, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 111, "scan_velocity_ports_per_s": 74.93, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_emulated", "docker_payload", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	2096 · TLS	tls	Scan de ports port scan syn · via TLS:2096 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2096 Chemin / cible — Service TLS Payload ��O�/�Gt`�?ٝ��̕`%�6_E�k�Ʌ��G� +B��>��'�#�]l�0kݪ�� U&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��O�/�Gt`�?ٝ��̕`%�6_E�k�Ʌ��G� +B��>��'�#�]l�0kݪ�� U&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��O�/�Gt`�?ٝ��̕`%�6_E�k�Ʌ��G� +B��>��'�#�]l�0kݪ�� U&�+�/�,�0̨̩� �� /5� w �+3&$ o��^��j�㨜f]�C"g��rZ@ڻC Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.891097778809696, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 2096, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "cfc869c4181a8f145fbaa006f0726c3941744735", "event_fingerprint": "eb0451bdb53f2b783dc9708b806b97a682bd5089", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "b7b31bef7453df0fd345d0f6cbd361ad", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2096, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdO\ufffd\/\ufffdGt`\ufffd?\u065d\ufffd\ufffd\u0315`%\ufffd6_\u001bE\ufffdk\ufffd\u0245\ufffd\ufffdG\ufffd \u000b\u001b+B\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\u001a\ufffd'\ufffd#\ufffd]l\ufffd0k\u076a\ufffd\ufffd\n\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdO\ufffd\/\ufffdGt`\ufffd?\u065d\ufffd\ufffd\u0315`%\ufffd6_\u001bE\ufffdk\ufffd\u0245\ufffd\ufffdG\ufffd \u000b\u001b+B\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\u001a\ufffd'\ufffd#\ufffd]l\ufffd0k\u076a\ufffd\ufffd\n\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 o\u000f\ufffd\ufffd^\ufffd\ufffdj\ufffd\u3a1cf]\ufffdC\"g\ufffd\u0005\ufffd\ufffdrZ\u0019\u001b@\u06bbC", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdO\ufffd\/\ufffdGt`\ufffd?\u065d\ufffd\ufffd\u0315`%\ufffd6_\u001bE\ufffdk\ufffd\u0245\ufffd\ufffdG\ufffd \u000b\u001b+B\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\u001a\ufffd'\ufffd#\ufffd]l\ufffd0k\u076a\ufffd\ufffd\n\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8710e6c982b6feaa4625a93605f9a3ca61391812", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdO\ufffd\/\ufffdGt`\ufffd?\u065d\ufffd\ufffd\u0315`%\ufffd6_\u001bE\ufffdk\ufffd\u0245\ufffd\ufffdG\ufffd \u000b\u001b+B\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\u001a\ufffd'\ufffd#\ufffd]l\ufffd0k\u076a\ufffd\ufffd\n\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2096, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdO\ufffd\/\ufffdGt`\ufffd?\u065d\ufffd\ufffd\u0315`%\ufffd6_E\ufffdk\ufffd\u0245\ufffd\ufffdG\ufffd +B\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd'\ufffd#\ufffd]l\ufffd0k\u076a\ufffd\ufffd\n\ufffdU&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:2096 \u00b7 (reconnaissance)", "target_port_label": "2096 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2096, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdO\ufffd\/\ufffdGt`\ufffd?\u065d\ufffd\ufffd\u0315`%\ufffd6_\u001bE\ufffdk\ufffd\u0245\ufffd\ufffdG\ufffd \u000b\u001b+B\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\u001a\ufffd'\ufffd#\ufffd]l\ufffd0k\u076a\ufffd\ufffd\n\ufffdU\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2096, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:2096 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdO\ufffd\/\ufffdGt`\ufffd?\u065d\ufffd\ufffd\u0315`%\ufffd6_E\ufffdk\ufffd\u0245\ufffd\ufffdG\ufffd +B\ufffd\ufffd\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd'\ufffd#\ufffd]l\ufffd0k\u076a\ufffd\ufffd\n\ufffdU&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2096 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2096" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 111, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 111, "scan_velocity_ports_per_s": 74.58, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8400 · TLS	tls	Scan de ports port scan syn · via TLS:8400 · (reconnaissance)	Élevée	Moyen · 43
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8400 Chemin / cible — Service TLS Payload ��̹��.��k�i��F(��1��W'Ψ� ^�0�) �}�ɂ{�3c�n/��1>��N4�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 43 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��̹��.��k�i��F(��1��W'Ψ� ^�0�) �}�ɂ{�3c�n/��1>��N4�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��̹��.��k�i��F(��1��W'Ψ� ^�0�) �}�ɂ{�3c�n/��1>��N4�&�+�/�,�0̨̩� �� /5� w �+3&$ ��ܨ�ԗ�i�.�CN��?��Y��r[�O Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.847931958569891, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8400, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 6.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 43, "tag_count": 4, "anomaly_count": 0, "campaign_key": "7482193b2c4c98a92f786d2133f85e79d6e16a6e", "event_fingerprint": "d994203c11badeb2d348d16341295a6a38de748a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 43, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "d8b68a4c2a89658345afbb7f1f0a1852", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8400, "service": "tls", "service_name": "tls", "risk_score": 43 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0339\ufffd\ufffd.\ufffd\ufffdk\ufffdi\ufffd\ufffd\ufffdF(\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffd\u0011W'\u03a8\u0013\ufffd ^\ufffd0\ufffd)\u001b\n\ufffd}\ufffd\u0242{\ufffd3c\ufffd\u0005\u001en\/\ufffd\ufffd1>\ufffd\ufffd\ufffdN4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0339\ufffd\ufffd.\ufffd\ufffdk\ufffdi\ufffd\ufffd\ufffdF(\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffd\u0011W'\u03a8\u0013\ufffd ^\ufffd0\ufffd)\u001b\n\ufffd}\ufffd\u0242{\ufffd3c\ufffd\u0005\u001en\/\ufffd\ufffd1>\ufffd\ufffd\ufffdN4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0001\ufffd\ufffd\u0728\ufffd\u000f\u0019\u0517\u0003\ufffdi\ufffd.\ufffdCN\b\ufffd\ufffd?\ufffd\ufffdY\ufffd\ufffd\ufffdr[\ufffdO", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0339\ufffd\ufffd.\ufffd\ufffdk\ufffdi\ufffd\ufffd\ufffdF(\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffd\u0011W'\u03a8\u0013\ufffd ^\ufffd0\ufffd)\u001b\n\ufffd}\ufffd\u0242{\ufffd3c\ufffd\u0005\u001en\/\ufffd\ufffd1>\ufffd\ufffd\ufffdN4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "639552ededeafd8e46d4a72ea0867df6a78017bd", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0339\ufffd\ufffd.\ufffd\ufffdk\ufffdi\ufffd\ufffd\ufffdF(\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffd\u0011W'\u03a8\u0013\ufffd ^\ufffd0\ufffd)\u001b\n\ufffd}\ufffd\u0242{\ufffd3c\ufffd\u0005\u001en\/\ufffd\ufffd1>\ufffd\ufffd\ufffdN4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8400, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\u0339\ufffd\ufffd.\ufffd\ufffdk\ufffdi\ufffd\ufffd\ufffdF(\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffdW'\u03a8\ufffd ^\ufffd0\ufffd)\n\ufffd}\ufffd\u0242{\ufffd3c\ufffdn\/\ufffd\ufffd1>\ufffd\ufffd\ufffdN4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8400 \u00b7 (reconnaissance)", "target_port_label": "8400 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 43, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 43, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8400, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0339\ufffd\ufffd.\ufffd\ufffdk\ufffdi\ufffd\ufffd\ufffdF(\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffd\u0011W'\u03a8\u0013\ufffd ^\ufffd0\ufffd)\u001b\n\ufffd}\ufffd\u0242{\ufffd3c\ufffd\u0005\u001en\/\ufffd\ufffd1>\ufffd\ufffd\ufffdN4\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8400, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8400 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\u0339\ufffd\ufffd.\ufffd\ufffdk\ufffdi\ufffd\ufffd\ufffdF(\ufffd\ufffd1\ufffd\ufffd\ufffd\ufffdW'\u03a8\ufffd ^\ufffd0\ufffd)\n\ufffd}\ufffd\u0242{\ufffd3c\ufffdn\/\ufffd\ufffd1>\ufffd\ufffd\ufffdN4\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8400 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8400" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 112, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 112, "scan_velocity_ports_per_s": 74.93, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8443 · HTTPS	https	Scan de ports port scan syn · via HTTPS:8443 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload ��cr�W��$�'��c�H�7��(��KL � \�SF`9:9��>��z� �G�%g&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��cr�W��$�'��c�H�7��(��KL � \�SF`9:9��>��z��G�%g&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��cr�W��$�'��c�H�7��(��KL � \�SF`9:9��>��z� �G�%g&�+�/�,�0̨̩� �� /5� w �+3&$ �u(��Md� PGla-�~�}d�I��~�\ Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.79612476305959, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "82e7005f91727a126e0d4c319fff2fcb94ce35d5", "event_fingerprint": "ebbf50493a5cd01037444d3e811aea60318e67dd", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "904f73b2fc629e8e9258d89886f38689", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0005cr\ufffdW\u0006\ufffd\u0017\ufffd$\ufffd'\ufffd\ufffdc\ufffdH\ufffd\b7\u001a\ufffd\ufffd(\ufffd\u000e\ufffd\ufffdKL \ufffd\t\\\ufffdSF`9\u0014:9\ufffd\ufffd\u001c\u0001>\ufffd\ufffd\ufffdz\ufffd\u0018\u0018\u0006\u000b\u0014\ufffdG\u0006\ufffd%g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0005cr\ufffdW\u0006\ufffd\u0017\ufffd$\ufffd'\ufffd\ufffdc\ufffdH\ufffd\b7\u001a\ufffd\ufffd(\ufffd\u000e\ufffd\ufffdKL \ufffd\t\\\ufffdSF`9\u0014:9\ufffd\ufffd\u001c\u0001>\ufffd\ufffd\ufffdz\ufffd\u0018\u0018\u0006\u000b\u0014\ufffdG\u0006\ufffd%g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdu(\u0006\ufffd\ufffd\ufffd\ufffdMd\ufffd PGla-\ufffd~\u0014\ufffd}d\ufffdI\ufffd\ufffd~\ufffd\\", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0005cr\ufffdW\u0006\ufffd\u0017\ufffd$\ufffd'\ufffd\ufffdc\ufffdH\ufffd\b7\u001a\ufffd\ufffd(\ufffd\u000e\ufffd\ufffdKL \ufffd\t\\\ufffdSF`9\u0014:9\ufffd\ufffd\u001c\u0001>\ufffd\ufffd\ufffdz\ufffd\u0018\u0018\u0006\u000b\u0014\ufffdG\u0006\ufffd%g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7ba0a0a3e6bdd0f409ca9c081230e3b5e1722af6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0005cr\ufffdW\u0006\ufffd\u0017\ufffd$\ufffd'\ufffd\ufffdc\ufffdH\ufffd\b7\u001a\ufffd\ufffd(\ufffd\u000e\ufffd\ufffdKL \ufffd\t\\\ufffdSF`9\u0014:9\ufffd\ufffd\u001c\u0001>\ufffd\ufffd\ufffdz\ufffd\u0018\u0018\u0006\u000b\u0014\ufffdG\u0006\ufffd%g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdcr\ufffdW\ufffd\ufffd$\ufffd'\ufffd\ufffdc\ufffdH\ufffd7\ufffd\ufffd(\ufffd\ufffd\ufffdKL \ufffd\t\\\ufffdSF`9:9\ufffd\ufffd>\ufffd\ufffd\ufffdz\ufffd\ufffdG\ufffd%g&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0005cr\ufffdW\u0006\ufffd\u0017\ufffd$\ufffd'\ufffd\ufffdc\ufffdH\ufffd\b7\u001a\ufffd\ufffd(\ufffd\u000e\ufffd\ufffdKL \ufffd\t\\\ufffdSF`9\u0014:9\ufffd\ufffd\u001c\u0001>\ufffd\ufffd\ufffdz\ufffd\u0018\u0018\u0006\u000b\u0014\ufffdG\u0006\ufffd%g\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "port scan syn \u00b7 via HTTPS:8443 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdcr\ufffdW\ufffd\ufffd$\ufffd'\ufffd\ufffdc\ufffdH\ufffd7\ufffd\ufffd(\ufffd\ufffd\ufffdKL \ufffd\t\\\ufffdSF`9:9\ufffd\ufffd>\ufffd\ufffd\ufffdz\ufffd\ufffdG\ufffd%g&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 113, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 113, "scan_velocity_ports_per_s": 75.27, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8445 · TLS	tls	Scan de ports port scan syn · via TLS:8445 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8445 Chemin / cible — Service TLS Payload ��Ƚ�U��#z00TM�J�T��(�� C��Se^��"�ݜ0��gIpG[��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Ƚ�U��#z00TM�J�T��(�� C��Se^��"�ݜ0��gIpG[��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��Ƚ�U��#z00TM�J�T��(�� C��Se^��"�ݜ0��gIpG[��&�+�/�,�0̨̩� �� /5� w �+3&$ T�^��'ѿ$h��J4�J&�p�}28 �q��S Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.756613638851219, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8445, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "1dcacc7c548c5690e874446462ef303106a7003b", "event_fingerprint": "859cde863843e2974c486e4997b6fb3fb479e82c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "a764f0eed8266d7e6f242f2f548a25e9", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8445, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005\u023d\ufffdU\ufffd\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011\ufffd#\u0001z00TM\ufffdJ\ufffdT\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdC\ufffd\ufffdSe^\ufffd\ufffd\ufffd\"\u001c\ufffd\u0011\u075c0\ufffd\u0012\ufffd\ufffdgIpG[\u0015\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005\u023d\ufffdU\ufffd\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011\ufffd#\u0001z00TM\ufffdJ\ufffdT\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdC\ufffd\ufffdSe^\ufffd\ufffd\ufffd\"\u001c\ufffd\u0011\u075c0\ufffd\u0012\ufffd\ufffdgIpG[\u0015\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 T\u0019\ufffd^\ufffd\ufffd'\u047f$h\ufffd\ufffdJ4\ufffdJ&\ufffdp\ufffd}28\n\ufffdq\u0005\ufffd\ufffd\u0011S", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005\u023d\ufffdU\ufffd\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011\ufffd#\u0001z00TM\ufffdJ\ufffdT\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdC\ufffd\ufffdSe^\ufffd\ufffd\ufffd\"\u001c\ufffd\u0011\u075c0\ufffd\u0012\ufffd\ufffdgIpG[\u0015\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2300d631cf6cc0930e2f1b9c18d39cafa3676f86", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005\u023d\ufffdU\ufffd\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011\ufffd#\u0001z00TM\ufffdJ\ufffdT\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdC\ufffd\ufffdSe^\ufffd\ufffd\ufffd\"\u001c\ufffd\u0011\u075c0\ufffd\u0012\ufffd\ufffdgIpG[\u0015\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8445, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\u023d\ufffdU\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd#z00TM\ufffdJ\ufffdT\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdC\ufffd\ufffdSe^\ufffd\ufffd\ufffd\"\ufffd\u075c0\ufffd\ufffd\ufffdgIpG[\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8445 \u00b7 (reconnaissance)", "target_port_label": "8445 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8445, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0005\u023d\ufffdU\ufffd\u0001\ufffd\ufffd\ufffd\ufffd\ufffd\u0011\ufffd#\u0001z00TM\ufffdJ\ufffdT\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdC\ufffd\ufffdSe^\ufffd\ufffd\ufffd\"\u001c\ufffd\u0011\u075c0\ufffd\u0012\ufffd\ufffdgIpG[\u0015\u0014\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8445, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8445 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\u023d\ufffdU\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd#z00TM\ufffdJ\ufffdT\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd \ufffd\ufffdC\ufffd\ufffdSe^\ufffd\ufffd\ufffd\"\ufffd\u075c0\ufffd\ufffd\ufffdgIpG[\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8445 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8445" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 114, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 114, "scan_velocity_ports_per_s": 75.61, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8447 · TLS	tls	Scan de ports port scan syn · via TLS:8447 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8447 Chemin / cible — Service TLS Payload ��zab��Щ�Jz��8؜[��E��G�Jr ��n�N�5W��y^��v��K��$⮦&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��zab��Щ�Jz��8؜[��E��G�Jr ��n�N�5W��y^��v��K��$⮦&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��zab��Щ�Jz��8؜[��E��G�Jr ��n�N�5W��y^��v��K��$⮦&�+�/�,�0̨̩� �� /5� w �+3&$ N��"�1��A`"f\x�+#�2�ͅ5 L Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.840239257121571, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8447, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "0e922ab71b695231987f6a2283eacd9ecfadb5c8", "event_fingerprint": "d4eafa23da660786e9930bea0dbe51dc8ec63918", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "a79c50d33b56cf918cb1ae43f775b5dc", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8447, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0000\u0002za\u0016b\ufffd\ufffd\u0429\ufffdJz\ufffd\ufffd8\u061c[\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdJr \u000e\r\ufffd\ufffdn\u000f\ufffd\u0014N\ufffd\u001c5W\ufffd\ufffd\u000ey^\ufffd\ufffdv\ufffd\ufffdK\ufffd\ufffd$\u2ba6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0000\u0002za\u0016b\ufffd\ufffd\u0429\ufffdJz\ufffd\ufffd8\u061c[\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdJr \u000e\r\ufffd\ufffdn\u000f\ufffd\u0014N\ufffd\u001c5W\ufffd\ufffd\u000ey^\ufffd\ufffdv\ufffd\ufffdK\ufffd\ufffd$\u2ba6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 N\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\ufffd1\ufffd\ufffdA`\"f\\x\ufffd+#\ufffd2\ufffd\u03455 L", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0000\u0002za\u0016b\ufffd\ufffd\u0429\ufffdJz\ufffd\ufffd8\u061c[\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdJr \u000e\r\ufffd\ufffdn\u000f\ufffd\u0014N\ufffd\u001c5W\ufffd\ufffd\u000ey^\ufffd\ufffdv\ufffd\ufffdK\ufffd\ufffd$\u2ba6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fd98f894e16d251136fbb5386f0b5cd3228bc2e4", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0000\u0002za\u0016b\ufffd\ufffd\u0429\ufffdJz\ufffd\ufffd8\u061c[\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdJr \u000e\r\ufffd\ufffdn\u000f\ufffd\u0014N\ufffd\u001c5W\ufffd\ufffd\u000ey^\ufffd\ufffdv\ufffd\ufffdK\ufffd\ufffd$\u2ba6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8447, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdzab\ufffd\ufffd\u0429\ufffdJz\ufffd\ufffd8\u061c[\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdJr \r\ufffd\ufffdn\ufffdN\ufffd5W\ufffd\ufffdy^\ufffd\ufffdv\ufffd\ufffdK\ufffd\ufffd$\u2ba6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8447 \u00b7 (reconnaissance)", "target_port_label": "8447 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8447, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0000\u0002za\u0016b\ufffd\ufffd\u0429\ufffdJz\ufffd\ufffd8\u061c[\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdJr \u000e\r\ufffd\ufffdn\u000f\ufffd\u0014N\ufffd\u001c5W\ufffd\ufffd\u000ey^\ufffd\ufffdv\ufffd\ufffdK\ufffd\ufffd$\u2ba6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8447, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8447 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdzab\ufffd\ufffd\u0429\ufffdJz\ufffd\ufffd8\u061c[\ufffd\ufffdE\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffdJr \r\ufffd\ufffdn\ufffdN\ufffd5W\ufffd\ufffdy^\ufffd\ufffdv\ufffd\ufffdK\ufffd\ufffd$\u2ba6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8447 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8447" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 115, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 115, "scan_velocity_ports_per_s": 75.94, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	2376 · DOCKER TLS	docker-tls	Scan de ports port scan syn · via DOCKER TLS:2376 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur DOCKER-TLS WAF — Recommandation Surveiller Tags docker_api_probe docker_tls_emulated docker_tls_payload net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2376 Chemin / cible — Service DOCKER TLS Payload ��hy��W^�Et3�Lh��Oս�`��ʉ7X, ^3��<��pYl~�p��lA��N��H��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��hy��W^�Et3�Lh��Oս�`��ʉ7X, ^3��<��pYl~�p��lA��N��H��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��hy��W^�Et3�Lh��Oս�`��ʉ7X, ^3��<��pYl~�p��lA��N��H��&�+�/�,�0̨̩� �� /5� w �+3&$ u� c��@�go'jd)O�<� R�憖��A=C Meta JSON brut { "protocol_emulated": true, "emulator_response": "15030300020228", "emulator_response_len": 7, "bytes_in": 239, "payload_entropy": 5.855488522302645, "port_category": "registered", "org": "Google LLC", "service": "docker-tls", "app_proto": "docker-tls", "asn": 396982, "country": "US", "dst_port": 2376, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "71fbf70477a66316649ee1707ff12bdc56b7b492", "event_fingerprint": "2934eaa6e03002fa8b30d0603e83341e6028eb9b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "docker-tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "21439194b9b6a63feeaf06b059ffea05", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2376, "service": "docker-tls", "service_name": "docker-tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdhy\ufffd\ufffdW^\ufffdEt\u0011\u001f3\ufffdLh\ufffd\ufffd\ufffdO\u057d\b\ufffd`\ufffd\ufffd\u02897X, ^3\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdpYl~\ufffdp\ufffd\ufffdlA\ufffd\u0019\ufffdN\ufffd\u0000\ufffdH\u0016\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdhy\ufffd\ufffdW^\ufffdEt\u0011\u001f3\ufffdLh\ufffd\ufffd\ufffdO\u057d\b\ufffd`\ufffd\ufffd\u02897X, ^3\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdpYl~\ufffdp\ufffd\ufffdlA\ufffd\u0019\ufffdN\ufffd\u0000\ufffdH\u0016\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0016u\ufffd\u000bc\ufffd\ufffd@\ufffdgo'jd)O\ufffd<\ufffd\fR\ufffd\u6196\ufffd\u001a\ufffdA\u001d=C", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdhy\ufffd\ufffdW^\ufffdEt\u0011\u001f3\ufffdLh\ufffd\ufffd\ufffdO\u057d\b\ufffd`\ufffd\ufffd\u02897X, ^3\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdpYl~\ufffdp\ufffd\ufffdlA\ufffd\u0019\ufffdN\ufffd\u0000\ufffdH\u0016\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13c033e5816acc3f829bc6d4bace5e85706d10db", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdhy\ufffd\ufffdW^\ufffdEt\u0011\u001f3\ufffdLh\ufffd\ufffd\ufffdO\u057d\b\ufffd`\ufffd\ufffd\u02897X, ^3\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdpYl~\ufffdp\ufffd\ufffdlA\ufffd\u0019\ufffdN\ufffd\u0000\ufffdH\u0016\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdhy\ufffd\ufffdW^\ufffdEt3\ufffdLh\ufffd\ufffd\ufffdO\u057d\ufffd`\ufffd\ufffd\u02897X, ^3\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdpYl~\ufffdp\ufffd\ufffdlA\ufffd\ufffdN\ufffd\ufffdH\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via DOCKER TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "docker-tls", "service_label_fr": "DOCKER TLS", "dst_port": 2376, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-docker-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdhy\ufffd\ufffdW^\ufffdEt\u0011\u001f3\ufffdLh\ufffd\ufffd\ufffdO\u057d\b\ufffd`\ufffd\ufffd\u02897X, ^3\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdpYl~\ufffdp\ufffd\ufffdlA\ufffd\u0019\ufffdN\ufffd\u0000\ufffdH\u0016\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2376, "service": "docker-tls", "service_label_fr": "DOCKER TLS" }, "attack_vector": "port scan syn \u00b7 via DOCKER TLS:2376 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdhy\ufffd\ufffdW^\ufffdEt3\ufffdLh\ufffd\ufffd\ufffdO\u057d\ufffd`\ufffd\ufffd\u02897X, ^3\ufffd\ufffd\ufffd\ufffd\ufffd<\ufffd\ufffdpYl~\ufffdp\ufffd\ufffdlA\ufffd\ufffdN\ufffd\ufffdH\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2376 \u00b7 DOCKER TLS", "emulator_service": "docker-tls", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "docker_tls", "service_banner": "honeypot-docker-tls", "service_os": "linux", "dst_port": "2376" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 115, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 115, "scan_velocity_ports_per_s": 75.62, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "docker_api_probe", "docker_tls_emulated", "docker_tls_payload", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	2379 · ETCD	etcd	Scan de ports port scan syn · via ETCD:2379 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur ETCD WAF — Recommandation Surveiller Tags etcd_emulated etcd_payload etcd_probe net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2379 Chemin / cible — Service ETCD Payload ��ܺ�KNFԞ��w��'+ �D�M��pS�� =w3Εv7� ߠ�:��o\�BB��=<JQI�L&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) Sigma DNP3 link PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��ܺ�KNFԞ��w��'+ �D�M��pS�� =w3Εv7� ߠ�:��o\�BB��=<JQI�L&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��ܺ�KNFԞ��w��'+ �D�M��pS�� =w3Εv7� ߠ�:��o\�BB��=<JQI�L&�+�/�,�0̨̩� �� /5� w �+3&$ ކ��l\P%Q��.:��"�t��(��1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a436f6e74656e742d547970653a206170706c69636174696f6e2f6a736f6e0d0a436f6e74656e742d4c656e6774683a2034340d0a0d0a7b2265746364736572766572223a22332e352e39222c2265746364636c7573746572223a22332e352e39227d", "emulator_response_len": 115, "bytes_in": 239, "payload_entropy": 5.894849230492712, "port_category": "registered", "org": "Google LLC", "service": "etcd", "app_proto": "etcd", "asn": 396982, "country": "US", "dst_port": 2379, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "2d791a5f81212f5965a1c60903d1ad6cac5a9018", "event_fingerprint": "6ba0ae34fab78980904436295f71003affeecbf2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0794", "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "Sigma DNP3 link", "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0794", "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "etcd", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7f33675f933e2b875826edc2f2559752", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2379, "service": "etcd", "service_name": "etcd", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u073a\ufffdKNF\u051e\ufffd\ufffd\ufffdw\ufffd\ufffd\u001d\ufffd'+ \ufffd\u0005D\ufffdM\ufffd\u0007\ufffd\ufffdpS\ufffd\ufffd =w3\u0395v7\ufffd\r\u07e0\ufffd:\u0019\ufffd\u0011\ufffdo\\\ufffdB\u001eB\ufffd\ufffd=<JQI\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u073a\ufffdKNF\u051e\ufffd\ufffd\ufffdw\ufffd\ufffd\u001d\ufffd'+ \ufffd\u0005D\ufffdM\ufffd\u0007\ufffd\ufffdpS\ufffd\ufffd =w3\u0395v7\ufffd\r\u07e0\ufffd:\u0019\ufffd\u0011\ufffdo\\\ufffdB\u001eB\ufffd\ufffd=<JQI\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0786\u0011\ufffd\ufffd\ufffd\ufffdl\\P%Q\ufffd\ufffd.:\ufffd\ufffd\"\ufffd\u0011t\ufffd\ufffd(\ufffd\ufffd\ufffd\u00051\u0002", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u073a\ufffdKNF\u051e\ufffd\ufffd\ufffdw\ufffd\ufffd\u001d\ufffd'+ \ufffd\u0005D\ufffdM\ufffd\u0007\ufffd\ufffdpS\ufffd\ufffd =w3\u0395v7\ufffd\r\u07e0\ufffd:\u0019\ufffd\u0011\ufffdo\\\ufffdB\u001eB\ufffd\ufffd=<JQI\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9f9befe46898d28661715764e094e6c25c8e84b4", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u073a\ufffdKNF\u051e\ufffd\ufffd\ufffdw\ufffd\ufffd\u001d\ufffd'+ \ufffd\u0005D\ufffdM\ufffd\u0007\ufffd\ufffdpS\ufffd\ufffd =w3\u0395v7\ufffd\r\u07e0\ufffd:\u0019\ufffd\u0011\ufffdo\\\ufffdB\u001eB\ufffd\ufffd=<JQI\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2379, "service": "etcd", "service_label_fr": "ETCD" }, "evidence_snippet": "\ufffd\ufffd\u073a\ufffdKNF\u051e\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd'+ \ufffdD\ufffdM\ufffd\ufffd\ufffdpS\ufffd\ufffd =w3\u0395v7\ufffd\r\u07e0\ufffd:\ufffd\ufffdo\\\ufffdBB\ufffd\ufffd=<JQI\ufffdL&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via ETCD:2379 \u00b7 (reconnaissance)", "target_port_label": "2379 \u00b7 ETCD", "emulator_service": "etcd", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via ETCD \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "etcd", "service_label_fr": "ETCD", "dst_port": 2379, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-etcd", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u073a\ufffdKNF\u051e\ufffd\ufffd\ufffdw\ufffd\ufffd\u001d\ufffd'+ \ufffd\u0005D\ufffdM\ufffd\u0007\ufffd\ufffdpS\ufffd\ufffd =w3\u0395v7\ufffd\r\u07e0\ufffd:\u0019\ufffd\u0011\ufffdo\\\ufffdB\u001eB\ufffd\ufffd=<JQI\ufffdL\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2379, "service": "etcd", "service_label_fr": "ETCD" }, "attack_vector": "port scan syn \u00b7 via ETCD:2379 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\u073a\ufffdKNF\u051e\ufffd\ufffd\ufffdw\ufffd\ufffd\ufffd'+ \ufffdD\ufffdM\ufffd\ufffd\ufffdpS\ufffd\ufffd =w3\u0395v7\ufffd\r\u07e0\ufffd:\ufffd\ufffdo\\\ufffdBB\ufffd\ufffd=<JQI\ufffdL&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2379 \u00b7 ETCD", "emulator_service": "etcd", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "etcd", "service_banner": "honeypot-etcd", "service_os": "linux", "dst_port": "2379" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 115, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 115, "scan_velocity_ports_per_s": 75.31, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "etcd_emulated", "etcd_payload", "etcd_probe", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8448 · TLS	tls	Scan de ports port scan syn · via TLS:8448 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8448 Chemin / cible — Service TLS Payload ��`w��k�3��[Y2�RY�W��}�=�� 9+J��R#+[\| S��}��_��Gf�s�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��`w��k�3��[Y2�RY�W��}�=�� 9+J��R#+[\| S��}��_��Gf�s�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��`w��k�3��[Y2�RY�W��}�=�� 9+J��R#+[\| S��}��_��Gf�s�&�+�/�,�0̨̩� �� /5� w �+3&$ ��_�'=L��?�]K��T��I Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.808250004004071, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8448, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8ba3a388a3d699a65e3e1b1574fc0c84e5792c13", "event_fingerprint": "9aea52c59ee11da98745820176cced2ad4c3aeb9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "89ff037197b407cd02010ab704198918", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8448, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`w\ufffd\ufffd\ufffdk\ufffd3\ufffd\ufffd[Y\u0003\u00112\ufffdR\u0000Y\ufffdW\ufffd\ufffd\ufffd\ufffd}\ufffd\u0013=\ufffd\ufffd\ufffd \ufffd9+J\ufffd\ufffdR\b#\u0003+[\|\nS\ufffd\ufffd}\ufffd\ufffd_\u0004\u0002\ufffd\ufffdGf\u0005\ufffds\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`w\ufffd\ufffd\ufffdk\ufffd3\ufffd\ufffd[Y\u0003\u00112\ufffdR\u0000Y\ufffdW\ufffd\ufffd\ufffd\ufffd}\ufffd\u0013=\ufffd\ufffd\ufffd \ufffd9+J\ufffd\ufffdR\b#\u0003+[\|\nS\ufffd\ufffd}\ufffd\ufffd_\u0004\u0002\ufffd\ufffdGf\u0005\ufffds\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \f\ufffd\ufffd\ufffd\ufffd_\ufffd'=L\ufffd\ufffd\ufffd?\ufffd]K\ufffd\ufffd\ufffd\ufffdT\ufffd\ufffd\ufffd\u0018\u0004\ufffdI", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`w\ufffd\ufffd\ufffdk\ufffd3\ufffd\ufffd[Y\u0003\u00112\ufffdR\u0000Y\ufffdW\ufffd\ufffd\ufffd\ufffd}\ufffd\u0013=\ufffd\ufffd\ufffd \ufffd9+J\ufffd\ufffdR\b#\u0003+[\|\nS\ufffd\ufffd}\ufffd\ufffd_\u0004\u0002\ufffd\ufffdGf\u0005\ufffds\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8c1cf3633caf0ea6b86c43a6e7b8a31a5837ff2d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`w\ufffd\ufffd\ufffdk\ufffd3\ufffd\ufffd[Y\u0003\u00112\ufffdR\u0000Y\ufffdW\ufffd\ufffd\ufffd\ufffd}\ufffd\u0013=\ufffd\ufffd\ufffd \ufffd9+J\ufffd\ufffdR\b#\u0003+[\|\nS\ufffd\ufffd}\ufffd\ufffd_\u0004\u0002\ufffd\ufffdGf\u0005\ufffds\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8448, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd`w\ufffd\ufffd\ufffdk\ufffd3\ufffd\ufffd[Y2\ufffdRY\ufffdW\ufffd\ufffd\ufffd\ufffd}\ufffd=\ufffd\ufffd\ufffd \ufffd9+J\ufffd\ufffdR#+[\|\nS\ufffd\ufffd}\ufffd\ufffd_\ufffd\ufffdGf\ufffds\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8448 \u00b7 (reconnaissance)", "target_port_label": "8448 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8448, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003`w\ufffd\ufffd\ufffdk\ufffd3\ufffd\ufffd[Y\u0003\u00112\ufffdR\u0000Y\ufffdW\ufffd\ufffd\ufffd\ufffd}\ufffd\u0013=\ufffd\ufffd\ufffd \ufffd9+J\ufffd\ufffdR\b#\u0003+[\|\nS\ufffd\ufffd}\ufffd\ufffd_\u0004\u0002\ufffd\ufffdGf\u0005\ufffds\u0010\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8448, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8448 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd`w\ufffd\ufffd\ufffdk\ufffd3\ufffd\ufffd[Y2\ufffdRY\ufffdW\ufffd\ufffd\ufffd\ufffd}\ufffd=\ufffd\ufffd\ufffd \ufffd9+J\ufffd\ufffdR#+[\|\nS\ufffd\ufffd}\ufffd\ufffd_\ufffd\ufffdGf\ufffds\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8448 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8448" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 116, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 116, "scan_velocity_ports_per_s": 75.65, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	2380 · TLS	tls	Scan de ports port scan syn · via TLS:2380 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2380 Chemin / cible — Service TLS Payload �� 3��S~$�WD��O�y��n�GlK� /m��"<8�^N�M��Vu��S/v�A\^&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) �� 3��S~$�WD��O�y��n�GlK� /m��"<8�^N�M��Vu��S/v�A\^&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� 3��S~$�WD��O�y��n�GlK� /m��"<8�^N�M��Vu��S/v�A\^&�+�/�,�0̨̩� �� /5� w �+3&$ �g��{��ZC�A�1awH%+�R�v�XnĿB Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.833325003354277, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 2380, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.2, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3b43da7a3759a46adb3361bb27118fd9e16167cd", "event_fingerprint": "6e66646ea52e154ab74b66a3c865b960c188c2e1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "662e222fa77a89d151c9cc2c650f8ca1", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2380, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd 3\b\ufffd\ufffd\u0015S~$\ufffdWD\ufffd\u001b\u001f\u0003\u0001\ufffd\ufffdO\ufffdy\ufffd\ufffdn\ufffdGlK\ufffd \u0018\/m\ufffd\ufffd\"<8\u0016\u0014\u001f\ufffd^N\ufffdM\ufffd\ufffd\ufffdV\u001du\ufffd\ufffdS\/v\u0015\ufffdA\\^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd 3\b\ufffd\ufffd\u0015S~$\ufffdWD\ufffd\u001b\u001f\u0003\u0001\ufffd\ufffdO\ufffdy\ufffd\ufffdn\ufffdGlK\ufffd \u0018\/m\ufffd\ufffd\"<8\u0016\u0014\u001f\ufffd^N\ufffdM\ufffd\ufffd\ufffdV\u001du\ufffd\ufffdS\/v\u0015\ufffdA\\^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdg\ufffd\ufffd\ufffd{\ufffd\ufffd\ufffd\u001aZC\ufffdA\ufffd1awH%+\ufffdR\ufffdv\ufffdXn\u013fB\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd 3\b\ufffd\ufffd\u0015S~$\ufffdWD\ufffd\u001b\u001f\u0003\u0001\ufffd\ufffdO\ufffdy\ufffd\ufffdn\ufffdGlK\ufffd \u0018\/m\ufffd\ufffd\"<8\u0016\u0014\u001f\ufffd^N\ufffdM\ufffd\ufffd\ufffdV\u001du\ufffd\ufffdS\/v\u0015\ufffdA\\^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "84f0e46f8a35cef5ec9c9272217a3a64f2bf56f0", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd 3\b\ufffd\ufffd\u0015S~$\ufffdWD\ufffd\u001b\u001f\u0003\u0001\ufffd\ufffdO\ufffdy\ufffd\ufffdn\ufffdGlK\ufffd \u0018\/m\ufffd\ufffd\"<8\u0016\u0014\u001f\ufffd^N\ufffdM\ufffd\ufffd\ufffdV\u001du\ufffd\ufffdS\/v\u0015\ufffdA\\^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2380, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd 3\ufffd\ufffdS~$\ufffdWD\ufffd\ufffd\ufffdO\ufffdy\ufffd\ufffdn\ufffdGlK\ufffd \/m\ufffd\ufffd\"<8\ufffd^N\ufffdM\ufffd\ufffd\ufffdVu\ufffd\ufffdS\/v\ufffdA\\^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:2380 \u00b7 (reconnaissance)", "target_port_label": "2380 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2380, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd 3\b\ufffd\ufffd\u0015S~$\ufffdWD\ufffd\u001b\u001f\u0003\u0001\ufffd\ufffdO\ufffdy\ufffd\ufffdn\ufffdGlK\ufffd \u0018\/m\ufffd\ufffd\"<8\u0016\u0014\u001f\ufffd^N\ufffdM\ufffd\ufffd\ufffdV\u001du\ufffd\ufffdS\/v\u0015\ufffdA\\^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2380, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:2380 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd 3\ufffd\ufffdS~$\ufffdWD\ufffd\ufffd\ufffdO\ufffdy\ufffd\ufffdn\ufffdGlK\ufffd \/m\ufffd\ufffd\"<8\ufffd^N\ufffdM\ufffd\ufffd\ufffdVu\ufffd\ufffdS\/v\ufffdA\\^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2380 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2380" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 116, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 116, "scan_velocity_ports_per_s": 75.32, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8484 · TLS	tls	Scan de ports port scan syn · via TLS:8484 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8484 Chemin / cible — Service TLS Payload ��H��;��ĺ��p8ǎ��:7�О�i ��nsd�w�� #U�Q��KN�RJ�L�u5&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��H��;��ĺ��p8ǎ��:7�О�i ��nsd�w�� #U�Q��KN�RJ�L�u5&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��H��;��ĺ��p8ǎ��:7�О�i ��nsd�w�� #U�Q��KN�RJ�L�u5&�+�/�,�0̨̩� �� /5� w �+3&$ �$C T��Z~��q��n�avq�1P��! Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.881960881281596, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8484, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "8235f2d129f5d6950e0e138044e086dc65ed0150", "event_fingerprint": "a963a412d59eb59a6904d690d08746298e7dcc2a", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "0578203072a0c945ff68ad78656e28c0", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8484, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\ufffd\ufffd\u0015;\ufffd\ufffd\ufffd\ufffd\ufffd\u013a\ufffd\u001b\u001b\ufffd\ufffd\ufffd\ufffdp8\u01ce\ufffd\ufffd:7\ufffd\u041e\ufffdi \ufffd\ufffdnsd\ufffdw\ufffd\ufffd \ufffd\ufffd\u0004\r#U\ufffdQ\u0019\ufffd\ufffdKN\ufffdRJ\ufffdL\ufffdu5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\ufffd\ufffd\u0015;\ufffd\ufffd\ufffd\ufffd\ufffd\u013a\ufffd\u001b\u001b\ufffd\ufffd\ufffd\ufffdp8\u01ce\ufffd\ufffd:7\ufffd\u041e\ufffdi \ufffd\ufffdnsd\ufffdw\ufffd\ufffd \ufffd\ufffd\u0004\r#U\ufffdQ\u0019\ufffd\ufffdKN\ufffdRJ\ufffdL\ufffdu5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd$C\u0007 T\ufffd\ufffd\ufffdZ~\ufffd\ufffd\u0017q\ufffd\ufffd\u0016n\ufffdav\u001aq\ufffd1P\u001e\ufffd\ufffd\u0002!", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\ufffd\ufffd\u0015;\ufffd\ufffd\ufffd\ufffd\ufffd\u013a\ufffd\u001b\u001b\ufffd\ufffd\ufffd\ufffdp8\u01ce\ufffd\ufffd:7\ufffd\u041e\ufffdi \ufffd\ufffdnsd\ufffdw\ufffd\ufffd \ufffd\ufffd\u0004\r#U\ufffdQ\u0019\ufffd\ufffdKN\ufffdRJ\ufffdL\ufffdu5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "699731c13bfbfa5e731b18e7bdb491538e7b8d26", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\ufffd\ufffd\u0015;\ufffd\ufffd\ufffd\ufffd\ufffd\u013a\ufffd\u001b\u001b\ufffd\ufffd\ufffd\ufffdp8\u01ce\ufffd\ufffd:7\ufffd\u041e\ufffdi \ufffd\ufffdnsd\ufffdw\ufffd\ufffd \ufffd\ufffd\u0004\r#U\ufffdQ\u0019\ufffd\ufffdKN\ufffdRJ\ufffdL\ufffdu5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8484, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdH\ufffd\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u013a\ufffd\ufffd\ufffd\ufffd\ufffdp8\u01ce\ufffd\ufffd:7\ufffd\u041e\ufffdi \ufffd\ufffdnsd\ufffdw\ufffd\ufffd \ufffd\ufffd\r#U\ufffdQ\ufffd\ufffdKN\ufffdRJ\ufffdL\ufffdu5&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8484 \u00b7 (reconnaissance)", "target_port_label": "8484 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8484, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003H\ufffd\ufffd\u0015;\ufffd\ufffd\ufffd\ufffd\ufffd\u013a\ufffd\u001b\u001b\ufffd\ufffd\ufffd\ufffdp8\u01ce\ufffd\ufffd:7\ufffd\u041e\ufffdi \ufffd\ufffdnsd\ufffdw\ufffd\ufffd \ufffd\ufffd\u0004\r#U\ufffdQ\u0019\ufffd\ufffdKN\ufffdRJ\ufffdL\ufffdu5\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8484, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8484 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdH\ufffd\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u013a\ufffd\ufffd\ufffd\ufffd\ufffdp8\u01ce\ufffd\ufffd:7\ufffd\u041e\ufffdi \ufffd\ufffdnsd\ufffdw\ufffd\ufffd \ufffd\ufffd\r#U\ufffdQ\ufffd\ufffdKN\ufffdRJ\ufffdL\ufffdu5&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8484 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8484" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 117, "port_scan_ports_sample": [ 81, 82, 83, 84, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095, 2096 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 117, "scan_velocity_ports_per_s": 75.65, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	85 · TLS	tls	Scan de ports port scan syn · via TLS:85 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 85 Chemin / cible — Service TLS Payload ��@ =�綰0=��<,@��r��Mx� ��8 n��[E��w��t��\|z��%1��ؔ�IG&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��@ =�綰0=��<,@��r��Mx� ��8 n��[E��w��t��\|z��%1��ؔ�IG&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��@ =�綰0=��<,@��r��Mx� ��8 n��[E��w��t��\|z��%1��ؔ�IG&�+�/�,�0̨̩� �� /5� w �+3&$ r0�m��_��Zj��4 ���_ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.832411013195214, "port_category": "well_known", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 85, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "709fe951ef3b4fb8ce69a8c1952f65f4b1ba573f", "event_fingerprint": "82a818eef57c20934baadcf03ded32784013830c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "5c5c44a1537faa7fadd092ba7f1cac76", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 85, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@ =\ufffd\u7db00=\ufffd\u0001\ufffd\u0013\ufffd<,@\ufffd\ufffd\ufffdr\ufffd\u0017\ufffd\ufffdMx\ufffd\n\ufffd\ufffd8 n\ufffd\ufffd\ufffd\ufffd[E\ufffd\ufffd\ufffdw\ufffd\ufffdt\ufffd\ufffd\|z\ufffd\u001d\u0016\ufffd%1\ufffd\u0010\ufffd\u0614\ufffdIG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@ =\ufffd\u7db00=\ufffd\u0001\ufffd\u0013\ufffd<,@\ufffd\ufffd\ufffdr\ufffd\u0017\ufffd\ufffdMx\ufffd\n\ufffd\ufffd8 n\ufffd\ufffd\ufffd\ufffd[E\ufffd\ufffd\ufffdw\ufffd\ufffdt\ufffd\ufffd\|z\ufffd\u001d\u0016\ufffd%1\ufffd\u0010\ufffd\u0614\ufffdIG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 r0\ufffdm\ufffd\ufffd_\ufffd\ufffdZ\u000fj\ufffd\u0018\ufffd\ufffd\ufffd\ufffd\u00024\r\ufffd\ufffd\u0003\ufffd\ufffd\u0005\ufffd\ufffd_", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@ =\ufffd\u7db00=\ufffd\u0001\ufffd\u0013\ufffd<,@\ufffd\ufffd\ufffdr\ufffd\u0017\ufffd\ufffdMx\ufffd\n\ufffd\ufffd8 n\ufffd\ufffd\ufffd\ufffd[E\ufffd\ufffd\ufffdw\ufffd\ufffdt\ufffd\ufffd\|z\ufffd\u001d\u0016\ufffd%1\ufffd\u0010\ufffd\u0614\ufffdIG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a4110668d4bfc98161ba97ff737df07391b962e", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@ =\ufffd\u7db00=\ufffd\u0001\ufffd\u0013\ufffd<,@\ufffd\ufffd\ufffdr\ufffd\u0017\ufffd\ufffdMx\ufffd\n\ufffd\ufffd8 n\ufffd\ufffd\ufffd\ufffd[E\ufffd\ufffd\ufffdw\ufffd\ufffdt\ufffd\ufffd\|z\ufffd\u001d\u0016\ufffd%1\ufffd\u0010\ufffd\u0614\ufffdIG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 85, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd@ =\ufffd\u7db00=\ufffd\ufffd\ufffd<,@\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffdMx\ufffd\n\ufffd\ufffd8 n\ufffd\ufffd\ufffd\ufffd[E\ufffd\ufffd\ufffdw\ufffd\ufffdt\ufffd\ufffd\|z\ufffd\ufffd%1\ufffd\ufffd\u0614\ufffdIG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:85 \u00b7 (reconnaissance)", "target_port_label": "85 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (60 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 85, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003@ =\ufffd\u7db00=\ufffd\u0001\ufffd\u0013\ufffd<,@\ufffd\ufffd\ufffdr\ufffd\u0017\ufffd\ufffdMx\ufffd\n\ufffd\ufffd8 n\ufffd\ufffd\ufffd\ufffd[E\ufffd\ufffd\ufffdw\ufffd\ufffdt\ufffd\ufffd\|z\ufffd\u001d\u0016\ufffd%1\ufffd\u0010\ufffd\u0614\ufffdIG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 85, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:85 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd@ =\ufffd\u7db00=\ufffd\ufffd\ufffd<,@\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffdMx\ufffd\n\ufffd\ufffd8 n\ufffd\ufffd\ufffd\ufffd[E\ufffd\ufffd\ufffdw\ufffd\ufffdt\ufffd\ufffd\|z\ufffd\ufffd%1\ufffd\ufffd\u0614\ufffdIG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "85 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "85" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 118, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 118, "scan_velocity_ports_per_s": 75.98, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 60, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "couchbase", "couchdb", "cpanel", "cpanel-ssl" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8501 · CONSUL WAN	consul-wan	Scan de ports port scan syn · via CONSUL WAN:8501 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur CONSUL-WAN WAF — Recommandation Surveiller Tags consul_probe consul_wan_emulated consul_wan_payload net_port_scan_fast Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8501 Chemin / cible — Service CONSUL WAN Payload ��d7D��X�!�� _&���\|P)��Qc ��:~�B�L�4��G�x�=��>1(�o=.�\�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��d7D��X�!�� _&���\|P)��Qc ��:~�B�L�4��G�x�=��>1(�o=.�\�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��d7D��X�!�� _&���\|P)��Qc ��:~�B�L�4��G�x�=��>1(�o=.�\�&�+�/�,�0̨̩� �� /5� w �+3&$ ��U�5X�W�V�H�� 9� p�\W Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.808166585605019, "port_category": "registered", "org": "Google LLC", "service": "consul-wan", "app_proto": "consul-wan", "asn": 396982, "country": "US", "dst_port": 8501, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "9d5db2d6b4032949b12113c47004a9c86dc8ea2f", "event_fingerprint": "a733e743aa530c26cb48bb217e2ccd44bfb6e17c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "consul-wan", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "668d4b1d6ddafabe98b41a90b6ff1547", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8501, "service": "consul-wan", "service_name": "consul-wan", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d7D\ufffd\ufffdX\ufffd!\ufffd\ufffd\ufffd\t\ufffd\f\ufffd_&\u001c\ufffd\ufffd\ufffd\|P)\ufffd\ufffdQ\u0019c \ufffd\ufffd:~\ufffdB\ufffdL\ufffd4\ufffd\ufffdG\ufffdx\ufffd\u0019=\ufffd\ufffd>1(\u0013\u0003\ufffdo=.\ufffd\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d7D\ufffd\ufffdX\ufffd!\ufffd\ufffd\ufffd\t\ufffd\f\ufffd_&\u001c\ufffd\ufffd\ufffd\|P)\ufffd\ufffdQ\u0019c \ufffd\ufffd:~\ufffdB\ufffdL\ufffd4\ufffd\ufffdG\ufffdx\ufffd\u0019=\ufffd\ufffd>1(\u0013\u0003\ufffdo=.\ufffd\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdU\ufffd5X\ufffdW\ufffdV\u000f\b\u0014\u0005\u0013\ufffdH\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\ufffd9\ufffd\r\u0002p\ufffd\\W", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d7D\ufffd\ufffdX\ufffd!\ufffd\ufffd\ufffd\t\ufffd\f\ufffd_&\u001c\ufffd\ufffd\ufffd\|P)\ufffd\ufffdQ\u0019c \ufffd\ufffd:~\ufffdB\ufffdL\ufffd4\ufffd\ufffdG\ufffdx\ufffd\u0019=\ufffd\ufffd>1(\u0013\u0003\ufffdo=.\ufffd\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "93486522f6dc2bc2398fd22bfa399ae7c39abf8a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d7D\ufffd\ufffdX\ufffd!\ufffd\ufffd\ufffd\t\ufffd\f\ufffd_&\u001c\ufffd\ufffd\ufffd\|P)\ufffd\ufffdQ\u0019c \ufffd\ufffd:~\ufffdB\ufffdL\ufffd4\ufffd\ufffdG\ufffdx\ufffd\u0019=\ufffd\ufffd>1(\u0013\u0003\ufffdo=.\ufffd\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8501, "service": "consul-wan", "service_label_fr": "CONSUL WAN" }, "evidence_snippet": "\ufffd\ufffdd7D\ufffd\ufffdX\ufffd!\ufffd\ufffd\ufffd\t\ufffd\ufffd_&\ufffd\ufffd\ufffd\|P)\ufffd\ufffdQc \ufffd\ufffd:~\ufffdB\ufffdL\ufffd4\ufffd\ufffdG\ufffdx\ufffd=\ufffd\ufffd>1(\ufffdo=.\ufffd\\\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via CONSUL WAN:8501 \u00b7 (reconnaissance)", "target_port_label": "8501 \u00b7 CONSUL WAN", "emulator_service": "consul-wan", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CONSUL WAN \u2014 multi-protocole (61 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "consul-wan", "service_label_fr": "CONSUL WAN", "dst_port": 8501, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-consul-wan", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d7D\ufffd\ufffdX\ufffd!\ufffd\ufffd\ufffd\t\ufffd\f\ufffd_&\u001c\ufffd\ufffd\ufffd\|P)\ufffd\ufffdQ\u0019c \ufffd\ufffd:~\ufffdB\ufffdL\ufffd4\ufffd\ufffdG\ufffdx\ufffd\u0019=\ufffd\ufffd>1(\u0013\u0003\ufffdo=.\ufffd\\\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8501, "service": "consul-wan", "service_label_fr": "CONSUL WAN" }, "attack_vector": "port scan syn \u00b7 via CONSUL WAN:8501 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdd7D\ufffd\ufffdX\ufffd!\ufffd\ufffd\ufffd\t\ufffd\ufffd_&\ufffd\ufffd\ufffd\|P)\ufffd\ufffdQc \ufffd\ufffd:~\ufffdB\ufffdL\ufffd4\ufffd\ufffdG\ufffdx\ufffd=\ufffd\ufffd>1(\ufffdo=.\ufffd\\\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8501 \u00b7 CONSUL WAN", "emulator_service": "consul-wan", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "consul_wan", "service_banner": "honeypot-consul-wan", "service_os": "linux", "dst_port": "8501" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 119, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 119, "scan_velocity_ports_per_s": 76.19, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 61, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "consul_probe", "consul_wan_emulated", "consul_wan_payload", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	2443 · TLS	tls	Scan de ports port scan syn · via TLS:2443 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2443 Chemin / cible — Service TLS Payload ��7�V��""�@"� \|��G�� Oti�� h0:s]�P!n��5�t�_u&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��7�V��""�@"� \|��G�� Oti�� h0:s]�P!n��5�t�_u&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��7�V��""�@"� \|��G�� Oti�� h0:s]�P!n��5�t�_u&�+�/�,�0̨̩� �� /5� w �+3&$ }t�9m��u�nF��/��m��t�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8330888189115875, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 2443, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9a84ceb103200dbbf934daa88e762d1e0203d909", "event_fingerprint": "9892e41f89d8d2b06b42c09ea0be5a1f588af95e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "3b23a0dd3f88e3abaa77389d653dad47", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2443, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd7\u0010\ufffdV\ufffd\ufffd\u000e\ufffd\u001f\"\"\ufffd@\"\ufffd\n\|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\u0007\u0004\ufffd Oti\ufffd\ufffd\ufffd\ufffd \u0001h0:s]\ufffdP!n\u0013\ufffd\u0017\ufffd\u0013\ufffd5\ufffdt\ufffd_u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd7\u0010\ufffdV\ufffd\ufffd\u000e\ufffd\u001f\"\"\ufffd@\"\ufffd\n\|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\u0007\u0004\ufffd Oti\ufffd\ufffd\ufffd\ufffd \u0001h0:s]\ufffdP!n\u0013\ufffd\u0017\ufffd\u0013\ufffd5\ufffdt\ufffd_u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 }\u001at\ufffd9m\ufffd\ufffd\ufffdu\u0012\ufffdnF\ufffd\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd\ufffdt\ufffd\ufffd\u0018", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd7\u0010\ufffdV\ufffd\ufffd\u000e\ufffd\u001f\"\"\ufffd@\"\ufffd\n\|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\u0007\u0004\ufffd Oti\ufffd\ufffd\ufffd\ufffd \u0001h0:s]\ufffdP!n\u0013\ufffd\u0017\ufffd\u0013\ufffd5\ufffdt\ufffd_u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1308c668e679c380f51c249ebcd3f5a03437d2fa", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd7\u0010\ufffdV\ufffd\ufffd\u000e\ufffd\u001f\"\"\ufffd@\"\ufffd\n\|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\u0007\u0004\ufffd Oti\ufffd\ufffd\ufffd\ufffd \u0001h0:s]\ufffdP!n\u0013\ufffd\u0017\ufffd\u0013\ufffd5\ufffdt\ufffd_u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2443, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffdV\ufffd\ufffd\ufffd\"\"\ufffd@\"\ufffd\n\|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd Oti\ufffd\ufffd\ufffd\ufffd h0:s]\ufffdP!n\ufffd\ufffd\ufffd5\ufffdt\ufffd_u&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:2443 \u00b7 (reconnaissance)", "target_port_label": "2443 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (61 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2443, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0007\ufffd7\u0010\ufffdV\ufffd\ufffd\u000e\ufffd\u001f\"\"\ufffd@\"\ufffd\n\|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\u0007\u0004\ufffd Oti\ufffd\ufffd\ufffd\ufffd \u0001h0:s]\ufffdP!n\u0013\ufffd\u0017\ufffd\u0013\ufffd5\ufffdt\ufffd_u\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2443, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:2443 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffdV\ufffd\ufffd\ufffd\"\"\ufffd@\"\ufffd\n\|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdG\ufffd\ufffd Oti\ufffd\ufffd\ufffd\ufffd h0:s]\ufffdP!n\ufffd\ufffd\ufffd5\ufffdt\ufffd_u&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "2443 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 119, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 119, "scan_velocity_ports_per_s": 75.87, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 61, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8554 · RTSP ALT	rtsp-alt	Scan de ports port scan syn · via RTSP ALT:8554 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur RTSP-ALT WAF — Recommandation Surveiller Tags net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8554 Chemin / cible — Service RTSP ALT Payload ��s8%��[RE �l4Co� 5a��R�<� �>��(j)�C�x�u��h��p"��.�W&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��s8%��[RE�l4Co� 5a��R�<� �>��(j)�C�x�u��h��p"��.�W&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��s8%��[RE �l4Co� 5a��R�<� �>��(j)�C�x�u��h��p"��.�W&�+�/�,�0̨̩� �� /5� w �+3&$ ��E�^>�. @��Nl��~��5!Gx�[ Meta JSON brut { "protocol_emulated": true, "emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a", "emulator_response_len": 63, "bytes_in": 239, "payload_entropy": 5.8090180099875095, "port_category": "registered", "org": "Google LLC", "service": "rtsp-alt", "app_proto": "rtsp-alt", "asn": 396982, "country": "US", "dst_port": 8554, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "d5a36efc15d71e2ec9b3f719719470da181ff577", "event_fingerprint": "5dabfaf6a16fb1b5f072afe85ff4268481282545", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "rtsp-alt", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4fce0b6630148837b3eb1da47e0ab7e8", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8554, "service": "rtsp-alt", "service_name": "rtsp-alt", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s8%\ufffd\u0006\ufffd\ufffd\ufffd[RE\u000b\ufffdl4Co\u0006\ufffd\r\u00105a\ufffd\ufffd\u0001\ufffdR\ufffd<\ufffd \u000e\ufffd>\ufffd\ufffd(j)\ufffdC\ufffd\u0011x\ufffd\u0012u\ufffd\ufffd\u001d\u0003h\u0007\ufffd\ufffdp\"\ufffd\ufffd\ufffd.\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s8%\ufffd\u0006\ufffd\ufffd\ufffd[RE\u000b\ufffdl4Co\u0006\ufffd\r\u00105a\ufffd\ufffd\u0001\ufffdR\ufffd<\ufffd \u000e\ufffd>\ufffd\ufffd(j)\ufffdC\ufffd\u0011x\ufffd\u0012u\ufffd\ufffd\u001d\u0003h\u0007\ufffd\ufffdp\"\ufffd\ufffd\ufffd.\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdE\ufffd^>\ufffd.\n\u000f@\ufffd\ufffd\ufffd\ufffdNl\ufffd\ufffd\ufffd\u0000\u0007~\ufffd\ufffd\ufffd5!Gx\ufffd[", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s8%\ufffd\u0006\ufffd\ufffd\ufffd[RE\u000b\ufffdl4Co\u0006\ufffd\r\u00105a\ufffd\ufffd\u0001\ufffdR\ufffd<\ufffd \u000e\ufffd>\ufffd\ufffd(j)\ufffdC\ufffd\u0011x\ufffd\u0012u\ufffd\ufffd\u001d\u0003h\u0007\ufffd\ufffdp\"\ufffd\ufffd\ufffd.\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fefa1d9b536ebfde64258a010b04b239ec7fa2c6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s8%\ufffd\u0006\ufffd\ufffd\ufffd[RE\u000b\ufffdl4Co\u0006\ufffd\r\u00105a\ufffd\ufffd\u0001\ufffdR\ufffd<\ufffd \u000e\ufffd>\ufffd\ufffd(j)\ufffdC\ufffd\u0011x\ufffd\u0012u\ufffd\ufffd\u001d\u0003h\u0007\ufffd\ufffdp\"\ufffd\ufffd\ufffd.\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8554, "service": "rtsp-alt", "service_label_fr": "RTSP ALT" }, "evidence_snippet": "\ufffd\ufffds8%\ufffd\ufffd\ufffd\ufffd[RE\ufffdl4Co\ufffd\r5a\ufffd\ufffd\ufffdR\ufffd<\ufffd \ufffd>\ufffd\ufffd(j)\ufffdC\ufffdx\ufffdu\ufffd\ufffdh\ufffd\ufffdp\"\ufffd\ufffd\ufffd.\ufffdW&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via RTSP ALT:8554 \u00b7 (reconnaissance)", "target_port_label": "8554 \u00b7 RTSP ALT", "emulator_service": "rtsp-alt", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RTSP ALT \u2014 multi-protocole (62 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "rtsp-alt", "service_label_fr": "RTSP ALT", "dst_port": 8554, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-rtsp-alt", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003s8%\ufffd\u0006\ufffd\ufffd\ufffd[RE\u000b\ufffdl4Co\u0006\ufffd\r\u00105a\ufffd\ufffd\u0001\ufffdR\ufffd<\ufffd \u000e\ufffd>\ufffd\ufffd(j)\ufffdC\ufffd\u0011x\ufffd\u0012u\ufffd\ufffd\u001d\u0003h\u0007\ufffd\ufffdp\"\ufffd\ufffd\ufffd.\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8554, "service": "rtsp-alt", "service_label_fr": "RTSP ALT" }, "attack_vector": "port scan syn \u00b7 via RTSP ALT:8554 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffds8%\ufffd\ufffd\ufffd\ufffd[RE\ufffdl4Co\ufffd\r5a\ufffd\ufffd\ufffdR\ufffd<\ufffd \ufffd>\ufffd\ufffd(j)\ufffdC\ufffdx\ufffdu\ufffd\ufffdh\ufffd\ufffdp\"\ufffd\ufffd\ufffd.\ufffdW&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8554 \u00b7 RTSP ALT", "emulator_service": "rtsp-alt", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "rtsp_alt", "service_banner": "honeypot-rtsp-alt", "service_os": "linux", "dst_port": "8554" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 120, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 120, "scan_velocity_ports_per_s": 75.96, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 62, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8585 · TLS	tls	Scan de ports port scan syn · via TLS:8585 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8585 Chemin / cible — Service TLS Payload ��]Fz�m^��򅕎�tk��J�L �6��)�Ԅi��`/<E�O��͹��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��]Fz�m^��򅕎�tk��J�L �6��)�Ԅi��`/<E�O��͹��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��]Fz�m^��򅕎�tk��J�L �6��)�Ԅi��`/<E�O��͹��&�+�/�,�0̨̩� �� /5� w �+3&$ �7j�V��X�~��ҁ�Y��h��s Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.871964965415184, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8585, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "3465eff6421972424c1a727467310e20f2a278a0", "event_fingerprint": "216765d4e1fcdc67de8c895ec3aa4b7cd48a8e5e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "40357c0ff54bafef1fbc62357402b250", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8585, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0013\u0015\ufffd\ufffd]Fz\ufffdm^\ufffd\ufffd\ufffd\u0014\ufffd\ud9d5\udd4e\ufffdtk\ufffd\ufffd\ufffdJ\ufffdL \ufffd\u00146\ufffd\ufffd)\ufffd\u0504i\ufffd\ufffd\ufffd\ufffd`\/\u0003<E\ufffdO\ufffd\ufffd\u0379\u0005\u0007\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0013\u0015\ufffd\ufffd]Fz\ufffdm^\ufffd\ufffd\ufffd\u0014\ufffd\ud9d5\udd4e\ufffdtk\ufffd\ufffd\ufffdJ\ufffdL \ufffd\u00146\ufffd\ufffd)\ufffd\u0504i\ufffd\ufffd\ufffd\ufffd`\/\u0003<E\ufffdO\ufffd\ufffd\u0379\u0005\u0007\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000f\ufffd7j\u0014\ufffd\u0013V\ufffd\ufffdX\ufffd~\ufffd\ufffd\u0014\u0000\ufffd\ufffd\u0481\ufffdY\u001e\ufffd\ufffdh\ufffd\ufffds", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0013\u0015\ufffd\ufffd]Fz\ufffdm^\ufffd\ufffd\ufffd\u0014\ufffd\ud9d5\udd4e\ufffdtk\ufffd\ufffd\ufffdJ\ufffdL \ufffd\u00146\ufffd\ufffd)\ufffd\u0504i\ufffd\ufffd\ufffd\ufffd`\/\u0003<E\ufffdO\ufffd\ufffd\u0379\u0005\u0007\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "dfe0cf7f0136df58723fc6e5e70ccdb26522edb4", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0013\u0015\ufffd\ufffd]Fz\ufffdm^\ufffd\ufffd\ufffd\u0014\ufffd\ud9d5\udd4e\ufffdtk\ufffd\ufffd\ufffdJ\ufffdL \ufffd\u00146\ufffd\ufffd)\ufffd\u0504i\ufffd\ufffd\ufffd\ufffd`\/\u0003<E\ufffdO\ufffd\ufffd\u0379\u0005\u0007\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8585, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]Fz\ufffdm^\ufffd\ufffd\ufffd\ufffd\ud9d5\udd4e\ufffdtk\ufffd\ufffd\ufffdJ\ufffdL \ufffd6\ufffd\ufffd)\ufffd\u0504i\ufffd\ufffd\ufffd\ufffd`\/<E\ufffdO\ufffd\ufffd\u0379\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8585 \u00b7 (reconnaissance)", "target_port_label": "8585 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (62 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8585, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0013\u0015\ufffd\ufffd]Fz\ufffdm^\ufffd\ufffd\ufffd\u0014\ufffd\ud9d5\udd4e\ufffdtk\ufffd\ufffd\ufffdJ\ufffdL \ufffd\u00146\ufffd\ufffd)\ufffd\u0504i\ufffd\ufffd\ufffd\ufffd`\/\u0003<E\ufffdO\ufffd\ufffd\u0379\u0005\u0007\ufffd\u0019\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8585, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8585 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]Fz\ufffdm^\ufffd\ufffd\ufffd\ufffd\ud9d5\udd4e\ufffdtk\ufffd\ufffd\ufffdJ\ufffdL \ufffd6\ufffd\ufffd)\ufffd\u0504i\ufffd\ufffd\ufffd\ufffd`\/<E\ufffdO\ufffd\ufffd\u0379\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8585 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8585" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 121, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 121, "scan_velocity_ports_per_s": 76.27, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 62, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8600 · TLS	tls	Scan de ports port scan syn · via TLS:8600 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8600 Chemin / cible — Service TLS Payload ��#�[�قRy�#��N7Kl�@�<s�ni�� e�PP��vP�7�S�\|��'��R�ͳ��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��#�[�قRy�#��N7Kl�@�<s�ni�� e�PP��vP�7�S�\|��'��R�ͳ��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��#�[�قRy�#��N7Kl�@�<s�ni�� e�PP��vP�7�S�\|��'��R�ͳ��&�+�/�,�0̨̩� �� /5� w �+3&$ S��Y�M�^�h�R[4��"(k�&Cn Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.802367991751947, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8600, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "b9ab40cbe0a27a6132cba15bd94b62394f72230d", "event_fingerprint": "6be433ddb2eb1037d6f32ea778f25788f52fcd28", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "676c3a90a0d61893388070ea10fd2ec7", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8600, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd[\ufffd\u0642Ry\ufffd\u001d#\ufffd\ufffdN7Kl\ufffd@\ufffd<s\ufffdni\ufffd\u001d\ufffd\u0011\ufffd\u001d e\u0013\u0015\ufffdPP\ufffd\ufffdvP\u0004\ufffd7\ufffd\u0018S\ufffd\|\ufffd\ufffd'\ufffd\ufffdR\u0000\ufffd\u0373\u001c\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd[\ufffd\u0642Ry\ufffd\u001d#\ufffd\ufffdN7Kl\ufffd@\ufffd<s\ufffdni\ufffd\u001d\ufffd\u0011\ufffd\u001d e\u0013\u0015\ufffdPP\ufffd\ufffdvP\u0004\ufffd7\ufffd\u0018S\ufffd\|\ufffd\ufffd'\ufffd\ufffdR\u0000\ufffd\u0373\u001c\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001dS\ufffd\ufffdY\u0010\u0017\ufffd\u0001M\ufffd^\ufffd\u001ch\ufffdR[4\ufffd\ufffd\ufffd\ufffd\ufffd\"(k\ufffd&Cn", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd[\ufffd\u0642Ry\ufffd\u001d#\ufffd\ufffdN7Kl\ufffd@\ufffd<s\ufffdni\ufffd\u001d\ufffd\u0011\ufffd\u001d e\u0013\u0015\ufffdPP\ufffd\ufffdvP\u0004\ufffd7\ufffd\u0018S\ufffd\|\ufffd\ufffd'\ufffd\ufffdR\u0000\ufffd\u0373\u001c\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4f001d5b5d62f54efc4f9fbf1bde11e72459471f", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd[\ufffd\u0642Ry\ufffd\u001d#\ufffd\ufffdN7Kl\ufffd@\ufffd<s\ufffdni\ufffd\u001d\ufffd\u0011\ufffd\u001d e\u0013\u0015\ufffdPP\ufffd\ufffdvP\u0004\ufffd7\ufffd\u0018S\ufffd\|\ufffd\ufffd'\ufffd\ufffdR\u0000\ufffd\u0373\u001c\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8600, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd#\ufffd[\ufffd\u0642Ry\ufffd#\ufffd\ufffdN7Kl\ufffd@\ufffd<s\ufffdni\ufffd\ufffd\ufffd e\ufffdPP\ufffd\ufffdvP\ufffd7\ufffdS\ufffd\|\ufffd\ufffd'\ufffd\ufffdR\ufffd\u0373\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8600 \u00b7 (reconnaissance)", "target_port_label": "8600 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (62 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8600, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003#\ufffd[\ufffd\u0642Ry\ufffd\u001d#\ufffd\ufffdN7Kl\ufffd@\ufffd<s\ufffdni\ufffd\u001d\ufffd\u0011\ufffd\u001d e\u0013\u0015\ufffdPP\ufffd\ufffdvP\u0004\ufffd7\ufffd\u0018S\ufffd\|\ufffd\ufffd'\ufffd\ufffdR\u0000\ufffd\u0373\u001c\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8600, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8600 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd#\ufffd[\ufffd\u0642Ry\ufffd#\ufffd\ufffdN7Kl\ufffd@\ufffd<s\ufffdni\ufffd\ufffd\ufffd e\ufffdPP\ufffd\ufffdvP\ufffd7\ufffdS\ufffd\|\ufffd\ufffd'\ufffd\ufffdR\ufffd\u0373\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8600 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8600" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 122, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 122, "scan_velocity_ports_per_s": 76.58, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 62, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8686 · TLS	tls	Scan de ports port scan syn · via TLS:8686 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8686 Chemin / cible — Service TLS Payload ��B\|`��'+ � �d�ۭ�L<�a��+�G ��&h�}�`��k��Vf}T�'�Nl�K�3&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��B\|`��'+��d�ۭ�L<�a��+�G ��&h�}�`��k��Vf}T�'�Nl�K�3&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��B\|`��'+ � �d�ۭ�L<�a��+�G ��&h�}�`��k��Vf}T�'�Nl�K�3&�+�/�,�0̨̩� �� /5� w �+3&$ ��d��F��ݞT{�� #^��9 �u�Z Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.878530675974339, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8686, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "4a9dbb0e5776c3bb4c14fce492e359a7116c1da2", "event_fingerprint": "f7e1a776eb2dbc746ebb0fa323e073c07353d0c2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "348ebc7fa2445f95bca5c545d60aaac0", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8686, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\|`\ufffd\ufffd\ufffd'+\u000b\ufffd\f\ufffdd\ufffd\u06ed\ufffd\u0002L<\ufffda\ufffd\ufffd\ufffd\u001d\u000e\u000e+\ufffdG \ufffd\ufffd\ufffd&h\ufffd}\ufffd`\u001d\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdVf}T\ufffd'\ufffdNl\ufffdK\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\|`\ufffd\ufffd\ufffd'+\u000b\ufffd\f\ufffdd\ufffd\u06ed\ufffd\u0002L<\ufffda\ufffd\ufffd\ufffd\u001d\u000e\u000e+\ufffdG \ufffd\ufffd\ufffd&h\ufffd}\ufffd`\u001d\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdVf}T\ufffd'\ufffdNl\ufffdK\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdd\ufffd\ufffdF\ufffd\ufffd\u075e\bT{\ufffd\ufffd\ufffd\r\ufffd\u001b#^\ufffd\ufffd\ufffd9 \ufffdu\u0012\ufffdZ", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\|`\ufffd\ufffd\ufffd'+\u000b\ufffd\f\ufffdd\ufffd\u06ed\ufffd\u0002L<\ufffda\ufffd\ufffd\ufffd\u001d\u000e\u000e+\ufffdG \ufffd\ufffd\ufffd&h\ufffd}\ufffd`\u001d\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdVf}T\ufffd'\ufffdNl\ufffdK\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f05c4b2f098edf5b1c5db869a656db1c413d32a5", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\|`\ufffd\ufffd\ufffd'+\u000b\ufffd\f\ufffdd\ufffd\u06ed\ufffd\u0002L<\ufffda\ufffd\ufffd\ufffd\u001d\u000e\u000e+\ufffdG \ufffd\ufffd\ufffd&h\ufffd}\ufffd`\u001d\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdVf}T\ufffd'\ufffdNl\ufffdK\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8686, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdB\|`\ufffd\ufffd\ufffd'+\ufffd\ufffdd\ufffd\u06ed\ufffdL<\ufffda\ufffd\ufffd\ufffd+\ufffdG \ufffd\ufffd\ufffd&h\ufffd}\ufffd`\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdVf}T\ufffd'\ufffdNl\ufffdK\ufffd3&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8686 \u00b7 (reconnaissance)", "target_port_label": "8686 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (62 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8686, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\|`\ufffd\ufffd\ufffd'+\u000b\ufffd\f\ufffdd\ufffd\u06ed\ufffd\u0002L<\ufffda\ufffd\ufffd\ufffd\u001d\u000e\u000e+\ufffdG \ufffd\ufffd\ufffd&h\ufffd}\ufffd`\u001d\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdVf}T\ufffd'\ufffdNl\ufffdK\ufffd3\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8686, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8686 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdB\|`\ufffd\ufffd\ufffd'+\ufffd\ufffdd\ufffd\u06ed\ufffdL<\ufffda\ufffd\ufffd\ufffd+\ufffdG \ufffd\ufffd\ufffd&h\ufffd}\ufffd`\ufffd\ufffd\ufffdk\ufffd\ufffd\ufffd\ufffd\ufffdVf}T\ufffd'\ufffdNl\ufffdK\ufffd3&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8686 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8686" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 123, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 123, "scan_velocity_ports_per_s": 76.9, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 62, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	27018 · MONGODB SHARD	mongodb-shard	Scan de ports port scan syn · via MONGODB SHARD:27018 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur MONGODB-SHARD WAF — Recommandation Surveiller Tags mongodb_shard_emulated mongodb_shard_payload net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 27018 Chemin / cible — Service MONGODB SHARD Payload ��M��ʹh� ��l?9n>-.��3杦 �n�A!Q>X�H ��nxμ8 Y�=�[�h�^&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��M��ʹh� ��l?9n>-.��3杦 �n�A!Q>X�H ��nxμ8 Y�=�[�h�^&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��M��ʹh� ��l?9n>-.��3杦 �n�A!Q>X�H ��nxμ8 Y�=�[�h�^&�+�/�,�0̨̩� �� /5� w �+3&$ �6͝>��'GL�@��͛Z�[ �֪a Meta JSON brut { "protocol_emulated": true, "emulator_response": "3e000000000000000100000000000000dd070000000000001600000001000000000000001069736d6173746572000100000000016f6b0000000000f03f00", "emulator_response_len": 62, "bytes_in": 239, "payload_entropy": 5.785712460785875, "port_category": "registered", "org": "Google LLC", "service": "mongodb-shard", "app_proto": "mongodb-shard", "asn": 396982, "country": "US", "dst_port": 27018, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "504db5d72a536822c8d0a4bb0edbbe557755c36a", "event_fingerprint": "3680e9a6301ed4a6bbcf7f83c27993ce5993d0d3", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mongodb-shard", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "26211be4213b75cfc252ceda274f2685", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 27018, "service": "mongodb-shard", "service_name": "mongodb-shard", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\ufffd\ufffd\u02b9\u000eh\ufffd \ufffd\ufffd\ufffd\ufffd\u0019\ufffd\ufffdl?\u00019n>-.\u0019\ufffd\ufffd3\u6766 \ufffd\u0006n\ufffdA!\u0010Q>X\ufffdH \ufffd\ufffdnx\u03bc8\tY\u0012\ufffd\u0007=\ufffd[\ufffdh\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\ufffd\ufffd\u02b9\u000eh\ufffd \ufffd\ufffd\ufffd\ufffd\u0019\ufffd\ufffdl?\u00019n>-.\u0019\ufffd\ufffd3\u6766 \ufffd\u0006n\ufffdA!\u0010Q>X\ufffdH \ufffd\ufffdnx\u03bc8\tY\u0012\ufffd\u0007=\ufffd[\ufffdh\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0004\ufffd6\u035d>\ufffd\ufffd\ufffd\u0001\ufffd\ufffd'\u0014GL\ufffd@\u0019\ufffd\ufffd\u035bZ\ufffd[\r\ufffd\u05aaa", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\ufffd\ufffd\u02b9\u000eh\ufffd \ufffd\ufffd\ufffd\ufffd\u0019\ufffd\ufffdl?\u00019n>-.\u0019\ufffd\ufffd3\u6766 \ufffd\u0006n\ufffdA!\u0010Q>X\ufffdH \ufffd\ufffdnx\u03bc8\tY\u0012\ufffd\u0007=\ufffd[\ufffdh\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d724d4ac6461b57e313881f1e6b33649d5f5e17d", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\ufffd\ufffd\u02b9\u000eh\ufffd \ufffd\ufffd\ufffd\ufffd\u0019\ufffd\ufffdl?\u00019n>-.\u0019\ufffd\ufffd3\u6766 \ufffd\u0006n\ufffdA!\u0010Q>X\ufffdH \ufffd\ufffdnx\u03bc8\tY\u0012\ufffd\u0007=\ufffd[\ufffdh\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 27018, "service": "mongodb-shard", "service_label_fr": "MONGODB SHARD" }, "evidence_snippet": "\ufffd\ufffdM\ufffd\ufffd\ufffd\u02b9h\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdl?9n>-.\ufffd\ufffd3\u6766 \ufffdn\ufffdA!Q>X\ufffdH \ufffd\ufffdnx\u03bc8\tY\ufffd=\ufffd[\ufffdh\ufffd^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via MONGODB SHARD:27018 \u00b7 (reconnaissance)", "target_port_label": "27018 \u00b7 MONGODB SHARD", "emulator_service": "mongodb-shard", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MONGODB SHARD \u2014 multi-protocole (62 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mongodb-shard", "service_label_fr": "MONGODB SHARD", "dst_port": 27018, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mongodb-shard", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "mongodb_wire_fr": "Protocole wire MongoDB (OP_QUERY\/OP_MSG)", "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003M\ufffd\ufffd\ufffd\u02b9\u000eh\ufffd \ufffd\ufffd\ufffd\ufffd\u0019\ufffd\ufffdl?\u00019n>-.\u0019\ufffd\ufffd3\u6766 \ufffd\u0006n\ufffdA!\u0010Q>X\ufffdH \ufffd\ufffdnx\u03bc8\tY\u0012\ufffd\u0007=\ufffd[\ufffdh\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 27018, "service": "mongodb-shard", "service_label_fr": "MONGODB SHARD" }, "attack_vector": "port scan syn \u00b7 via MONGODB SHARD:27018 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdM\ufffd\ufffd\ufffd\u02b9h\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\ufffdl?9n>-.\ufffd\ufffd3\u6766 \ufffdn\ufffdA!Q>X\ufffdH \ufffd\ufffdnx\u03bc8\tY\ufffd=\ufffd[\ufffdh\ufffd^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "27018 \u00b7 MONGODB SHARD", "emulator_service": "mongodb-shard", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mongodb_shard", "service_banner": "honeypot-mongodb-shard", "service_os": "linux", "dst_port": "27018" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 123, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 123, "scan_velocity_ports_per_s": 76.59, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 62, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_shard_emulated", "mongodb_shard_payload", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8700 · TLS	tls	Scan de ports port scan syn · via TLS:8700 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8700 Chemin / cible — Service TLS Payload ��`��p�J��?��)_:/��2aJ��P� h��Y��C�_(��o�5�g��g��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��`��p�J��?��)_:/��2aJ��P� h��Y��C�_(��o�5�g��g��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��`��p�J��?��)_:/��2aJ��P� h��Y��C�_(��o�5�g��g��&�+�/�,�0̨̩� �� /5� w �+3&$ 4�x��8�ɫ��K��=z��z��ִG Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.827897731207486, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8700, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "e28b7a8f1f752b65fd16f261db6a6b36160869f9", "event_fingerprint": "a74c7271e306cb082e62737733da786fab9514d2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "6e1b2a08447dc25a22213fb97f92b251", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8700, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\ufffd\ufffd\ufffdp\u0003\ufffdJ\ufffd\ufffd?\ufffd\ufffd\ufffd)_\b:\/\ufffd\ufffd\ufffd2aJ\ufffd\ufffdP\ufffd h\ufffd\ufffdY\ufffd\ufffd\u0003\ufffdC\ufffd_\u0018(\ufffd\ufffd\ufffd\u0016\ufffd\u0011o\u0003\ufffd5\ufffdg\u0000\ufffd\ufffdg\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\ufffd\ufffd\ufffdp\u0003\ufffdJ\ufffd\ufffd?\ufffd\ufffd\ufffd)_\b:\/\ufffd\ufffd\ufffd2aJ\ufffd\ufffdP\ufffd h\ufffd\ufffdY\ufffd\ufffd\u0003\ufffdC\ufffd_\u0018(\ufffd\ufffd\ufffd\u0016\ufffd\u0011o\u0003\ufffd5\ufffdg\u0000\ufffd\ufffdg\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u001a\u00124\ufffdx\u0018\ufffd\ufffd\ufffd8\ufffd\u026b\u0002\ufffd\ufffdK\ufffd\ufffd\ufffd=z\ufffd\ufffdz\u001c\ufffd\ufffd\u05b4G", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\ufffd\ufffd\ufffdp\u0003\ufffdJ\ufffd\ufffd?\ufffd\ufffd\ufffd)_\b:\/\ufffd\ufffd\ufffd2aJ\ufffd\ufffdP\ufffd h\ufffd\ufffdY\ufffd\ufffd\u0003\ufffdC\ufffd_\u0018(\ufffd\ufffd\ufffd\u0016\ufffd\u0011o\u0003\ufffd5\ufffdg\u0000\ufffd\ufffdg\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "69b979d31da19b46c4891afbde7a095aa5bf9d98", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\ufffd\ufffd\ufffdp\u0003\ufffdJ\ufffd\ufffd?\ufffd\ufffd\ufffd)_\b:\/\ufffd\ufffd\ufffd2aJ\ufffd\ufffdP\ufffd h\ufffd\ufffdY\ufffd\ufffd\u0003\ufffdC\ufffd_\u0018(\ufffd\ufffd\ufffd\u0016\ufffd\u0011o\u0003\ufffd5\ufffdg\u0000\ufffd\ufffdg\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8700, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd`\ufffd\ufffd\ufffdp\ufffdJ\ufffd\ufffd?\ufffd\ufffd\ufffd)_:\/\ufffd\ufffd\ufffd2aJ\ufffd\ufffdP\ufffd h\ufffd\ufffdY\ufffd\ufffd\ufffdC\ufffd_(\ufffd\ufffd\ufffd\ufffdo\ufffd5\ufffdg\ufffd\ufffdg\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8700 \u00b7 (reconnaissance)", "target_port_label": "8700 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (62 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8700, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd`\ufffd\ufffd\ufffdp\u0003\ufffdJ\ufffd\ufffd?\ufffd\ufffd\ufffd)_\b:\/\ufffd\ufffd\ufffd2aJ\ufffd\ufffdP\ufffd h\ufffd\ufffdY\ufffd\ufffd\u0003\ufffdC\ufffd_\u0018(\ufffd\ufffd\ufffd\u0016\ufffd\u0011o\u0003\ufffd5\ufffdg\u0000\ufffd\ufffdg\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8700, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8700 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd`\ufffd\ufffd\ufffdp\ufffdJ\ufffd\ufffd?\ufffd\ufffd\ufffd)_:\/\ufffd\ufffd\ufffd2aJ\ufffd\ufffdP\ufffd h\ufffd\ufffdY\ufffd\ufffd\ufffdC\ufffd_(\ufffd\ufffd\ufffd\ufffdo\ufffd5\ufffdg\ufffd\ufffdg\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8700 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8700" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 124, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 124, "scan_velocity_ports_per_s": 76.89, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 62, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8787 · TLS	tls	Scan de ports port scan syn · via TLS:8787 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8787 Chemin / cible — Service TLS Payload ��"�@@t~� ��+?n�z�� =nՏ��v�4��<��Q�k��N�3�0"AV&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��"�@@t~� ��+?n�z�� =nՏ��v�4��<��Q�k��N�3�0"AV&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��"�@@t~� ��+?n�z�� =nՏ��v�4��<��Q�k��N�3�0"AV&�+�/�,�0̨̩� �� /5� w �+3&$ @އE[�Y��/�n�9�n�:(J��\Nb��0R Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.767787813900522, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8787, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "c7c0ed4d81de5294172adc31ffab30e4b5d282bf", "event_fingerprint": "ad7138225a6749c3cecb2cd8e2b37553b811f7c9", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "567844e1241c3019db5e12ce06034199", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8787, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001\ufffd\u0012\ufffd\u0015\ufffd\"\u0004\ufffd@@\u0012t~\ufffd\n\ufffd\ufffd+?n\ufffd\u001d\u001ez\ufffd\u0016\u0014\ufffd\u001a \ufffd\ufffd=n\u054f\u001f\ufffd\ufffdv\ufffd4\ufffd\ufffd<\ufffd\ufffd\ufffdQ\ufffd\u0019k\ufffd\ufffdN\ufffd3\ufffd0\"AV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001\ufffd\u0012\ufffd\u0015\ufffd\"\u0004\ufffd@@\u0012t~\ufffd\n\ufffd\ufffd+?n\ufffd\u001d\u001ez\ufffd\u0016\u0014\ufffd\u001a \ufffd\ufffd=n\u054f\u001f\ufffd\ufffdv\ufffd4\ufffd\ufffd<\ufffd\ufffd\ufffdQ\ufffd\u0019k\ufffd\ufffdN\ufffd3\ufffd0\"AV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 @\u0787E[\ufffdY\ufffd\ufffd\/\ufffdn\ufffd9\ufffdn\ufffd:(J\ufffd\ufffd\\\u0000Nb\ufffd\ufffd\ufffd0R", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001\ufffd\u0012\ufffd\u0015\ufffd\"\u0004\ufffd@@\u0012t~\ufffd\n\ufffd\ufffd+?n\ufffd\u001d\u001ez\ufffd\u0016\u0014\ufffd\u001a \ufffd\ufffd=n\u054f\u001f\ufffd\ufffdv\ufffd4\ufffd\ufffd<\ufffd\ufffd\ufffdQ\ufffd\u0019k\ufffd\ufffdN\ufffd3\ufffd0\"AV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a95247a827ae1c3e8cbe7bc31c84415498587b59", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001\ufffd\u0012\ufffd\u0015\ufffd\"\u0004\ufffd@@\u0012t~\ufffd\n\ufffd\ufffd+?n\ufffd\u001d\u001ez\ufffd\u0016\u0014\ufffd\u001a \ufffd\ufffd=n\u054f\u001f\ufffd\ufffdv\ufffd4\ufffd\ufffd<\ufffd\ufffd\ufffdQ\ufffd\u0019k\ufffd\ufffdN\ufffd3\ufffd0\"AV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8787, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\ufffd@@t~\ufffd\n\ufffd\ufffd+?n\ufffdz\ufffd\ufffd \ufffd\ufffd=n\u054f\ufffd\ufffdv\ufffd4\ufffd\ufffd<\ufffd\ufffd\ufffdQ\ufffdk\ufffd\ufffdN\ufffd3\ufffd0\"AV&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8787 \u00b7 (reconnaissance)", "target_port_label": "8787 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (62 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8787, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001\ufffd\u0012\ufffd\u0015\ufffd\"\u0004\ufffd@@\u0012t~\ufffd\n\ufffd\ufffd+?n\ufffd\u001d\u001ez\ufffd\u0016\u0014\ufffd\u001a \ufffd\ufffd=n\u054f\u001f\ufffd\ufffdv\ufffd4\ufffd\ufffd<\ufffd\ufffd\ufffdQ\ufffd\u0019k\ufffd\ufffdN\ufffd3\ufffd0\"AV\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8787, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8787 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\"\ufffd@@t~\ufffd\n\ufffd\ufffd+?n\ufffdz\ufffd\ufffd \ufffd\ufffd=n\u054f\ufffd\ufffdv\ufffd4\ufffd\ufffd<\ufffd\ufffd\ufffdQ\ufffdk\ufffd\ufffdN\ufffd3\ufffd0\"AV&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8787 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8787" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 125, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 125, "scan_velocity_ports_per_s": 77.19, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 62, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	28017 · MONGODB HTTP	mongodb-http	Scan de ports port scan syn · via MONGODB HTTP:28017 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur MONGODB-HTTP WAF — Recommandation Surveiller Tags net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 28017 Chemin / cible — Service MONGODB HTTP Payload ��J��Mi�� e��N^I��`H %h6��H�U �ڥQtqo��t�b�\|��1^�Ci�/� �mF&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��J��Mi�� e��N^I��`H%h6��H�U �ڥQtqo��t�b�\|��1^�Ci�/��mF&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��J��Mi�� e��N^I��`H %h6��H�U �ڥQtqo��t�b�\|��1^�Ci�/� �mF&�+�/�,�0̨̩� �� /5� w �+3&$ �"� ��\�VtZ�c]��8H��M�@= y�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.820061351911427, "port_category": "registered", "org": "Google LLC", "service": "mongodb-http", "app_proto": "mongodb-http", "asn": 396982, "country": "US", "dst_port": 28017, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "f620a3133818c0b5dc1d0b18013ef113a34ba16a", "event_fingerprint": "50aa364f69e590d452be18621beb9717d2fe4feb", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "mongodb-http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bde1e8fb21a15f985054a46df773a86e", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 28017, "service": "mongodb-http", "service_name": "mongodb-http", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdJ\ufffd\ufffdM\u0011i\ufffd\ufffd\ne\ufffd\ufffd\ufffdN^I\ufffd\ufffd`H\f%h6\ufffd\ufffdH\ufffdU \ufffd\u06a5Qtqo\ufffd\ufffdt\ufffdb\u001e\ufffd\|\ufffd\u0013\ufffd\ufffd1^\ufffdCi\u001e\ufffd\/\ufffd\u000b\ufffdmF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdJ\ufffd\ufffdM\u0011i\ufffd\ufffd\ne\ufffd\ufffd\ufffdN^I\ufffd\ufffd`H\f%h6\ufffd\ufffdH\ufffdU \ufffd\u06a5Qtqo\ufffd\ufffdt\ufffdb\u001e\ufffd\|\ufffd\u0013\ufffd\ufffd1^\ufffdCi\u001e\ufffd\/\ufffd\u000b\ufffdmF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\"\u0004\ufffd\f\ufffd\ufffd\\\ufffdVtZ\ufffdc]\ufffd\ufffd\u00128H\ufffd\u0013\ufffdM\ufffd@=\u000by\ufffd\ufffd\u001e", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdJ\ufffd\ufffdM\u0011i\ufffd\ufffd\ne\ufffd\ufffd\ufffdN^I\ufffd\ufffd`H\f%h6\ufffd\ufffdH\ufffdU \ufffd\u06a5Qtqo\ufffd\ufffdt\ufffdb\u001e\ufffd\|\ufffd\u0013\ufffd\ufffd1^\ufffdCi\u001e\ufffd\/\ufffd\u000b\ufffdmF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ef8be6fdc4b4c5d10243edea6b7e4101207eca49", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdJ\ufffd\ufffdM\u0011i\ufffd\ufffd\ne\ufffd\ufffd\ufffdN^I\ufffd\ufffd`H\f%h6\ufffd\ufffdH\ufffdU \ufffd\u06a5Qtqo\ufffd\ufffdt\ufffdb\u001e\ufffd\|\ufffd\u0013\ufffd\ufffd1^\ufffdCi\u001e\ufffd\/\ufffd\u000b\ufffdmF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 28017, "service": "mongodb-http", "service_label_fr": "MONGODB HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdMi\ufffd\ufffd\ne\ufffd\ufffd\ufffdN^I\ufffd\ufffd`H%h6\ufffd\ufffdH\ufffdU \ufffd\u06a5Qtqo\ufffd\ufffdt\ufffdb\ufffd\|\ufffd\ufffd\ufffd1^\ufffdCi\ufffd\/\ufffd\ufffdmF&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via MONGODB HTTP:28017 \u00b7 (reconnaissance)", "target_port_label": "28017 \u00b7 MONGODB HTTP", "emulator_service": "mongodb-http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MONGODB HTTP \u2014 multi-protocole (62 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "mongodb-http", "service_label_fr": "MONGODB HTTP", "dst_port": 28017, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mongodb-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdJ\ufffd\ufffdM\u0011i\ufffd\ufffd\ne\ufffd\ufffd\ufffdN^I\ufffd\ufffd`H\f%h6\ufffd\ufffdH\ufffdU \ufffd\u06a5Qtqo\ufffd\ufffdt\ufffdb\u001e\ufffd\|\ufffd\u0013\ufffd\ufffd1^\ufffdCi\u001e\ufffd\/\ufffd\u000b\ufffdmF\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 28017, "service": "mongodb-http", "service_label_fr": "MONGODB HTTP" }, "attack_vector": "port scan syn \u00b7 via MONGODB HTTP:28017 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdMi\ufffd\ufffd\ne\ufffd\ufffd\ufffdN^I\ufffd\ufffd`H%h6\ufffd\ufffdH\ufffdU \ufffd\u06a5Qtqo\ufffd\ufffdt\ufffdb\ufffd\|\ufffd\ufffd\ufffd1^\ufffdCi\ufffd\/\ufffd\ufffdmF&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "28017 \u00b7 MONGODB HTTP", "emulator_service": "mongodb-http", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mongodb_http", "service_banner": "honeypot-mongodb-http", "service_os": "linux", "dst_port": "28017" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 125, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087, 2095 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 125, "scan_velocity_ports_per_s": 76.89, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 62, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	88 · KERBEROS	kerberos	Scan de ports port scan syn · via KERBEROS:88 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur KERBEROS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 88 Chemin / cible — Service KERBEROS Payload ��B#]G��zJA�_��_W��g"�e ��iO&vQ��r��o��?��^�2n"&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��B#]G��zJA�_��_W��g"�e ��iO&vQ��r��o��?��^�2n"&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��B#]G��zJA�_��_W��g"�e ��iO&vQ��r��o��?��^�2n"&�+�/�,�0̨̩� �� /5� w �+3&$ �_/Q�2q3 Cٔ�/� � ��RH��_ Meta JSON brut { "protocol_emulated": true, "emulator_response": "6e82000c0a104142434445464748494a", "emulator_response_len": 16, "bytes_in": 239, "payload_entropy": 5.741581970093771, "port_category": "well_known", "org": "Google LLC", "service": "kerberos", "app_proto": "kerberos", "asn": 396982, "country": "US", "dst_port": 88, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "0a5fdd6a0b438b230b09a98fc924a5b02356a059", "event_fingerprint": "913d44813db075acdef68e978cb3225e3e208a9e", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "kerberos", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f8cc354d9250dcd2edbe0d2453c6a9f6", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 88, "service": "kerberos", "service_name": "kerberos", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\u001f#]G\ufffd\ufffdzJ\u0016A\u0019\ufffd\u0013_\ufffd\u0005\ufffd_W\ufffd\ufffd\ufffd\u001a\u001eg\"\ufffde\u0007\u001c \ufffd\ufffd\u0018iO&\u001avQ\ufffd\ufffdr\ufffd\u0018\ufffd\u0005o\ufffd\ufffd?\ufffd\ufffd^\u0011\ufffd2n\u001e\"\u0002\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\u001f#]G\ufffd\ufffdzJ\u0016A\u0019\ufffd\u0013_\ufffd\u0005\ufffd_W\ufffd\ufffd\ufffd\u001a\u001eg\"\ufffde\u0007\u001c \ufffd\ufffd\u0018iO&\u001avQ\ufffd\ufffdr\ufffd\u0018\ufffd\u0005o\ufffd\ufffd?\ufffd\ufffd^\u0011\ufffd2n\u001e\"\u0002\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd_\u000f\/\u0014Q\ufffd2q3\fC\u0654\ufffd\/\ufffd\n\ufffd\n\ufffd\ufffd\ufffd\ufffdRH\u0001\ufffd\ufffd\ufffd\ufffd_", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\u001f#]G\ufffd\ufffdzJ\u0016A\u0019\ufffd\u0013_\ufffd\u0005\ufffd_W\ufffd\ufffd\ufffd\u001a\u001eg\"\ufffde\u0007\u001c \ufffd\ufffd\u0018iO&\u001avQ\ufffd\ufffdr\ufffd\u0018\ufffd\u0005o\ufffd\ufffd?\ufffd\ufffd^\u0011\ufffd2n\u001e\"\u0002\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8aea8d513fbc6264f5b674dc71511729766e0dd6", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\u001f#]G\ufffd\ufffdzJ\u0016A\u0019\ufffd\u0013_\ufffd\u0005\ufffd_W\ufffd\ufffd\ufffd\u001a\u001eg\"\ufffde\u0007\u001c \ufffd\ufffd\u0018iO&\u001avQ\ufffd\ufffdr\ufffd\u0018\ufffd\u0005o\ufffd\ufffd?\ufffd\ufffd^\u0011\ufffd2n\u001e\"\u0002\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 88, "service": "kerberos", "service_label_fr": "KERBEROS" }, "evidence_snippet": "\ufffd\ufffd\ufffdB#]G\ufffd\ufffdzJA\ufffd_\ufffd\ufffd_W\ufffd\ufffd\ufffdg\"\ufffde \ufffd\ufffdiO&vQ\ufffd\ufffdr\ufffd\ufffdo\ufffd\ufffd?\ufffd\ufffd^\ufffd2n\"&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via KERBEROS:88 \u00b7 (reconnaissance)", "target_port_label": "88 \u00b7 KERBEROS", "emulator_service": "kerberos", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via KERBEROS \u2014 multi-protocole (63 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "kerberos", "service_label_fr": "KERBEROS", "dst_port": 88, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-kerberos", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdB\u001f#]G\ufffd\ufffdzJ\u0016A\u0019\ufffd\u0013_\ufffd\u0005\ufffd_W\ufffd\ufffd\ufffd\u001a\u001eg\"\ufffde\u0007\u001c \ufffd\ufffd\u0018iO&\u001avQ\ufffd\ufffdr\ufffd\u0018\ufffd\u0005o\ufffd\ufffd?\ufffd\ufffd^\u0011\ufffd2n\u001e\"\u0002\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 88, "service": "kerberos", "service_label_fr": "KERBEROS" }, "attack_vector": "port scan syn \u00b7 via KERBEROS:88 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdB#]G\ufffd\ufffdzJA\ufffd_\ufffd\ufffd_W\ufffd\ufffd\ufffdg\"\ufffde \ufffd\ufffdiO&vQ\ufffd\ufffdr\ufffd\ufffdo\ufffd\ufffd?\ufffd\ufffd^\ufffd2n\"&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "88 \u00b7 KERBEROS", "emulator_service": "kerberos", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "kerberos", "service_banner": "honeypot-kerberos", "service_os": "linux", "dst_port": "88" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 126, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 126, "scan_velocity_ports_per_s": 77.2, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 63, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	3000 · NODE HTTP	node-http	Scan de ports port scan syn · via NODE HTTP:3000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur NODE-HTTP WAF — Recommandation Surveiller Tags net_port_scan_fast node_http_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3000 Chemin / cible — Service NODE HTTP Payload ��.m��1M��]�';��l @ ��u��Vw�/`X��Q-j�TU1D!�z�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��.m��1M��]�';��l @ ��u��Vw�/`X��Q-j�TU1D!�z�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��.m��1M��]�';��l @ ��u��Vw�/`X��Q-j�TU1D!�z�&�+�/�,�0̨̩� �� /5� w �+3&$ ^O��Ra�(]�]�zf"c�>l�p��,�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120343034204e6f7420466f756e640d0a582d506f77657265642d42793a20457870726573730d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2031320d0a0d0a43616e6e6f7420474554202f", "emulator_response_len": 106, "bytes_in": 239, "payload_entropy": 5.79217699354461, "port_category": "registered", "org": "Google LLC", "service": "node-http", "app_proto": "node-http", "asn": 396982, "country": "US", "dst_port": 3000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "910d2e1ae5b8e831f5c5501738ac45d64bbf92fd", "event_fingerprint": "56c1d9e71ec0fbc64d6b78f88fe2220e0d1d5b61", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "node-http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b340a2e99e2893d3d662bffba60653e3", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 3000, "service": "node-http", "service_name": "node-http", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd.m\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1M\ufffd\ufffd\ufffd]\ufffd';\u0004\u001d\ufffd\ufffd\ufffdl\n\u0018@ \ufffd\ufffdu\ufffd\u0005\ufffdV\u001ew\ufffd\/\u0006`X\ufffd\ufffd\u0007\ufffdQ\u0000-j\ufffdT\u001bU1D!\ufffdz\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd.m\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1M\ufffd\ufffd\ufffd]\ufffd';\u0004\u001d\ufffd\ufffd\ufffdl\n\u0018@ \ufffd\ufffdu\ufffd\u0005\ufffdV\u001ew\ufffd\/\u0006`X\ufffd\ufffd\u0007\ufffdQ\u0000-j\ufffdT\u001bU1D!\ufffdz\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 ^O\ufffd\ufffdRa\ufffd(]\ufffd]\ufffdzf\"c\ufffd>l\ufffd\u0005p\ufffd\u0017\u0000\ufffd\u0003\ufffd,\ufffd\ufffd\u0007", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd.m\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1M\ufffd\ufffd\ufffd]\ufffd';\u0004\u001d\ufffd\ufffd\ufffdl\n\u0018@ \ufffd\ufffdu\ufffd\u0005\ufffdV\u001ew\ufffd\/\u0006`X\ufffd\ufffd\u0007\ufffdQ\u0000-j\ufffdT\u001bU1D!\ufffdz\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "56eec71867f52b8e0ae570d52533278e89722b40", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd.m\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1M\ufffd\ufffd\ufffd]\ufffd';\u0004\u001d\ufffd\ufffd\ufffdl\n\u0018@ \ufffd\ufffdu\ufffd\u0005\ufffdV\u001ew\ufffd\/\u0006`X\ufffd\ufffd\u0007\ufffdQ\u0000-j\ufffdT\u001bU1D!\ufffdz\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 3000, "service": "node-http", "service_label_fr": "NODE HTTP" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd.m\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1M\ufffd\ufffd\ufffd]\ufffd';\ufffd\ufffd\ufffdl\n@ \ufffd\ufffdu\ufffd\ufffdVw\ufffd\/`X\ufffd\ufffd\ufffdQ-j\ufffdTU1D!\ufffdz\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via NODE HTTP:3000 \u00b7 (reconnaissance)", "target_port_label": "3000 \u00b7 NODE HTTP", "emulator_service": "node-http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NODE HTTP \u2014 multi-protocole (63 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "node-http", "service_label_fr": "NODE HTTP", "dst_port": 3000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-node-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd.m\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1M\ufffd\ufffd\ufffd]\ufffd';\u0004\u001d\ufffd\ufffd\ufffdl\n\u0018@ \ufffd\ufffdu\ufffd\u0005\ufffdV\u001ew\ufffd\/\u0006`X\ufffd\ufffd\u0007\ufffdQ\u0000-j\ufffdT\u001bU1D!\ufffdz\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 3000, "service": "node-http", "service_label_fr": "NODE HTTP" }, "attack_vector": "port scan syn \u00b7 via NODE HTTP:3000 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd.m\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1M\ufffd\ufffd\ufffd]\ufffd';\ufffd\ufffd\ufffdl\n@ \ufffd\ufffdu\ufffd\ufffdVw\ufffd\/`X\ufffd\ufffd\ufffdQ-j\ufffdTU1D!\ufffdz\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "3000 \u00b7 NODE HTTP", "emulator_service": "node-http", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "node_http", "service_banner": "honeypot-node-http", "service_os": "linux", "dst_port": "3000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 126, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 126, "scan_velocity_ports_per_s": 76.81, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 63, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "node_http_emulated", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8880 · HTTP ALT 8880	http-alt-8880	Scan de ports port scan syn · via HTTP ALT 8880:8880 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-8880 WAF — Recommandation Surveiller Tags net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8880 Chemin / cible — Service HTTP ALT 8880 Payload ��I._� �#��^Ћ-�c�f�� YJ)�)á� ��g��g�?�� ;� ��mː)��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��I._� �#��^Ћ-�c�f��YJ)�)á� ��g��g�?��;��mː)��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��I._� �#��^Ћ-�c�f�� YJ)�)á� ��g��g�?�� ;� ��mː)��&�+�/�,�0̨̩� �� /5� w �+3&$ ��lV\|\e��WN��2�� rw ��? Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.82754706445753, "port_category": "registered", "org": "Google LLC", "service": "http-alt-8880", "app_proto": "http-alt-8880", "asn": 396982, "country": "US", "dst_port": 8880, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "5023c27c661fad443455d7c997cf8ecbff786722", "event_fingerprint": "357ff3213c654ade294f3304a97e92068c5db766", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "http-alt-8880", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "26379c975456f0e6c6be31e168e7982f", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8880, "service": "http-alt-8880", "service_name": "http-alt-8880", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I._\ufffd\r\ufffd#\ufffd\ufffd\ufffd^\u040b-\ufffdc\ufffd\u0007\u0016f\ufffd\ufffd\ufffd\fYJ)\ufffd)\u00e1\ufffd \ufffd\ufffdg\ufffd\ufffdg\ufffd\u001e?\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffd;\ufffd\u000b\ufffd\ufffdm\u02d0)\u0003\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I._\ufffd\r\ufffd#\ufffd\ufffd\ufffd^\u040b-\ufffdc\ufffd\u0007\u0016f\ufffd\ufffd\ufffd\fYJ)\ufffd)\u00e1\ufffd \ufffd\ufffdg\ufffd\ufffdg\ufffd\u001e?\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffd;\ufffd\u000b\ufffd\ufffdm\u02d0)\u0003\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdlV\|\\e\ufffd\ufffdW\u0018N\ufffd\ufffd\ufffd\ufffd2\ufffd\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014rw \ufffd\ufffd?", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I._\ufffd\r\ufffd#\ufffd\ufffd\ufffd^\u040b-\ufffdc\ufffd\u0007\u0016f\ufffd\ufffd\ufffd\fYJ)\ufffd)\u00e1\ufffd \ufffd\ufffdg\ufffd\ufffdg\ufffd\u001e?\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffd;\ufffd\u000b\ufffd\ufffdm\u02d0)\u0003\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c90f545ee59d04298455091fdaafa77af788a9e9", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I._\ufffd\r\ufffd#\ufffd\ufffd\ufffd^\u040b-\ufffdc\ufffd\u0007\u0016f\ufffd\ufffd\ufffd\fYJ)\ufffd)\u00e1\ufffd \ufffd\ufffdg\ufffd\ufffdg\ufffd\u001e?\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffd;\ufffd\u000b\ufffd\ufffdm\u02d0)\u0003\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8880, "service": "http-alt-8880", "service_label_fr": "HTTP ALT 8880" }, "evidence_snippet": "\ufffd\ufffdI._\ufffd\r\ufffd#\ufffd\ufffd\ufffd^\u040b-\ufffdc\ufffdf\ufffd\ufffd\ufffdYJ)\ufffd)\u00e1\ufffd \ufffd\ufffdg\ufffd\ufffdg\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd\ufffdm\u02d0)\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via HTTP ALT 8880:8880 \u00b7 (reconnaissance)", "target_port_label": "8880 \u00b7 HTTP ALT 8880", "emulator_service": "http-alt-8880", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8880 \u2014 multi-protocole (64 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "http-alt-8880", "service_label_fr": "HTTP ALT 8880", "dst_port": 8880, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8880", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I._\ufffd\r\ufffd#\ufffd\ufffd\ufffd^\u040b-\ufffdc\ufffd\u0007\u0016f\ufffd\ufffd\ufffd\fYJ)\ufffd)\u00e1\ufffd \ufffd\ufffdg\ufffd\ufffdg\ufffd\u001e?\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffd;\ufffd\u000b\ufffd\ufffdm\u02d0)\u0003\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8880, "service": "http-alt-8880", "service_label_fr": "HTTP ALT 8880" }, "attack_vector": "port scan syn \u00b7 via HTTP ALT 8880:8880 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdI._\ufffd\r\ufffd#\ufffd\ufffd\ufffd^\u040b-\ufffdc\ufffdf\ufffd\ufffd\ufffdYJ)\ufffd)\u00e1\ufffd \ufffd\ufffdg\ufffd\ufffdg\ufffd?\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd\ufffdm\u02d0)\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8880 \u00b7 HTTP ALT 8880", "emulator_service": "http-alt-8880", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8880", "service_banner": "honeypot-http-alt-8880", "service_os": "linux", "dst_port": "8880" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 127, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 127, "scan_velocity_ports_per_s": 77.1, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 64, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	30000 · MINIKUBE NODEPORT	minikube-nodeport	Scan de ports port scan syn · via MINIKUBE NODEPORT:30000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur MINIKUBE-NODEPORT WAF — Recommandation Surveiller Tags minikube_nodeport_emulated minikube_nodeport_payload net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 30000 Chemin / cible — Service MINIKUBE NODEPORT Payload ��= �#�a'��.C2�jn� jle �ޯ]��֑Au[��u�+ Y��b,�g�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��= �#�a'��.C2�jn� jle �ޯ]��֑Au[��u�+ Y��b,�g�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��= �#�a'��.C2�jn� jle �ޯ]��֑Au[��u�+ Y��b,�g�&�+�/�,�0̨̩� �� /5� w �+3&$ ЪB�j<�aj'��.K��8K#{�&�ǃ� i Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.741753308373003, "port_category": "registered", "org": "Google LLC", "service": "minikube-nodeport", "app_proto": "minikube-nodeport", "asn": 396982, "country": "US", "dst_port": 30000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "771c71b0230eebac5597f698e8683d3d7792be46", "event_fingerprint": "00ed2e5f6f68ec6f5791f8904473d7e752386221", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "minikube-nodeport", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c49c737ad7f4f1bb42b9dc5e1b5743ec", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 30000, "service": "minikube-nodeport", "service_name": "minikube-nodeport", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0011=\n\ufffd#\ufffd\u0012a'\u001e\ufffd\u000e\u001e\ufffd\ufffd.C2\ufffdjn\u001e\ufffd\t\u0001jle \ufffd\u07af]\ufffd\ufffd\u0591Au[\ufffd\ufffd\ufffd\ufffd\ufffdu\u0004\ufffd+\tY\ufffd\ufffd\u0012\u0015b,\ufffd\u0001g\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0011=\n\ufffd#\ufffd\u0012a'\u001e\ufffd\u000e\u001e\ufffd\ufffd.C2\ufffdjn\u001e\ufffd\t\u0001jle \ufffd\u07af]\ufffd\ufffd\u0591Au[\ufffd\ufffd\ufffd\ufffd\ufffdu\u0004\ufffd+\tY\ufffd\ufffd\u0012\u0015b,\ufffd\u0001g\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u042aB\u001f\ufffdj<\ufffdaj'\u0004\ufffd\ufffd.K\ufffd\ufffd8K#{\ufffd\u0018&\ufffd\u001e\u01c3\ufffd\ri", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0011=\n\ufffd#\ufffd\u0012a'\u001e\ufffd\u000e\u001e\ufffd\ufffd.C2\ufffdjn\u001e\ufffd\t\u0001jle \ufffd\u07af]\ufffd\ufffd\u0591Au[\ufffd\ufffd\ufffd\ufffd\ufffdu\u0004\ufffd+\tY\ufffd\ufffd\u0012\u0015b,\ufffd\u0001g\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "41986af86557ac51284cff377b7e216591f8cd29", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0011=\n\ufffd#\ufffd\u0012a'\u001e\ufffd\u000e\u001e\ufffd\ufffd.C2\ufffdjn\u001e\ufffd\t\u0001jle \ufffd\u07af]\ufffd\ufffd\u0591Au[\ufffd\ufffd\ufffd\ufffd\ufffdu\u0004\ufffd+\tY\ufffd\ufffd\u0012\u0015b,\ufffd\u0001g\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 30000, "service": "minikube-nodeport", "service_label_fr": "MINIKUBE NODEPORT" }, "evidence_snippet": "\ufffd\ufffd\ufffd=\n\ufffd#\ufffda'\ufffd\ufffd\ufffd.C2\ufffdjn\ufffd\tjle \ufffd\u07af]\ufffd\ufffd\u0591Au[\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd+\tY\ufffd\ufffdb,\ufffdg\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via MINIKUBE NODEPORT:30000 \u00b7 (reconnaissance)", "target_port_label": "30000 \u00b7 MINIKUBE NODEPORT", "emulator_service": "minikube-nodeport", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MINIKUBE NODEPORT \u2014 multi-protocole (64 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "minikube-nodeport", "service_label_fr": "MINIKUBE NODEPORT", "dst_port": 30000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-minikube-nodeport", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0011=\n\ufffd#\ufffd\u0012a'\u001e\ufffd\u000e\u001e\ufffd\ufffd.C2\ufffdjn\u001e\ufffd\t\u0001jle \ufffd\u07af]\ufffd\ufffd\u0591Au[\ufffd\ufffd\ufffd\ufffd\ufffdu\u0004\ufffd+\tY\ufffd\ufffd\u0012\u0015b,\ufffd\u0001g\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 30000, "service": "minikube-nodeport", "service_label_fr": "MINIKUBE NODEPORT" }, "attack_vector": "port scan syn \u00b7 via MINIKUBE NODEPORT:30000 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd=\n\ufffd#*\ufffda'\ufffd\ufffd\ufffd.C2\ufffdjn\ufffd\tjle \ufffd\u07af]\ufffd\ufffd\u0591Au[\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd+\tY\ufffd\ufffdb,\ufffdg\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "30000 \u00b7 MINIKUBE NODEPORT", "emulator_service": "minikube-nodeport", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "minikube_nodeport", "service_banner": "honeypot-minikube-nodeport", "service_os": "linux", "dst_port": "30000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 127, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 127, "scan_velocity_ports_per_s": 76.8, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 64, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "minikube_nodeport_emulated", "minikube_nodeport_payload", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8898 · TLS	tls	Scan de ports port scan syn · via TLS:8898 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8898 Chemin / cible — Service TLS Payload ��%uB�7>O,c<��n�� lv �iu��vCO˩αۻ�d��9��:R��A&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��%uB�7>O,c<��n�� lv �iu��vCO˩αۻ�d��9��:R��A&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��%uB�7>O,c<��n�� lv �iu��vCO˩αۻ�d��9��:R��A&�+�/�,�0̨̩� �� /5� w �+3&$ ��_\|a�1.��Rk�:��ؗ��: Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.849039333074034, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8898, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "f6111ce839ada027c8e106a97467d4680c17b679", "event_fingerprint": "625237fdfbdcf57fbd7400bbcbb7681d31ef707d", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "31137be35ccf43202c4d5930218ce9f3", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8898, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001%u\u001dB\ufffd7>O,c<\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\u0002\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\tlv \ufffdiu\ufffd\u0018\ufffdvCO\u02e9\u0010\u03b1\u06fb\ufffdd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd:R\ufffd\ufffdA\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001%u\u001dB\ufffd7>O,c<\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\u0002\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\tlv \ufffdiu\ufffd\u0018\ufffdvCO\u02e9\u0010\u03b1\u06fb\ufffdd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd:R\ufffd\ufffdA\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd\ufffd_\|a\ufffd1.\ufffd\u0016\ufffd\u0005\ufffd\u0015\ufffd\u0014Rk\ufffd:\ufffd\ufffd\ufffd\u0617\ufffd\ufffd:", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001%u\u001dB\ufffd7>O,c<\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\u0002\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\tlv \ufffdiu\ufffd\u0018\ufffdvCO\u02e9\u0010\u03b1\u06fb\ufffdd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd:R\ufffd\ufffdA\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d6d9c191b0ad3052812120a75d1f5ccdb6218f8b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001%u\u001dB\ufffd7>O,c<\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\u0002\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\tlv \ufffdiu\ufffd\u0018\ufffdvCO\u02e9\u0010\u03b1\u06fb\ufffdd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd:R\ufffd\ufffdA\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8898, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd%uB\ufffd7>O,c<\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\tlv \ufffdiu\ufffd\ufffdvCO\u02e9\u03b1\u06fb\ufffdd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd:R\ufffd\ufffdA&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8898 \u00b7 (reconnaissance)", "target_port_label": "8898 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (64 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8898, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u0001%u\u001dB\ufffd7>O,c<\u0003\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\u0002\ufffd\u0010\ufffd\ufffd\ufffd\ufffd\tlv \ufffdiu\ufffd\u0018\ufffdvCO\u02e9\u0010\u03b1\u06fb\ufffdd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd:R\ufffd\ufffdA\u001c\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8898, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8898 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd%uB\ufffd7>O,c<\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\tlv \ufffdiu\ufffd\ufffdvCO\u02e9\u03b1\u06fb\ufffdd\ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd:R\ufffd\ufffdA&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8898 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8898" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 128, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 128, "scan_velocity_ports_per_s": 77.1, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 64, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	8900 · TLS	tls	Scan de ports port scan syn · via TLS:8900 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8900 Chemin / cible — Service TLS Payload ��d�@�?W%w/��j��\ϝ�4��i�L��M�mk> �{��fFa��t Q��hd�� 5�W&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��d�@�?W%w/��j��\ϝ�4��i�L��M�mk> �{��fFa��tQ��hd��5�W&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��d�@�?W%w/��j��\ϝ�4��i�L��M�mk> �{��fFa��t Q��hd�� 5�W&�+�/�,�0̨̩� �� /5� w �+3&$ �0S��HD��^&��p��ڳ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8735926804447764, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8900, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "9113d016f17a247f7874aacf6575ca5ed3e81296", "event_fingerprint": "0a4cc0b1c5a1ce5d89fbf7664315d3dceec02337", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "8618c908be18ae202d068b8ff2bb5ab2", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8900, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd@\ufffd?W%w\/\ufffd\ufffd\ufffdj\ufffd\ufffd\\\u03dd\ufffd4\ufffd\ufffdi\ufffdL\ufffd\ufffdM\ufffdmk> \ufffd{\ufffd\ufffdf\u0019Fa\ufffd\ufffd\u0017\ufffdt\u000bQ\ufffd\ufffd\u001c\u001bhd\ufffd\ufffd\ufffd\f\ufffd\u001a\ufffd5\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd@\ufffd?W%w\/\ufffd\ufffd\ufffdj\ufffd\ufffd\\\u03dd\ufffd4\ufffd\ufffdi\ufffdL\ufffd\ufffdM\ufffdmk> \ufffd{\ufffd\ufffdf\u0019Fa\ufffd\ufffd\u0017\ufffdt\u000bQ\ufffd\ufffd\u001c\u001bhd\ufffd\ufffd\ufffd\f\ufffd\u001a\ufffd5\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd0S\ufffd\ufffd\ufffdHD\ufffd\u001d\ufffd\ufffd^\u0019&\ufffd\ufffd\ufffd\ufffd\u001d\u001f\ufffd\ufffdp\u001a\u001e\ufffd\ufffd\u06b3\u0019", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd@\ufffd?W%w\/\ufffd\ufffd\ufffdj\ufffd\ufffd\\\u03dd\ufffd4\ufffd\ufffdi\ufffdL\ufffd\ufffdM\ufffdmk> \ufffd{\ufffd\ufffdf\u0019Fa\ufffd\ufffd\u0017\ufffdt\u000bQ\ufffd\ufffd\u001c\u001bhd\ufffd\ufffd\ufffd\f\ufffd\u001a\ufffd5\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fba5b0d50219b53ace8c5bec7a2a285ec7b439ba", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd@\ufffd?W%w\/\ufffd\ufffd\ufffdj\ufffd\ufffd\\\u03dd\ufffd4\ufffd\ufffdi\ufffdL\ufffd\ufffdM\ufffdmk> \ufffd{\ufffd\ufffdf\u0019Fa\ufffd\ufffd\u0017\ufffdt\u000bQ\ufffd\ufffd\u001c\u001bhd\ufffd\ufffd\ufffd\f\ufffd\u001a\ufffd5\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8900, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdd\ufffd@\ufffd?W%w\/\ufffd\ufffd\ufffdj\ufffd\ufffd\\\u03dd\ufffd4\ufffd\ufffdi\ufffdL\ufffd\ufffdM\ufffdmk> \ufffd{\ufffd\ufffdfFa\ufffd\ufffd\ufffdtQ\ufffd\ufffdhd\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffdW&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:8900 \u00b7 (reconnaissance)", "target_port_label": "8900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (64 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8900, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd@\ufffd?W%w\/\ufffd\ufffd\ufffdj\ufffd\ufffd\\\u03dd\ufffd4\ufffd\ufffdi\ufffdL\ufffd\ufffdM\ufffdmk> \ufffd{\ufffd\ufffdf\u0019Fa\ufffd\ufffd\u0017\ufffdt\u000bQ\ufffd\ufffd\u001c\u001bhd\ufffd\ufffd\ufffd\f\ufffd\u001a\ufffd5\ufffdW\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8900, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:8900 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdd\ufffd@\ufffd?W%w\/\ufffd\ufffd\ufffdj\ufffd\ufffd\\\u03dd\ufffd4\ufffd\ufffdi\ufffdL\ufffd\ufffdM\ufffdmk> \ufffd{\ufffd\ufffdfFa\ufffd\ufffd\ufffdtQ\ufffd\ufffdhd\ufffd\ufffd\ufffd\ufffd\ufffd5\ufffdW&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "8900 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8900" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 129, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 129, "scan_velocity_ports_per_s": 77.4, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 64, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	3002 · TLS	tls	Scan de ports port scan syn · via TLS:3002 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3002 Chemin / cible — Service TLS Payload ��U>��2JWN�vcw�3�p�� 0�� #%��A��X�6' ��R�.X��\�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��U>��2JWN�vcw�3�p�� 0�� #%��A��X�6' ��R�.X��\�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��U>��2JWN�vcw�3�p�� 0�� #%��A��X�6' ��R�.X��\�&�+�/�,�0̨̩� �� /5� w �+3&$ �華%x��=LL��z_�O�d҅�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.830038192806699, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 3002, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "a0c45e7177b933e629d9ad518af273e6943a71ac", "event_fingerprint": "156b9d935fa5330c327c51cad74727d180f38b56", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "9cbf1ae98c223eb876ac11c94fcbea01", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 3002, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdU>\u001a\ufffd\ufffd\u0011\ufffd\u0002\ufffd2JWN\ufffdvcw\ufffd3\ufffdp\ufffd\ufffd 0\ufffd\u001b\ufffd\ufffd #%\ufffd\ufffd\ufffd\ufffdA\ufffd\u0000\ufffd\ufffdX\ufffd6'\r\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd.X\ufffd\u001e\ufffd\ufffd\\\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdU>\u001a\ufffd\ufffd\u0011\ufffd\u0002\ufffd2JWN\ufffdvcw\ufffd3\ufffdp\ufffd\ufffd 0\ufffd\u001b\ufffd\ufffd #%\ufffd\ufffd\ufffd\ufffdA\ufffd\u0000\ufffd\ufffdX\ufffd6'\r\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd.X\ufffd\u001e\ufffd\ufffd\\\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u83ef%x\ufffd\ufffd\ufffd=\u000eLL\u0004\ufffd\u0007\ufffdz_\u001e\ufffd\u0001O\ufffdd\u0485\ufffd\ufffd\u0005\ufffd\u0007", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdU>\u001a\ufffd\ufffd\u0011\ufffd\u0002\ufffd2JWN\ufffdvcw\ufffd3\ufffdp\ufffd\ufffd 0\ufffd\u001b\ufffd\ufffd #%\ufffd\ufffd\ufffd\ufffdA\ufffd\u0000\ufffd\ufffdX\ufffd6'\r\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd.X\ufffd\u001e\ufffd\ufffd\\\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "36db8868ecb187213adb9dafe96f0bb5d6524c4a", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdU>\u001a\ufffd\ufffd\u0011\ufffd\u0002\ufffd2JWN\ufffdvcw\ufffd3\ufffdp\ufffd\ufffd 0\ufffd\u001b\ufffd\ufffd #%\ufffd\ufffd\ufffd\ufffdA\ufffd\u0000\ufffd\ufffdX\ufffd6'\r\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd.X\ufffd\u001e\ufffd\ufffd\\\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 3002, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdU>\ufffd\ufffd\ufffd\ufffd2JWN\ufffdvcw\ufffd3\ufffdp\ufffd\ufffd 0\ufffd\ufffd\ufffd #%\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffdX\ufffd6'\r\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd.X\ufffd\ufffd\ufffd\\\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:3002 \u00b7 (reconnaissance)", "target_port_label": "3002 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (64 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 3002, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffdU>\u001a\ufffd\ufffd\u0011\ufffd\u0002\ufffd2JWN\ufffdvcw\ufffd3\ufffdp\ufffd\ufffd 0\ufffd\u001b\ufffd\ufffd #%\ufffd\ufffd\ufffd\ufffdA\ufffd\u0000\ufffd\ufffdX\ufffd6'\r\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd.X\ufffd\u001e\ufffd\ufffd\\\ufffd\u001d\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 3002, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:3002 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdU>\ufffd\ufffd\ufffd\ufffd2JWN\ufffdvcw\ufffd3\ufffdp\ufffd\ufffd 0\ufffd\ufffd\ufffd #%\ufffd\ufffd\ufffd\ufffdA\ufffd\ufffd\ufffdX\ufffd6'\r\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffd.X\ufffd\ufffd\ufffd\\\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "3002 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "3002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 129, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 129, "scan_velocity_ports_per_s": 77.1, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 64, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	32000 · TLS	tls	Scan de ports port scan syn · via TLS:32000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 32000 Chemin / cible — Service TLS Payload ��t�/.�p�8?+��X1��[�ɅZ�,$�v�!~w� h�Νl�d��\|W!��ǜ\�� ĀET�W�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��t�/.�p�8?+��X1��[�ɅZ�,$�v�!~w� h�Νl�d��\|W!��ǜ\�� ĀET�W�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��t�/.�p�8?+��X1��[�ɅZ�,$�v�!~w� h�Νl�d��\|W!��ǜ\�� ĀET�W�&�+�/�,�0̨̩� �� /5� w �+3&$ ��2��s��=��(Frx�IO Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.7809787244274045, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 32000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "592313efe083b3358bb9a622d67dcae9288c91d4", "event_fingerprint": "c3d9f5db7c0ec2536b009196a088752e86a85bcf", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "2a15ab6732c5bd4c8d47ced23619116a", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 32000, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\/.\ufffdp\ufffd8?+\ufffd\ufffdX1\u001c\ufffd\ufffd[\ufffd\u0245Z\ufffd,$\ufffdv\ufffd!~w\ufffd h\ufffd\u0002\u039dl\ufffdd\ufffd\ufffd\|W!\ufffd\ufffd\u01dc\u0006\\\ufffd\ufffd \u0100E\u0019T\ufffd\bW\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\/.\ufffdp\ufffd8?+\ufffd\ufffdX1\u001c\ufffd\ufffd[\ufffd\u0245Z\ufffd,$\ufffdv\ufffd!~w\ufffd h\ufffd\u0002\u039dl\ufffdd\ufffd\ufffd\|W!\ufffd\ufffd\u01dc\u0006\\\ufffd\ufffd \u0100E\u0019T\ufffd\bW\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u00022\ufffd\u0005\ufffd\u001ds\ufffd\ufffd\ufffd\u0019\u001a=\ufffd\u0000\ufffd(F\b\u0015\u0019rx\ufffdIO", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\/.\ufffdp\ufffd8?+\ufffd\ufffdX1\u001c\ufffd\ufffd[\ufffd\u0245Z\ufffd,$\ufffdv\ufffd!~w\ufffd h\ufffd\u0002\u039dl\ufffdd\ufffd\ufffd\|W!\ufffd\ufffd\u01dc\u0006\\\ufffd\ufffd \u0100E\u0019T\ufffd\bW\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e6aabc8598f4fcff65f384492e97c63ea0e13584", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\/.\ufffdp\ufffd8?+\ufffd\ufffdX1\u001c\ufffd\ufffd[\ufffd\u0245Z\ufffd,$\ufffdv\ufffd!~w\ufffd h\ufffd\u0002\u039dl\ufffdd\ufffd\ufffd\|W!\ufffd\ufffd\u01dc\u0006\\\ufffd\ufffd \u0100E\u0019T\ufffd\bW\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 32000, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdt\ufffd\/.\ufffdp\ufffd8?+\ufffd\ufffdX1\ufffd\ufffd[\ufffd\u0245Z\ufffd,$\ufffdv\ufffd!~w\ufffd h\ufffd\u039dl\ufffdd\ufffd\ufffd\|W!\ufffd\ufffd\u01dc\\\ufffd\ufffd \u0100ET\ufffdW\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:32000 \u00b7 (reconnaissance)", "target_port_label": "32000 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (64 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 32000, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003t\ufffd\/.\ufffdp\ufffd8?+\ufffd\ufffdX1\u001c\ufffd\ufffd[\ufffd\u0245Z\ufffd,$\ufffdv\ufffd!~w\ufffd h\ufffd\u0002\u039dl\ufffdd\ufffd\ufffd\|W!\ufffd\ufffd\u01dc\u0006\\\ufffd\ufffd \u0100E\u0019T\ufffd\bW\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 32000, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:32000 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdt\ufffd\/.\ufffdp\ufffd8?+\ufffd\ufffdX1\ufffd\ufffd[\ufffd\u0245Z\ufffd,$\ufffdv\ufffd!~w\ufffd h\ufffd\u039dl\ufffdd\ufffd\ufffd\|W!\ufffd\ufffd\u01dc\\\ufffd\ufffd \u0100ET\ufffdW\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "32000 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "32000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 129, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 129, "scan_velocity_ports_per_s": 76.7, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 64, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	9001 · TOR OR	tor-or	Scan de ports port scan syn · via TOR OR:9001 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TOR-OR WAF — Recommandation Surveiller Tags net_port_scan_fast tls_clienthello tor_exit_probe tor_or_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9001 Chemin / cible — Service TOR OR Payload ��G?�j��4�SKjHC��2��#��3��+q�s `��Z�3A�h��=�d��$��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 5 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��G?�j��4�SKjHC��2��#��3��+q�s `��Z�3A�h��=�d��$��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��G?�j��4�SKjHC��2��#��3��+q�s `��Z�3A�h��=�d��$��&�+�/�,�0̨̩� �� /5� w �+3&$ � G��u��{>2��7��\�<�Q�o Meta JSON brut { "protocol_emulated": true, "emulator_response": "030000000000000000", "emulator_response_len": 9, "bytes_in": 239, "payload_entropy": 5.878948523129612, "port_category": "registered", "org": "Google LLC", "service": "tor-or", "app_proto": "tor-or", "asn": 396982, "country": "US", "dst_port": 9001, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 0, "campaign_key": "8070529ea809db521e77d6c1e264f298470db612", "event_fingerprint": "ad0b471326720f66329abc8483052ac26a31da24", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tor-or", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ce2a560b8672b46b532ad8b7c88be6fa", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9001, "service": "tor-or", "service_name": "tor-or", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG?\ufffdj\ufffd\u000e\ufffd\ufffd4\ufffdSKjHC\ufffd\ufffd2\ufffd\ufffd#\ufffd\ufffd3\ufffd\ufffd+q\ufffds `\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd3A\ufffdh\ufffd\ufffd=\ufffdd\ufffd\ufffd$\ufffd\ufffd\ufffd\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG?\ufffdj\ufffd\u000e\ufffd\ufffd4\ufffdSKjHC\ufffd\ufffd2\ufffd\ufffd#\ufffd\ufffd3\ufffd\ufffd+q\ufffds `\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd3A\ufffdh\ufffd\ufffd=\ufffdd\ufffd\ufffd$\ufffd\ufffd\ufffd\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u001b\u000bG\ufffd\ufffd\u001b\ufffdu\ufffd\ufffd\ufffd\b\ufffd{>2\ufffd\ufffd\ufffd7\ufffd\ufffd\ufffd\\\ufffd<\ufffdQ\ufffdo", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG?\ufffdj\ufffd\u000e\ufffd\ufffd4\ufffdSKjHC\ufffd\ufffd2\ufffd\ufffd#\ufffd\ufffd3\ufffd\ufffd+q\ufffds `\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd3A\ufffdh\ufffd\ufffd=\ufffdd\ufffd\ufffd$\ufffd\ufffd\ufffd\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "756109722c6b6938f875b06235c997c2c1fcde60", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG?\ufffdj\ufffd\u000e\ufffd\ufffd4\ufffdSKjHC\ufffd\ufffd2\ufffd\ufffd#\ufffd\ufffd3\ufffd\ufffd+q\ufffds `\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd3A\ufffdh\ufffd\ufffd=\ufffdd\ufffd\ufffd$\ufffd\ufffd\ufffd\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9001, "service": "tor-or", "service_label_fr": "TOR OR" }, "evidence_snippet": "\ufffd\ufffd\ufffdG?\ufffdj\ufffd\ufffd\ufffd4\ufffdSKjHC\ufffd\ufffd2\ufffd\ufffd#\ufffd\ufffd3\ufffd\ufffd+q\ufffds `\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd3A\ufffdh\ufffd\ufffd=\ufffdd\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TOR OR:9001 \u00b7 (reconnaissance)", "target_port_label": "9001 \u00b7 TOR OR", "emulator_service": "tor-or", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TOR OR \u2014 multi-protocole (65 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 25, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tor-or", "service_label_fr": "TOR OR", "dst_port": 9001, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tor-or", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG?\ufffdj\ufffd\u000e\ufffd\ufffd4\ufffdSKjHC\ufffd\ufffd2\ufffd\ufffd#\ufffd\ufffd3\ufffd\ufffd+q\ufffds `\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd3A\ufffdh\ufffd\ufffd=\ufffdd\ufffd\ufffd$\ufffd\ufffd\ufffd\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9001, "service": "tor-or", "service_label_fr": "TOR OR" }, "attack_vector": "port scan syn \u00b7 via TOR OR:9001 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdG?\ufffdj\ufffd\ufffd\ufffd4\ufffdSKjHC\ufffd\ufffd2\ufffd\ufffd#\ufffd\ufffd3\ufffd\ufffd+q\ufffds `\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdZ\ufffd3A\ufffdh\ufffd\ufffd=\ufffdd\ufffd\ufffd$\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9001 \u00b7 TOR OR", "emulator_service": "tor-or", "confidence_reason": "Confiance 100 % \u2014 5 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tor_or", "service_banner": "honeypot-tor-or", "service_os": "linux", "dst_port": "9001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 131, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 131, "scan_velocity_ports_per_s": 77.25, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 65, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_clienthello", "tor_exit_probe", "tor_or_emulated", "tor_or_payload" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	9002 · MINIO CONSOLE	minio-console	Scan de ports port scan syn · via MINIO CONSOLE:9002 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur MINIO-CONSOLE WAF — Recommandation Surveiller Tags net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9002 Chemin / cible — Service MINIO CONSOLE Payload ��9Ԓ�.1�V��fL�j�4l��2�:x1��M YV0/��'\b�/(5C�P�'ɉY&��"�l�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��9Ԓ�.1�V��fL�j�4l��2�:x1��M YV0/��'\b�/(5C�P�'ɉY&��"�l�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��9Ԓ�.1�V��fL�j�4l��2�:x1��M YV0/��'\b�/(5C�P�'ɉY&��"�l�&�+�/�,�0̨̩� �� /5� w �+3&$ Pu� �ѫ'J��Z�o�`^q��.EY9�& Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.8653706465696285, "port_category": "registered", "org": "Google LLC", "service": "minio-console", "app_proto": "minio-console", "asn": 396982, "country": "US", "dst_port": 9002, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.6, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "cb1a04b529a6678be1e7d97542c20c167de05e38", "event_fingerprint": "1ecc4a8cf9348bc993033dc2db3257374f3e4996", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "minio-console", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5180d21ab1b6aa84ff7c9e63ac8d835e", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9002, "service": "minio-console", "service_name": "minio-console", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001b9\u0512\ufffd.1\u0017\ufffdV\ufffd\ufffdfL\ufffdj\ufffd4l\ufffd\ufffd2\ufffd:x1\u0014\ufffd\u001e\u000f\ufffdM YV0\/\ufffd\ufffd'\\b\ufffd\/(5C\ufffd\bP\ufffd'\u0249Y&\ufffd\ufffd\"\ufffdl\ufffd\u001c\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001b9\u0512\ufffd.1\u0017\ufffdV\ufffd\ufffdfL\ufffdj\ufffd4l\ufffd\ufffd2\ufffd:x1\u0014\ufffd\u001e\u000f\ufffdM YV0\/\ufffd\ufffd'\\b\ufffd\/(5C\ufffd\bP\ufffd'\u0249Y&\ufffd\ufffd\"\ufffdl\ufffd\u001c\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Pu\ufffd\f\ufffd\u046b'J\ufffd\ufffd\ufffdZ\ufffd\u0017o\ufffd`^q\ufffd\u001b\u001e\u000f\ufffd.EY9\ufffd&", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001b9\u0512\ufffd.1\u0017\ufffdV\ufffd\ufffdfL\ufffdj\ufffd4l\ufffd\ufffd2\ufffd:x1\u0014\ufffd\u001e\u000f\ufffdM YV0\/\ufffd\ufffd'\\b\ufffd\/(5C\ufffd\bP\ufffd'\u0249Y&\ufffd\ufffd\"\ufffdl\ufffd\u001c\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fd43931aecd6323260046439f0cda8e5bfb7d50b", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001b9\u0512\ufffd.1\u0017\ufffdV\ufffd\ufffdfL\ufffdj\ufffd4l\ufffd\ufffd2\ufffd:x1\u0014\ufffd\u001e\u000f\ufffdM YV0\/\ufffd\ufffd'\\b\ufffd\/(5C\ufffd\bP\ufffd'\u0249Y&\ufffd\ufffd\"\ufffdl\ufffd\u001c\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9002, "service": "minio-console", "service_label_fr": "MINIO CONSOLE" }, "evidence_snippet": "\ufffd\ufffd9\u0512\ufffd.1\ufffdV\ufffd\ufffdfL\ufffdj\ufffd4l\ufffd\ufffd2\ufffd:x1\ufffd\ufffdM YV0\/\ufffd\ufffd'\\b\ufffd\/(5C\ufffdP\ufffd'\u0249Y&\ufffd\ufffd\"\ufffdl\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via MINIO CONSOLE:9002 \u00b7 (reconnaissance)", "target_port_label": "9002 \u00b7 MINIO CONSOLE", "emulator_service": "minio-console", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MINIO CONSOLE \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "minio-console", "service_label_fr": "MINIO CONSOLE", "dst_port": 9002, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-minio-console", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001b9\u0512\ufffd.1\u0017\ufffdV\ufffd\ufffdfL\ufffdj\ufffd4l\ufffd\ufffd2\ufffd:x1\u0014\ufffd\u001e\u000f\ufffdM YV0\/\ufffd\ufffd'\\b\ufffd\/(5C\ufffd\bP\ufffd'\u0249Y&\ufffd\ufffd\"\ufffdl\ufffd\u001c\u0010\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9002, "service": "minio-console", "service_label_fr": "MINIO CONSOLE" }, "attack_vector": "port scan syn \u00b7 via MINIO CONSOLE:9002 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd9\u0512\ufffd.1\ufffdV\ufffd\ufffdfL\ufffdj\ufffd4l\ufffd\ufffd2\ufffd:x1\ufffd\ufffdM YV0\/\ufffd\ufffd'\\b\ufffd\/(5C\ufffdP\ufffd'\u0249Y&\ufffd\ufffd\"\ufffdl\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9002 \u00b7 MINIO CONSOLE", "emulator_service": "minio-console", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "minio_console", "service_banner": "honeypot-minio-console", "service_os": "linux", "dst_port": "9002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 132, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 132, "scan_velocity_ports_per_s": 77.43, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	4001 · NOMAD HTTP	nomad-http	Scan de ports port scan syn · via NOMAD HTTP:4001 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur NOMAD-HTTP WAF — Recommandation Surveiller Tags net_port_scan_fast nomad_http_emulated nomad_http_payload tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4001 Chemin / cible — Service NOMAD HTTP Payload ��c��=��r��\+��u7�ʃ��s� k}`W� �1��(��8��L��&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��c��=��r��\+��u7�ʃ��s� k}`W� �1��(��8��L��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��c��=��r��\+��u7�ʃ��s� k}`W� �1��(��8��L��&�+�/�,�0̨̩� �� /5� w �+3&$ �hn��b\]z�d'fOVF��{}��T Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.907458850337607, "port_category": "registered", "org": "Google LLC", "service": "nomad-http", "app_proto": "nomad-http", "asn": 396982, "country": "US", "dst_port": 4001, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "da565258dc7abe4b690e72706a46aa33eb12379f", "event_fingerprint": "1710fe16dc3b4fac12cb708baf813cd8f7c8cdf7", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "nomad-http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6009962209448f3840fb6aae8a777a73", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4001, "service": "nomad-http", "service_name": "nomad-http", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\ufffd\ufffd\ufffd\ufffd\u001f=\u0002\ufffd\ufffd\ufffd\ufffd\ufffdr\u0015\ufffd\ufffd\\+\ufffd\ufffdu7\ufffd\u0283\ufffd\ufffds\u0012\ufffd k}`W\u0015\ufffd\t\u001c\ufffd1\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\ufffd\u0007\u00198\ufffd\ufffd\ufffd\ufffdL\ufffd\u001f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\ufffd\ufffd\ufffd\ufffd\u001f=\u0002\ufffd\ufffd\ufffd\ufffd\ufffdr\u0015\ufffd\ufffd\\+\ufffd\ufffdu7\ufffd\u0283\ufffd\ufffds\u0012\ufffd k}`W\u0015\ufffd\t\u001c\ufffd1\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\ufffd\u0007\u00198\ufffd\ufffd\ufffd\ufffdL\ufffd\u001f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdhn\ufffd\ufffd\u000f\u0012b\\]z\ufffd\u0004d'fOVF\ufffd\ufffd\u0018\ufffd{\u0016\u001f}\ufffd\ufffd\ufffdT\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\ufffd\ufffd\ufffd\ufffd\u001f=\u0002\ufffd\ufffd\ufffd\ufffd\ufffdr\u0015\ufffd\ufffd\\+\ufffd\ufffdu7\ufffd\u0283\ufffd\ufffds\u0012\ufffd k}`W\u0015\ufffd\t\u001c\ufffd1\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\ufffd\u0007\u00198\ufffd\ufffd\ufffd\ufffdL\ufffd\u001f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4dc66decd9be401bcc2e77a70f4c7b9ef634aa08", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\ufffd\ufffd\ufffd\ufffd\u001f=\u0002\ufffd\ufffd\ufffd\ufffd\ufffdr\u0015\ufffd\ufffd\\+\ufffd\ufffdu7\ufffd\u0283\ufffd\ufffds\u0012\ufffd k}`W\u0015\ufffd\t\u001c\ufffd1\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\ufffd\u0007\u00198\ufffd\ufffd\ufffd\ufffdL\ufffd\u001f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4001, "service": "nomad-http", "service_label_fr": "NOMAD HTTP" }, "evidence_snippet": "\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffd\ufffd\\+\ufffd\ufffdu7\ufffd\u0283\ufffd\ufffds\ufffd k}`W\ufffd\t\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdL\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via NOMAD HTTP:4001 \u00b7 (reconnaissance)", "target_port_label": "4001 \u00b7 NOMAD HTTP", "emulator_service": "nomad-http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via NOMAD HTTP \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "nomad-http", "service_label_fr": "NOMAD HTTP", "dst_port": 4001, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-nomad-http", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c\ufffd\ufffd\ufffd\ufffd\u001f=\u0002\ufffd\ufffd\ufffd\ufffd\ufffdr\u0015\ufffd\ufffd\\+\ufffd\ufffdu7\ufffd\u0283\ufffd\ufffds\u0012\ufffd k}`W\u0015\ufffd\t\u001c\ufffd1\u001b\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\ufffd\u0007\u00198\ufffd\ufffd\ufffd\ufffdL\ufffd\u001f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4001, "service": "nomad-http", "service_label_fr": "NOMAD HTTP" }, "attack_vector": "port scan syn \u00b7 via NOMAD HTTP:4001 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd=\ufffd\ufffd\ufffd\ufffd\ufffdr\ufffd\ufffd\\+\ufffd\ufffdu7\ufffd\u0283\ufffd\ufffds\ufffd k}`W\ufffd\t\ufffd1\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd(\ufffd\ufffd8\ufffd\ufffd\ufffd\ufffdL\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "4001 \u00b7 NOMAD HTTP", "emulator_service": "nomad-http", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "nomad_http", "service_banner": "honeypot-nomad-http", "service_os": "linux", "dst_port": "4001" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 132, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 132, "scan_velocity_ports_per_s": 77.14, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "nomad_http_emulated", "nomad_http_payload", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	9003 · TLS	tls	Scan de ports port scan syn · via TLS:9003 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9003 Chemin / cible — Service TLS Payload �� mŠ��x� %��7[�� x@tW�Pb �m$� �{N�^t�O�;��R�׎K"Ş�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��mŠ��x� %��7[��x@tW�Pb �m$� �{N�^t�O�;��R�׎K"Ş�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) �� mŠ��x� %��7[�� x@tW�Pb �m$� �{N�^t�O�;��R�׎K"Ş�&�+�/�,�0̨̩� �� /5� w �+3&$ p�); �>Jf��ů-��8�m�\|X�)�38 Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.857528374682898, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 9003, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.5, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "72974fd359809a4911dcfa6ed8b4b886c9baeda8", "event_fingerprint": "bdf973725b7cfa692769aa909d52b0ce5b5fdded", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ac08976497617e1cef3b77c4b7e052ee", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9003, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\u0016\ufffd\ue98em\u0160\ufffd\u0017\ufffdx\ufffd\t%\ufffd\ufffd7[\ufffd\ufffd\u000b\fx@tW\ufffdPb \ufffdm$\ufffd \ufffd{N\ufffd^t\ufffdO\ufffd;\ufffd\uf42b\ufffdR\ufffd\u05ceK\u0002\"\u015e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\u0016\ufffd\ue98em\u0160\ufffd\u0017\ufffdx\ufffd\t%\ufffd\ufffd7[\ufffd\ufffd\u000b\fx@tW\ufffdPb \ufffdm$\ufffd \ufffd{N\ufffd^t\ufffdO\ufffd;\ufffd\uf42b\ufffdR\ufffd\u05ceK\u0002\"\u015e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 p\ufffd);\r\u0002\ufffd>Jf\ufffd\u001d\ufffd\ufffd\u016f-\ufffd\ufffd8\u001a\u0011\ufffdm\ufffd\|X\ufffd)\ufffd38", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\u0016\ufffd\ue98em\u0160\ufffd\u0017\ufffdx\ufffd\t%\ufffd\ufffd7[\ufffd\ufffd\u000b\fx@tW\ufffdPb \ufffdm$\ufffd \ufffd{N\ufffd^t\ufffdO\ufffd;\ufffd\uf42b\ufffdR\ufffd\u05ceK\u0002\"\u015e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b1c090fe0cfd20327379ddd26b30b06180f01520", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\u0016\ufffd\ue98em\u0160\ufffd\u0017\ufffdx\ufffd\t%\ufffd\ufffd7[\ufffd\ufffd\u000b\fx@tW\ufffdPb \ufffdm$\ufffd \ufffd{N\ufffd^t\ufffdO\ufffd;\ufffd\uf42b\ufffdR\ufffd\u05ceK\u0002\"\u015e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9003, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ue98em\u0160\ufffd\ufffdx\ufffd\t%\ufffd\ufffd7[\ufffd\ufffdx@tW\ufffdPb \ufffdm$\ufffd \ufffd{N\ufffd^t\ufffdO\ufffd;\ufffd\uf42b\ufffdR\ufffd\u05ceK\"\u015e\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:9003 \u00b7 (reconnaissance)", "target_port_label": "9003 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 9003, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\f\u0016\ufffd\ue98em\u0160\ufffd\u0017\ufffdx\ufffd\t%\ufffd\ufffd7[\ufffd\ufffd\u000b\fx@tW\ufffdPb \ufffdm$\ufffd \ufffd{N\ufffd^t\ufffdO\ufffd;\ufffd\uf42b\ufffdR\ufffd\u05ceK\u0002\"\u015e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9003, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:9003 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ue98em\u0160\ufffd\ufffdx\ufffd\t%\ufffd\ufffd7[\ufffd\ufffdx@tW\ufffdPb \ufffdm$\ufffd \ufffd{N\ufffd^t\ufffdO\ufffd;\ufffd\uf42b\ufffdR\ufffd\u05ceK\"\u015e\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9003 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "9003" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 133, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 133, "scan_velocity_ports_per_s": 77.43, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	4000 · REMOTEANYTHING	remoteanything	Scan de ports port scan syn · via REMOTEANYTHING:4000 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur REMOTEANYTHING WAF — Recommandation Surveiller Tags net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4000 Chemin / cible — Service REMOTEANYTHING Payload ��z��MQ��-mJ��FￖV��] ��J��;}ǃ�?��۩;R�f6A�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 2 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��z��MQ��-mJ��FￖV��] ��J��;}ǃ�?��۩;R�f6A�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��z��MQ��-mJ��FￖV��] ��J��;}ǃ�?��۩;R�f6A�&�+�/�,�0̨̩� �� /5� w �+3&$ J��Zr\r\�:,�Y�?��x��jv��d, Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742072656d6f7465616e797468696e6720726561647920706f72743d343030300d0a", "emulator_response_len": 45, "bytes_in": 239, "payload_entropy": 5.858722634611652, "port_category": "registered", "org": "Google LLC", "service": "remoteanything", "app_proto": "remoteanything", "asn": 396982, "country": "US", "dst_port": 4000, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 2, "anomaly_count": 0, "campaign_key": "36ae3f4c8cacdf1ea47fa080288c7f9a84dcfd7f", "event_fingerprint": "7efabdbca5bf0f016f426b45f2c65d538f330e51", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "remoteanything", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e6d7edf87232827d2ae86a80da1bf75b", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4000, "service": "remoteanything", "service_name": "remoteanything", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffdz\ufffd\u0010\ufffd\ufffd\u0006M\u0000Q\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-mJ\ufffd\ufffd\u0013F\uffd6V\ufffd\ufffd] \ufffd\ufffd\ufffd\bJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0010}\u01c3\u001f\ufffd?\ufffd\ufffd\u06e9\u001a;\u0000R\ufffdf6A\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffdz\ufffd\u0010\ufffd\ufffd\u0006M\u0000Q\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-mJ\ufffd\ufffd\u0013F\uffd6V\ufffd\ufffd] \ufffd\ufffd\ufffd\bJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0010}\u01c3\u001f\ufffd?\ufffd\ufffd\u06e9\u001a;\u0000R\ufffdf6A\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 J\ufffd\ufffdZr\u0014\\r\\\ufffd\b:,\ufffdY\ufffd?\ufffd\ufffd\ufffdx\ufffd\ufffdjv\ufffd\ufffd\ufffd\ufffd\ufffdd,", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffdz\ufffd\u0010\ufffd\ufffd\u0006M\u0000Q\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-mJ\ufffd\ufffd\u0013F\uffd6V\ufffd\ufffd] \ufffd\ufffd\ufffd\bJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0010}\u01c3\u001f\ufffd?\ufffd\ufffd\u06e9\u001a;\u0000R\ufffdf6A\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1eeb174b82345aa01f0c7926d594faca915268aa", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffdz\ufffd\u0010\ufffd\ufffd\u0006M\u0000Q\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-mJ\ufffd\ufffd\u0013F\uffd6V\ufffd\ufffd] \ufffd\ufffd\ufffd\bJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0010}\u01c3\u001f\ufffd?\ufffd\ufffd\u06e9\u001a;\u0000R\ufffdf6A\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffdMQ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-mJ\ufffd\ufffdF\uffd6V\ufffd\ufffd] \ufffd\ufffd\ufffdJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;}\u01c3\ufffd?\ufffd\ufffd\u06e9;R\ufffdf6A\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via REMOTEANYTHING:4000 \u00b7 (reconnaissance)", "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via REMOTEANYTHING \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "remoteanything", "service_label_fr": "REMOTEANYTHING", "dst_port": 4000, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-remoteanything", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0002\ufffdz\ufffd\u0010\ufffd\ufffd\u0006M\u0000Q\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-mJ\ufffd\ufffd\u0013F\uffd6V\ufffd\ufffd] \ufffd\ufffd\ufffd\bJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;\u0010}\u01c3\u001f\ufffd?\ufffd\ufffd\u06e9\u001a;\u0000R\ufffdf6A\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4000, "service": "remoteanything", "service_label_fr": "REMOTEANYTHING" }, "attack_vector": "port scan syn \u00b7 via REMOTEANYTHING:4000 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\ufffdMQ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd-mJ\ufffd\ufffdF\uffd6V\ufffd\ufffd] \ufffd\ufffd\ufffdJ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd;}\u01c3\ufffd?\ufffd\ufffd\u06e9;R\ufffdf6A\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "4000 \u00b7 REMOTEANYTHING", "emulator_service": "remoteanything", "confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "remoteanything", "service_banner": "honeypot-remoteanything", "service_os": "linux", "dst_port": "4000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 133, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 133, "scan_velocity_ports_per_s": 77.14, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	9005 · TLS	tls	Scan de ports port scan syn · via TLS:9005 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9005 Chemin / cible — Service TLS Payload ��J�:��)�F�j��4��x��$z �'Vg籘��rLcR��3,��>I��K�� &�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��J�:��)�F�j��4��x��$z �'Vg籘��rLcR��3,��>I��K��&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��J�:��)�F�j��4��x��$z �'Vg籘��rLcR��3,��>I��K�� &�+�/�,�0̨̩� �� /5� w �+3&$ Jk��B0P��Aޒ�}3�3s�O� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.821365936414043, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 9005, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 3.8, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "01ede1674de7ad0b9d2d00100f01f49f509b7174", "event_fingerprint": "f31b8770ff5a5a84121c9f92c8028b72b5180ec2", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "cf6ed4a16561e25fdee866826984138d", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9005, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdJ\ufffd\u0019\u0010:\ufffd\ufffd\u0010\ufffd)\ufffdF\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd4\ufffd\u0013\ufffd\ufffdx\ufffd\ufffd\ufffd$\u0017z \ufffd'Vg\u7c58\ufffd\ufffdrLcR\ufffd\ufffd3,\ufffd\ufffd\ufffd\ufffd\u000e>I\ufffd\ufffdK\ufffd\ufffd\u000b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdJ\ufffd\u0019\u0010:\ufffd\ufffd\u0010\ufffd)\ufffdF\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd4\ufffd\u0013\ufffd\ufffdx\ufffd\ufffd\ufffd$\u0017z \ufffd'Vg\u7c58\ufffd\ufffdrLcR\ufffd\ufffd3,\ufffd\ufffd\ufffd\ufffd\u000e>I\ufffd\ufffdK\ufffd\ufffd\u000b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 Jk\ufffd\u0016\ufffd\ufffd\ufffdB0P\ufffd\u0001\ufffd\ufffd\ufffd\u0002\u001bA\u0792\ufffd}3\ufffd3s\ufffdO\ufffd\u0000", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdJ\ufffd\u0019\u0010:\ufffd\ufffd\u0010\ufffd)\ufffdF\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd4\ufffd\u0013\ufffd\ufffdx\ufffd\ufffd\ufffd$\u0017z \ufffd'Vg\u7c58\ufffd\ufffdrLcR\ufffd\ufffd3,\ufffd\ufffd\ufffd\ufffd\u000e>I\ufffd\ufffdK\ufffd\ufffd\u000b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7594abb872e28a600ed91541ebc3e786d0db135c", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdJ\ufffd\u0019\u0010:\ufffd\ufffd\u0010\ufffd)\ufffdF\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd4\ufffd\u0013\ufffd\ufffdx\ufffd\ufffd\ufffd$\u0017z \ufffd'Vg\u7c58\ufffd\ufffdrLcR\ufffd\ufffd3,\ufffd\ufffd\ufffd\ufffd\u000e>I\ufffd\ufffdK\ufffd\ufffd\u000b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9005, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdJ\ufffd:\ufffd\ufffd\ufffd)\ufffdF\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd4\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd$z \ufffd'Vg\u7c58\ufffd\ufffdrLcR\ufffd\ufffd3,\ufffd\ufffd\ufffd\ufffd>I\ufffd\ufffdK\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:9005 \u00b7 (reconnaissance)", "target_port_label": "9005 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 9005, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdJ\ufffd\u0019\u0010:\ufffd\ufffd\u0010\ufffd)\ufffdF\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd4\ufffd\u0013\ufffd\ufffdx\ufffd\ufffd\ufffd$\u0017z \ufffd'Vg\u7c58\ufffd\ufffdrLcR\ufffd\ufffd3,\ufffd\ufffd\ufffd\ufffd\u000e>I\ufffd\ufffdK\ufffd\ufffd\u000b\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9005, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:9005 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffdJ\ufffd:\ufffd\ufffd\ufffd)\ufffdF\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffd4\ufffd\ufffd\ufffdx\ufffd\ufffd\ufffd$z \ufffd'Vg\u7c58\ufffd\ufffdrLcR\ufffd\ufffd3,\ufffd\ufffd\ufffd\ufffd>I\ufffd\ufffdK\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9005 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "9005" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 134, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 134, "scan_velocity_ports_per_s": 77.43, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	4002 · TLS	tls	Scan de ports port scan syn · via TLS:4002 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4002 Chemin / cible — Service TLS Payload ��}�Hh޿�ª�k��ෛ��}��r�ez��`n �-��D�7�=�d� ��)�� wvgc�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification :* Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��}�Hh޿�ª�k��ෛ��}��r�ez��`n �-��D�7�=�d��)��wvgc�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��}�Hh޿�ª�k��ෛ��}��r�ez��`n �-��D�7�=�d� ��)�� wvgc�&�+�/�,�0̨̩� �� /5� w �+3&$ ��I�^e��Q)c�}��= Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.836847560384411, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 4002, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.9, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "976d20c6e128606f77b2b5d6e554959496275ac4", "event_fingerprint": "aaf6e4bb9ee93c8d4bb26d71b3b0680593b2049f", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "ac0f349ae8010f897853159fd3f5a615", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4002, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffdHh\u07bf\ufffd\u00aa\ufffdk\ufffd\ufffd\ufffd\u0ddb\ufffd\ufffd}\ufffd\ufffdr\ufffdez\ufffd\ufffd`n \ufffd-\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u001bD\ufffd\u00057\ufffd=\ufffdd\ufffd\f\ufffd\ufffd)\ufffd\ufffd\f\u0003wvgc\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffdHh\u07bf\ufffd\u00aa\ufffdk\ufffd\ufffd\ufffd\u0ddb\ufffd\ufffd}\ufffd\ufffdr\ufffdez\ufffd\ufffd`n \ufffd-\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u001bD\ufffd\u00057\ufffd=\ufffdd\ufffd\f\ufffd\ufffd)\ufffd\ufffd\f\u0003wvgc\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdI\ufffd^e\ufffd\ufffd\ufffd\ufffd\u0006\u0015\ufffdQ)\u0002\u0010\u000fc\u0014\ufffd}\ufffd\ufffd\ufffd\u0016\u0018\ufffd=", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffdHh\u07bf\ufffd\u00aa\ufffdk\ufffd\ufffd\ufffd\u0ddb\ufffd\ufffd}\ufffd\ufffdr\ufffdez\ufffd\ufffd`n \ufffd-\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u001bD\ufffd\u00057\ufffd=\ufffdd\ufffd\f\ufffd\ufffd)\ufffd\ufffd\f\u0003wvgc\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d3c78d1bde5d161f2a958f9334b55ef17c06364d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffdHh\u07bf\ufffd\u00aa\ufffdk\ufffd\ufffd\ufffd\u0ddb\ufffd\ufffd}\ufffd\ufffdr\ufffdez\ufffd\ufffd`n \ufffd-\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u001bD\ufffd\u00057\ufffd=\ufffdd\ufffd\f\ufffd\ufffd)\ufffd\ufffd\f\u0003wvgc\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4002, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd}\ufffdHh\u07bf\ufffd\u00aa\ufffdk\ufffd\ufffd\ufffd\u0ddb\ufffd\ufffd}\ufffd\ufffdr\ufffdez\ufffd\ufffd`n \ufffd-\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffd7\ufffd=\ufffdd\ufffd\ufffd\ufffd)\ufffd\ufffdwvgc\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:4002 \u00b7 (reconnaissance)", "target_port_label": "4002 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 4002, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003}\ufffdHh\u07bf\ufffd\u00aa\ufffdk\ufffd\ufffd\ufffd\u0ddb\ufffd\ufffd}\ufffd\ufffdr\ufffdez\ufffd\ufffd`n \ufffd-\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\u001bD\ufffd\u00057\ufffd=\ufffdd\ufffd\f\ufffd\ufffd)\ufffd\ufffd\f\u0003wvgc\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4002, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:4002 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd}\ufffdHh\u07bf\ufffd\u00aa\ufffdk\ufffd\ufffd\ufffd\u0ddb\ufffd\ufffd}\ufffd\ufffdr\ufffdez\ufffd\ufffd`n \ufffd-\ufffd\ufffd\ufffd\ufffd\ufffdD\ufffd7\ufffd*=\ufffdd\ufffd\ufffd\ufffd)\ufffd\ufffdwvgc\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "4002 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "4002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 134, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 134, "scan_velocity_ports_per_s": 77.14, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	4100 · TLS	tls	Scan de ports port scan syn · via TLS:4100 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4100 Chemin / cible — Service TLS Payload ��W��5��v��ġW@�e��u諹 C�Vi�/�NR�y�D �sc�ME�̵j^&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��W��5��v��ġW@�e��u諹 C�Vi�/�NR�y�D �sc�ME�̵j^&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��W��5��v��ġW@�e��u諹 C�Vi�/�NR�y�D �sc�ME�̵j^&�+�/�,�0̨̩� �� /5� w �+3&$ ��\|B32/.x\�BF�'��C�st�e��\ Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.8156088918642315, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 4100, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "703d8b821972a1ace9adbcf6fcd0e8920d590ff2", "event_fingerprint": "e32ee28180105964666e103d7a2bcf52516e66d1", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "1d7b33d0e4ab816147f3953af6d0e92b", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4100, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd5\ufffd\u001e\ufffdv\ufffd\ufffd\u0004\u0121W@\ufffde\ufffd\ufffd\ufffdu\u000e\u8af9\r \u0006C\u0001\ufffdVi\ufffd\/\ufffd\u0017NR\ufffdy\ufffdD\n\u0014\ufffds\u000ec\u0012\ufffdME\ufffd\u0335j^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd5\ufffd\u001e\ufffdv\ufffd\ufffd\u0004\u0121W@\ufffde\ufffd\ufffd\ufffdu\u000e\u8af9\r \u0006C\u0001\ufffdVi\ufffd\/\ufffd\u0017NR\ufffdy\ufffdD\n\u0014\ufffds\u000ec\u0012\ufffdME\ufffd\u0335j^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd\|B3\u00142\/\u0001.x\\\ufffdBF\u001d\ufffd'\ufffd\ufffdC\ufffdst\ufffde\ufffd\ufffd\\", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd5\ufffd\u001e\ufffdv\ufffd\ufffd\u0004\u0121W@\ufffde\ufffd\ufffd\ufffdu\u000e\u8af9\r \u0006C\u0001\ufffdVi\ufffd\/\ufffd\u0017NR\ufffdy\ufffdD\n\u0014\ufffds\u000ec\u0012\ufffdME\ufffd\u0335j^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9b9629e44ddcec806157dbeb0e85ea2066f382d1", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd5\ufffd\u001e\ufffdv\ufffd\ufffd\u0004\u0121W@\ufffde\ufffd\ufffd\ufffdu\u000e\u8af9\r \u0006C\u0001\ufffdVi\ufffd\/\ufffd\u0017NR\ufffdy\ufffdD\n\u0014\ufffds\u000ec\u0012\ufffdME\ufffd\u0335j^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4100, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd5\ufffd\ufffdv\ufffd\ufffd\u0121W@\ufffde\ufffd\ufffd\ufffdu\u8af9\r C\ufffdVi\ufffd\/\ufffdNR\ufffdy\ufffdD\n\ufffdsc\ufffdME\ufffd\u0335j^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:4100 \u00b7 (reconnaissance)", "target_port_label": "4100 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 4100, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd5\ufffd\u001e\ufffdv\ufffd\ufffd\u0004\u0121W@\ufffde\ufffd\ufffd\ufffdu\u000e\u8af9\r \u0006C\u0001\ufffdVi\ufffd\/\ufffd\u0017NR\ufffdy\ufffdD\n\u0014\ufffds\u000ec\u0012\ufffdME\ufffd\u0335j^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4100, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:4100 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffd\ufffd5\ufffd\ufffdv\ufffd\ufffd\u0121W@\ufffde\ufffd\ufffd\ufffdu\u8af9\r C\ufffdVi\ufffd\/\ufffdNR\ufffdy\ufffdD\n\ufffdsc\ufffdME\ufffd\u0335j^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "4100 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "4100" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 134, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 134, "scan_velocity_ports_per_s": 76.86, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	9006 · TLS	tls	Scan de ports port scan syn · via TLS:9006 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9006 Chemin / cible — Service TLS Payload ��{��~��E�9��6�M��F�<�<(�� q��:�^%F`�W�F�G�ҡ;�0h��#&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��{��~��E�9��6�M��F�<�<(�� q��:�^%F`�W�F�G�ҡ;�0h��#&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��{��~��E�9��6�M��F�<�<(�� q��:�^%F`�W�F�G�ҡ;�0h��#&�+�/�,�0̨̩� �� /5� w �+3&$ ��@�k�z [ź�qh��\|d��>��C�U Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.886407448738126, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 9006, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "153996c70c98d2a5e02aaa15130cf2af6504bdd7", "event_fingerprint": "e22d642159a01268707bf8073ef2813d7879c33c", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "1e57a6b3164546a3450b0c26c2c4c90d", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9006, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffd\ufffd~\ufffd\ufffdE\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdM\ufffd\ufffdF\ufffd<\ufffd\u0015<(\ufffd\ufffd\ufffd \ufffd\u0015q\ufffd\u0016\ufffd\u0003:\ufffd^%\u000eF`\ufffdW\ufffdF\ufffdG\ufffd\u04a1;\ufffd0h\ufffd\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffd\ufffd~\ufffd\ufffdE\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdM\ufffd\ufffdF\ufffd<\ufffd\u0015<(\ufffd\ufffd\ufffd \ufffd\u0015q\ufffd\u0016\ufffd\u0003:\ufffd^%\u000eF`\ufffdW\ufffdF\ufffdG\ufffd\u04a1;\ufffd0h\ufffd\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd@\ufffdk\ufffd\u0002z [\u017a\ufffdq\u0000h\ufffd\ufffd\ufffd\|d\u001e\ufffd\ufffd>\ufffd\ufffd\ufffdC\ufffdU", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffd\ufffd~\ufffd\ufffdE\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdM\ufffd\ufffdF\ufffd<\ufffd\u0015<(\ufffd\ufffd\ufffd \ufffd\u0015q\ufffd\u0016\ufffd\u0003:\ufffd^%\u000eF`\ufffdW\ufffdF\ufffdG\ufffd\u04a1;\ufffd0h\ufffd\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3125cc6a9b8543796544ba4d0690d229996cd5b1", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffd\ufffd~\ufffd\ufffdE\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdM\ufffd\ufffdF\ufffd<\ufffd\u0015<(\ufffd\ufffd\ufffd \ufffd\u0015q\ufffd\u0016\ufffd\u0003:\ufffd^%\u000eF`\ufffdW\ufffdF\ufffdG\ufffd\u04a1;\ufffd0h\ufffd\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9006, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd{\ufffd\ufffd~\ufffd\ufffdE\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdM\ufffd\ufffdF\ufffd<\ufffd<(\ufffd\ufffd\ufffd \ufffdq\ufffd\ufffd:\ufffd^%F`\ufffdW\ufffdF\ufffdG\ufffd\u04a1;\ufffd0h\ufffd\ufffd\ufffd#&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:9006 \u00b7 (reconnaissance)", "target_port_label": "9006 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 9006, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003{\ufffd\ufffd~\ufffd\ufffdE\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdM\ufffd\ufffdF\ufffd<\ufffd\u0015<(\ufffd\ufffd\ufffd \ufffd\u0015q\ufffd\u0016\ufffd\u0003:\ufffd^%\u000eF`\ufffdW\ufffdF\ufffdG\ufffd\u04a1;\ufffd0h\ufffd\ufffd\ufffd#\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9006, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:9006 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd{\ufffd\ufffd~\ufffd\ufffdE\ufffd9\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffdM\ufffd\ufffdF\ufffd<\ufffd<(\ufffd\ufffd\ufffd \ufffdq\ufffd\ufffd:\ufffd^%F`\ufffdW\ufffdF\ufffdG\ufffd\u04a1;\ufffd0h\ufffd\ufffd\ufffd#&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9006 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "9006" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 135, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 135, "scan_velocity_ports_per_s": 77.14, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	9008 · TLS	tls	Scan de ports port scan syn · via TLS:9008 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags net_port_scan_fast tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9008 Chemin / cible — Service TLS Payload ��CQ��vvZ�_�V)��=� ?W�3��m� �5}.&�#�-m��.G[�AB�T��Dl�OͿ&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��CQ��vvZ�_�V)��=�?W�3��m� �5}.&�#�-m��.G[�AB�T��Dl�OͿ&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��CQ��vvZ�_�V)��=� ?W�3��m� �5}.&�#�-m��.G[�AB�T��Dl�OͿ&�+�/�,�0̨̩� �� /5� w �+3&$ SK [N��&�<�{寧�YԘH��<+�g��n Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 239, "payload_entropy": 5.914151230710649, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 9008, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "ca63aea7641560e826430642e28da119a63e73f6", "event_fingerprint": "d17f357aeb1eaa632c60c56975a0f8d4d5f5f1ae", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "b4002d2992027b7981eb82028488b685", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 9008, "service": "tls", "service_name": "tls", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003CQ\ufffd\ufffd\ufffdvv\u0005Z\ufffd_\ufffdV)\ufffd\ufffd\ufffd=\ufffd\f?W\u001c\u0018\ufffd3\ufffd\u00ad\ufffdm\ufffd \ufffd5}\u0010.&\ufffd#\ufffd-\u0002m\ufffd\ufffd.\u0011G[\ufffdAB\ufffdT\u0017\ufffd\ufffdDl\ufffdO\u037f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003CQ\ufffd\ufffd\ufffdvv\u0005Z\ufffd_\ufffdV)\ufffd\ufffd\ufffd=\ufffd\f?W\u001c\u0018\ufffd3\ufffd\u00ad\ufffdm\ufffd \ufffd5}\u0010.&\ufffd#\ufffd-\u0002m\ufffd\ufffd.\u0011G[\ufffdAB\ufffdT\u0017\ufffd\ufffdDl\ufffdO\u037f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 SK\f[N\ufffd\ufffd&\u0014\ufffd\u0007<\ufffd{\uf95f\ufffdY\u000e\u0518H\ufffd\ufffd<+\ufffdg\ufffd\ufffdn", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003CQ\ufffd\ufffd\ufffdvv\u0005Z\ufffd_\ufffdV)\ufffd\ufffd\ufffd=\ufffd\f?W\u001c\u0018\ufffd3\ufffd\u00ad\ufffdm\ufffd \ufffd5}\u0010.&\ufffd#\ufffd-\u0002m\ufffd\ufffd.\u0011G[\ufffdAB\ufffdT\u0017\ufffd\ufffdDl\ufffdO\u037f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "33375b7460a4b246635c822c724fec6de04f43a2", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003CQ\ufffd\ufffd\ufffdvv\u0005Z\ufffd_\ufffdV)\ufffd\ufffd\ufffd=\ufffd\f?W\u001c\u0018\ufffd3\ufffd\u00ad\ufffdm\ufffd \ufffd5}\u0010.&\ufffd#\ufffd-\u0002m\ufffd\ufffd.\u0011G[\ufffdAB\ufffdT\u0017\ufffd\ufffdDl\ufffdO\u037f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9008, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdCQ\ufffd\ufffd\ufffdvvZ\ufffd_\ufffdV)\ufffd\ufffd\ufffd=\ufffd?W\ufffd3\ufffd\u00ad\ufffdm\ufffd \ufffd5}.&\ufffd#\ufffd-m\ufffd\ufffd.G[\ufffdAB\ufffdT\ufffd\ufffdDl\ufffdO\u037f&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via TLS:9008 \u00b7 (reconnaissance)", "target_port_label": "9008 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 9008, "protocol_emulated": null, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003CQ\ufffd\ufffd\ufffdvv\u0005Z\ufffd_\ufffdV)\ufffd\ufffd\ufffd=\ufffd\f?W\u001c\u0018\ufffd3\ufffd\u00ad\ufffdm\ufffd \ufffd5}\u0010.&\ufffd#\ufffd-\u0002m\ufffd\ufffd.\u0011G[\ufffdAB\ufffdT\u0017\ufffd\ufffdDl\ufffdO\u037f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 9008, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "port scan syn \u00b7 via TLS:9008 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdCQ\ufffd\ufffd\ufffdvvZ\ufffd_\ufffdV)\ufffd\ufffd\ufffd=\ufffd?W\ufffd3\ufffd\u00ad\ufffdm\ufffd \ufffd5}.&\ufffd#\ufffd-m\ufffd\ufffd.G[\ufffdAB\ufffdT\ufffd\ufffdDl\ufffdO\u037f&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "9008 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "9008" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 136, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 136, "scan_velocity_ports_per_s": 77.44, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "net_port_scan_fast", "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	4567 · AWS ECS AGENT	aws-ecs-agent	Scan de ports port scan syn · via AWS ECS AGENT:4567 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur AWS-ECS-AGENT WAF — Recommandation Surveiller Tags aws_ecs_agent_emulated aws_ecs_agent_payload net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4567 Chemin / cible — Service AWS ECS AGENT Payload ��\|��]~�Q�/N�kn��9+��AKU� �^(��0?dl9�8Zr]/��qC�OⲰ�&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 4 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��\|��]~�Q�/N�kn��9+��AKU� �^(��0?dl9�8Zr]/��qC�OⲰ�&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��\|��]~�Q�/N�kn��9+��AKU� �^(��0?dl9�8Zr]/��qC�OⲰ�&�+�/�,�0̨̩� �� /5� w �+3&$ 8(��l��?fe�M;2��0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74206177735f6563735f6167656e7420726561647920706f72743d343536370d0a", "emulator_response_len": 44, "bytes_in": 239, "payload_entropy": 5.768012700113949, "port_category": "registered", "org": "Google LLC", "service": "aws-ecs-agent", "app_proto": "aws-ecs-agent", "asn": 396982, "country": "US", "dst_port": 4567, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 4, "anomaly_count": 0, "campaign_key": "6f8dd10dc41490209661cfc03304fd62cb611017", "event_fingerprint": "c6397497acebeb3231ed85d5db13c626b10bb1b4", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "aws-ecs-agent", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c88505239e626d8c2d3d990b23548c92", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4567, "service": "aws-ecs-agent", "service_name": "aws-ecs-agent", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\|\ufffd\ufffd\b\ufffd\ufffd]~\ufffdQ\ufffd\b\/N\ufffdk\u0016n\ufffd\ufffd9\u0007+\ufffd\ufffd\ufffd\u0007AKU\ufffd \u0001\ufffd^(\ufffd\ufffd\ufffd\ufffd\ufffd0?dl9\u0003\ufffd8Zr]\/\ufffd\ufffdqC\ufffdO\u2cb0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\|\ufffd\ufffd\b\ufffd\ufffd]~\ufffdQ\ufffd\b\/N\ufffdk\u0016n\ufffd\ufffd9\u0007+\ufffd\ufffd\ufffd\u0007AKU\ufffd \u0001\ufffd^(\ufffd\ufffd\ufffd\ufffd\ufffd0?dl9\u0003\ufffd8Zr]\/\ufffd\ufffdqC\ufffdO\u2cb0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 8(\ufffd\ufffd\ufffd\u0000l\ufffd\u0012\ufffd\ufffd\u001d\u000f\ufffd?\bf\u0013e\u0016\ufffdM;2\ufffd\ufffd\ufffd\ufffd0", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\|\ufffd\ufffd\b\ufffd\ufffd]~\ufffdQ\ufffd\b\/N\ufffdk\u0016n\ufffd\ufffd9\u0007+\ufffd\ufffd\ufffd\u0007AKU\ufffd \u0001\ufffd^(\ufffd\ufffd\ufffd\ufffd\ufffd0?dl9\u0003\ufffd8Zr]\/\ufffd\ufffdqC\ufffdO\u2cb0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f42ef111ce8ea75a077b29e448477cc01b12e8dc", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\|\ufffd\ufffd\b\ufffd\ufffd]~\ufffdQ\ufffd\b\/N\ufffdk\u0016n\ufffd\ufffd9\u0007+\ufffd\ufffd\ufffd\u0007AKU\ufffd \u0001\ufffd^(\ufffd\ufffd\ufffd\ufffd\ufffd0?dl9\u0003\ufffd8Zr]\/\ufffd\ufffdqC\ufffdO\u2cb0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4567, "service": "aws-ecs-agent", "service_label_fr": "AWS ECS AGENT" }, "evidence_snippet": "\ufffd\ufffd\ufffd\|\ufffd\ufffd\ufffd\ufffd]~\ufffdQ\ufffd\/N\ufffdkn\ufffd\ufffd9+\ufffd\ufffd\ufffdAKU\ufffd \ufffd^(\ufffd\ufffd\ufffd\ufffd\ufffd0?dl9\ufffd8Zr]\/\ufffd\ufffdqC\ufffdO\u2cb0\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via AWS ECS AGENT:4567 \u00b7 (reconnaissance)", "target_port_label": "4567 \u00b7 AWS ECS AGENT", "emulator_service": "aws-ecs-agent", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via AWS ECS AGENT \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "aws-ecs-agent", "service_label_fr": "AWS ECS AGENT", "dst_port": 4567, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-aws-ecs-agent", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\|\ufffd\ufffd\b\ufffd\ufffd]~\ufffdQ\ufffd\b\/N\ufffdk\u0016n\ufffd\ufffd9\u0007+\ufffd\ufffd\ufffd\u0007AKU\ufffd \u0001\ufffd^(\ufffd\ufffd\ufffd\ufffd\ufffd0?dl9\u0003\ufffd8Zr]\/\ufffd\ufffdqC\ufffdO\u2cb0\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4567, "service": "aws-ecs-agent", "service_label_fr": "AWS ECS AGENT" }, "attack_vector": "port scan syn \u00b7 via AWS ECS AGENT:4567 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffd\ufffd\|\ufffd\ufffd\ufffd\ufffd]~\ufffdQ\ufffd\/N\ufffdkn\ufffd\ufffd9+\ufffd\ufffd\ufffdAKU\ufffd \ufffd^(\ufffd\ufffd\ufffd\ufffd\ufffd0?dl9\ufffd8Zr]\/\ufffd\ufffdqC\ufffdO\u2cb0\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "4567 \u00b7 AWS ECS AGENT", "emulator_service": "aws-ecs-agent", "confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "aws_ecs_agent", "service_banner": "honeypot-aws-ecs-agent", "service_os": "linux", "dst_port": "4567" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 136, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 136, "scan_velocity_ports_per_s": 77.15, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "aws_ecs_agent_emulated", "aws_ecs_agent_payload", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }
13/06/2026 19:19:56 UTC	TCP	4848 · GLASSFISH ADMIN	glassfish-admin	Scan de ports port scan syn · via GLASSFISH ADMIN:4848 · (reconnaissance)	Élevée	Moyen · 42
Étape Reconnaissance Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan rapide multi-ports Campagne multi-ports Multi-protocole corrélé (5 min) MITRE T1046 TA0043 Protocole JA3 19e29534fd49dd27 Émulateur GLASSFISH-ADMIN WAF — Recommandation Surveiller Tags glassfish_emulated net_port_scan_fast tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4848 Chemin / cible — Service GLASSFISH ADMIN Payload ��U��r6��B��~��C>�4� ��]�ykv ��F.Q��I�]�pW��Zp�e��@Iۮ$&�+�/�,�0̨̩� �� /5� w Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100% Confiance classification 100% Corrélation +23 Risque capteur Moyen · 42 Confiance : Confiance 100 % — 3 signal(aux) capteur Protocole émulé 1 Signaux MITRE-T1046 SIGMA-net-port-scan Beh Scan Burst Beh Multi Port 60S Technique MITRE T1046 Tactiques MITRE TA0043 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��U��r6��B��~��C>�4� ��]�ykv ��F.Q��I�]�pW��Zp�e��@Iۮ$&�+�/�,�0̨̩� �� /5� w Requête brute (extrait) ��U��r6��B��~��C>�4� ��]�ykv ��F.Q��I�]�pW��Zp�e��@Iۮ$&�+�/�,�0̨̩� �� /5� w �+3&$ \|cA\|��N�4/�\|�}>�)W٤��,k��TU Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 239, "payload_entropy": 5.8213078442046235, "port_category": "registered", "org": "Google LLC", "service": "glassfish-admin", "app_proto": "glassfish-admin", "asn": 396982, "country": "US", "dst_port": 4848, "risk_waf": 8, "risk_classification": 64, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 42, "tag_count": 3, "anomaly_count": 0, "campaign_key": "ad78d195f76a2b003cf9a20f683bd74bd0977996", "event_fingerprint": "7843788e69cb5dc2139586154e3ccc371dec148b", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 318, "precision_signals": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "kb_rule_ids": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s", "INT-upstream" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "named_classification_skipped": false, "service_name": "glassfish-admin", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f3257a6ec5938a28c9187cabd14595f5", "path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 4848, "service": "glassfish-admin", "service_name": "glassfish-admin", "risk_score": 42 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003U\ufffd\ufffd\ufffd\ufffdr6\ufffd\u0018\u0006\ufffdB\ufffd\ufffd~\ufffd\ufffdC>\ufffd4\u0001\ufffd\n\ufffd\ufffd]\ufffdy\u0005kv \ufffd\u0005\ufffd\ufffd\ufffdF.Q\ufffd\ufffdI\ufffd]\ufffdpW\ufffd\ufffd\ufffd\ufffdZp\ufffde\ufffd\ufffd@I\u06ee$\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003U\ufffd\ufffd\ufffd\ufffdr6\ufffd\u0018\u0006\ufffdB\ufffd\ufffd~\ufffd\ufffdC>\ufffd4\u0001\ufffd\n\ufffd\ufffd]\ufffdy\u0005kv \ufffd\u0005\ufffd\ufffd\ufffdF.Q\ufffd\ufffdI\ufffd]\ufffdpW\ufffd\ufffd\ufffd\ufffdZp\ufffde\ufffd\ufffd@I\u06ee$\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \|cA\|\ufffd\u0010\ufffdN\ufffd4\/\ufffd\|\ufffd}>\ufffd)W\u000f\u0664\ufffd\ufffd,k\ufffd\u0007\u001c\ufffdTU", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003U\ufffd\ufffd\ufffd\ufffdr6\ufffd\u0018\u0006\ufffdB\ufffd\ufffd~\ufffd\ufffdC>\ufffd4\u0001\ufffd\n\ufffd\ufffd]\ufffdy\u0005kv \ufffd\u0005\ufffd\ufffd\ufffdF.Q\ufffd\ufffdI\ufffd]\ufffdpW\ufffd\ufffd\ufffd\ufffdZp\ufffde\ufffd\ufffd@I\u06ee$\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "recon", "mitre_tactics": [ "TA0043" ], "mitre_techniques": [ "T1046" ], "mitre": "T1046", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "43753a160db124c0a9f3bd7553b9dd7aca2d3047", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003U\ufffd\ufffd\ufffd\ufffdr6\ufffd\u0018\u0006\ufffdB\ufffd\ufffd~\ufffd\ufffdC>\ufffd4\u0001\ufffd\n\ufffd\ufffd]\ufffdy\u0005kv \ufffd\u0005\ufffd\ufffd\ufffdF.Q\ufffd\ufffdI\ufffd]\ufffdpW\ufffd\ufffd\ufffd\ufffdZp\ufffde\ufffd\ufffd@I\u06ee$\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4848, "service": "glassfish-admin", "service_label_fr": "GLASSFISH ADMIN" }, "evidence_snippet": "\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffdr6\ufffd\ufffdB\ufffd\ufffd~\ufffd\ufffdC>\ufffd4\ufffd\n\ufffd\ufffd]\ufffdykv \ufffd\ufffd\ufffd\ufffdF.Q\ufffd\ufffdI\ufffd]\ufffdpW\ufffd\ufffd\ufffd\ufffdZp\ufffde\ufffd\ufffd@I\u06ee$&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "attack_vector": "port scan syn \u00b7 via GLASSFISH ADMIN:4848 \u00b7 (reconnaissance)", "target_port_label": "4848 \u00b7 GLASSFISH ADMIN", "emulator_service": "glassfish-admin", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via GLASSFISH ADMIN \u2014 multi-protocole (66 protocoles \u00b7 5 min)", "confidence_pct": 100, "confidence_breakdown": { "waf": 8, "classification": 64, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 42, "correlation_boost": 23 }, "attack_stage": "recon", "attack_stage_label": "Reconnaissance", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 42, "risk_label": "Moyen", "service_name": "glassfish-admin", "service_label_fr": "GLASSFISH ADMIN", "dst_port": 4848, "protocol_emulated": true, "tags_summary": [ "MITRE-T1046", "SIGMA-net-port-scan", "INT-beh-scan-burst", "INT-beh-multi-port-60s" ], "tags_summary_labels_fr": [ "MITRE-T1046", "SIGMA-net-port-scan", "Beh Scan Burst", "Beh Multi Port 60S" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1046", "mitre_technique": "T1046", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-glassfish-admin", "correlation_flags": [ "scan_rapide", "campagne_ports", "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Scan rapide multi-ports", "Campagne multi-ports", "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +23", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003U\ufffd\ufffd\ufffd\ufffdr6\ufffd\u0018\u0006\ufffdB\ufffd\ufffd~\ufffd\ufffdC>\ufffd4\u0001\ufffd\n\ufffd\ufffd]\ufffdy\u0005kv \ufffd\u0005\ufffd\ufffd\ufffdF.Q\ufffd\ufffdI\ufffd]\ufffdpW\ufffd\ufffd\ufffd\ufffdZp\ufffde\ufffd\ufffd@I\u06ee$\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 4848, "service": "glassfish-admin", "service_label_fr": "GLASSFISH ADMIN" }, "attack_vector": "port scan syn \u00b7 via GLASSFISH ADMIN:4848 \u00b7 (reconnaissance)", "evidence_snippet": "\ufffd\ufffdU\ufffd\ufffd\ufffd\ufffdr6\ufffd\ufffdB\ufffd\ufffd~\ufffd\ufffdC>\ufffd4\ufffd\n\ufffd\ufffd]\ufffdykv \ufffd\ufffd\ufffd\ufffdF.Q\ufffd\ufffdI\ufffd]\ufffdpW\ufffd\ufffd\ufffd\ufffdZp\ufffde\ufffd\ufffd@I\u06ee$&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw", "target_port_label": "4848 \u00b7 GLASSFISH ADMIN", "emulator_service": "glassfish-admin", "confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23", "campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": true, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "glassfish_admin", "service_banner": "honeypot-glassfish-admin", "service_os": "linux", "dst_port": "4848" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "port_scan_campaign": true, "port_scan_distinct_ports": 136, "port_scan_ports_sample": [ 81, 82, 83, 84, 85, 88, 554, 591, 1080, 1443, 2000, 2001, 2082, 2083, 2086, 2087 ], "rapid_port_scan": true, "rapid_scan_distinct_ports": 136, "scan_velocity_ports_per_s": 76.86, "multi_category_scan": true, "scan_category_diversity": [ "blockchain", "cloud", "game", "web" ], "multi_protocol_correlation": true, "multi_protocol_count": 66, "multi_protocol_sample": [ "activemq-console", "aws-ecs-agent", "cassandra-jmx", "consul-server", "consul-wan", "couchbase", "couchdb", "cpanel" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "port_scan_campaign", "rapid_port_scan", "multi_category_scan", "multi_protocol_correlation" ], "correlation_confidence_boost": 23, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "glassfish_emulated", "net_port_scan_fast", "tls_clienthello" ], "asn_dc_heuristic": true }

136.112.73.222

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence