|
|
TCP |
8260 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8260 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
��������������������x[�9���K78��?(ß�҂-R�� �H1o���y�����5~r��k�'R�����˵�6�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������������x[�9���K78��?(ß�҂-R�� �H1o���y�����5~r��k�'R�����˵�6�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������������x[�9���K78��?(ß�҂-R�� �H1o���y�����5~r��k�'R�����˵�6�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���\�8_e}��|��}z�ܙ��)���N ¾��
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.849528454819197,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "63078d6f18cf1751dc4fcf365472528190d837ea",
"event_fingerprint": "73e984194c8d37522e0e3314b145e12f5da46517",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "1817d5afca6d014278ac65ae6e196c74",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffd\u0005\b\ufffd\ufffd\ufffd\ufffd\ufffdx[\ufffd9\ufffd\ufffd\ufffdK78\ufffd\ufffd?(\u00df\ufffd\u0482-R\ufffd\ufffd \ufffdH1o\ufffd\u0015\ufffdy\b\ufffd\ufffd\ufffd\ufffd5~r\ufffd\u0016k\ufffd'R\ufffd\ufffd\ufffd\ufffd\ufffd\u02f5\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffd\u0005\b\ufffd\ufffd\ufffd\ufffd\ufffdx[\ufffd9\ufffd\ufffd\ufffdK78\ufffd\ufffd?(\u00df\ufffd\u0482-R\ufffd\ufffd \ufffdH1o\ufffd\u0015\ufffdy\b\ufffd\ufffd\ufffd\ufffd5~r\ufffd\u0016k\ufffd'R\ufffd\ufffd\ufffd\ufffd\ufffd\u02f5\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u0013\\\ufffd8_e}\ufffd\ufffd|\ufffd\ufffd}z\ufffd\u0719\ufffd\ufffd)\ufffd\ufffd\ufffdN\r\u00be\ufffd\u0018\n",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffd\u0005\b\ufffd\ufffd\ufffd\ufffd\ufffdx[\ufffd9\ufffd\ufffd\ufffdK78\ufffd\ufffd?(\u00df\ufffd\u0482-R\ufffd\ufffd \ufffdH1o\ufffd\u0015\ufffdy\b\ufffd\ufffd\ufffd\ufffd5~r\ufffd\u0016k\ufffd'R\ufffd\ufffd\ufffd\ufffd\ufffd\u02f5\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "408771365365dfb6c58cfb946cb3d02cf914533a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffd\u0005\b\ufffd\ufffd\ufffd\ufffd\ufffdx[\ufffd9\ufffd\ufffd\ufffdK78\ufffd\ufffd?(\u00df\ufffd\u0482-R\ufffd\ufffd \ufffdH1o\ufffd\u0015\ufffdy\b\ufffd\ufffd\ufffd\ufffd5~r\ufffd\u0016k\ufffd'R\ufffd\ufffd\ufffd\ufffd\ufffd\u02f5\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdx[\ufffd9\ufffd\ufffd\ufffdK78\ufffd\ufffd?(\u00df\ufffd\u0482-R\ufffd\ufffd \ufffdH1o\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffd5~r\ufffdk\ufffd'R\ufffd\ufffd\ufffd\ufffd\ufffd\u02f5\ufffd6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8260 \u00b7 (reconnaissance)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\b\ufffd\u0005\b\ufffd\ufffd\ufffd\ufffd\ufffdx[\ufffd9\ufffd\ufffd\ufffdK78\ufffd\ufffd?(\u00df\ufffd\u0482-R\ufffd\ufffd \ufffdH1o\ufffd\u0015\ufffdy\b\ufffd\ufffd\ufffd\ufffd5~r\ufffd\u0016k\ufffd'R\ufffd\ufffd\ufffd\ufffd\ufffd\u02f5\ufffd6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8260 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdx[\ufffd9\ufffd\ufffd\ufffdK78\ufffd\ufffd?(\u00df\ufffd\u0482-R\ufffd\ufffd \ufffdH1o\ufffd\ufffdy\ufffd\ufffd\ufffd\ufffd5~r\ufffdk\ufffd'R\ufffd\ufffd\ufffd\ufffd\ufffd\u02f5\ufffd6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 61.4,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8270 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8270 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8270
Chemin / cible
—
Service
TLS
Payload
������������)f��_v1���y�瓒�XN�����;y�����e U4��B1��:.0 ��0�=.��۽�+�'�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������)f��_v1���y�瓒�XN�����;y�����e U4��B1��:.0
��0�=.��۽�+�'�������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������)f��_v1���y�瓒�XN�����;y�����e U4��B1��:.0 ��0�=.��۽�+�'�������&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ,�{@xH�o9y+Ӝ�4����Y��Ÿ�@����N#
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.829748631085344,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8270,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "57f9cd1166ed30216d2f69322d165ce721b8477e",
"event_fingerprint": "cc16dda502ba90c902e13ab0b444384f9096d560",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "2df2f4cc310219c5b1df6ed35e02e0e6",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8270,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)f\ufffd\u0003_v1\u0000\ufffd\ufffdy\ufffd\u74d2\ufffdXN\ufffd\ufffd\u0017\ufffd\ufffd;y\ufffd\ufffd\ufffd\ufffd\u001ce U4\u001b\ufffdB1\ufffd\u0019:.0\r\u0001\ufffd0\ufffd=.\ufffd\ufffd\u06fd\ufffd+\ufffd'\ufffd\ufffd\u0007\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)f\ufffd\u0003_v1\u0000\ufffd\ufffdy\ufffd\u74d2\ufffdXN\ufffd\ufffd\u0017\ufffd\ufffd;y\ufffd\ufffd\ufffd\ufffd\u001ce U4\u001b\ufffdB1\ufffd\u0019:.0\r\u0001\ufffd0\ufffd=.\ufffd\ufffd\u06fd\ufffd+\ufffd'\ufffd\ufffd\u0007\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 ,\ufffd{@xH\ufffdo9y+\u04dc\ufffd4\ufffd\ufffd\u000f\ufffdY\ufffd\ufffd\u0178\ufffd@\ufffd\ufffd\ufffd\u0007N#",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)f\ufffd\u0003_v1\u0000\ufffd\ufffdy\ufffd\u74d2\ufffdXN\ufffd\ufffd\u0017\ufffd\ufffd;y\ufffd\ufffd\ufffd\ufffd\u001ce U4\u001b\ufffdB1\ufffd\u0019:.0\r\u0001\ufffd0\ufffd=.\ufffd\ufffd\u06fd\ufffd+\ufffd'\ufffd\ufffd\u0007\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9a4ebac9d86d35e57bf9ebc6fb8d70aac0671a73",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)f\ufffd\u0003_v1\u0000\ufffd\ufffdy\ufffd\u74d2\ufffdXN\ufffd\ufffd\u0017\ufffd\ufffd;y\ufffd\ufffd\ufffd\ufffd\u001ce U4\u001b\ufffdB1\ufffd\u0019:.0\r\u0001\ufffd0\ufffd=.\ufffd\ufffd\u06fd\ufffd+\ufffd'\ufffd\ufffd\u0007\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8270,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd)f\ufffd_v1\ufffd\ufffdy\ufffd\u74d2\ufffdXN\ufffd\ufffd\ufffd\ufffd;y\ufffd\ufffd\ufffd\ufffde U4\ufffdB1\ufffd:.0\r\ufffd0\ufffd=.\ufffd\ufffd\u06fd\ufffd+\ufffd'\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8270 \u00b7 (reconnaissance)",
"target_port_label": "8270 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8270,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)f\ufffd\u0003_v1\u0000\ufffd\ufffdy\ufffd\u74d2\ufffdXN\ufffd\ufffd\u0017\ufffd\ufffd;y\ufffd\ufffd\ufffd\ufffd\u001ce U4\u001b\ufffdB1\ufffd\u0019:.0\r\u0001\ufffd0\ufffd=.\ufffd\ufffd\u06fd\ufffd+\ufffd'\ufffd\ufffd\u0007\ufffd\u001a\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8270,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8270 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd)f\ufffd_v1\ufffd\ufffdy\ufffd\u74d2\ufffdXN\ufffd\ufffd\ufffd\ufffd;y\ufffd\ufffd\ufffd\ufffde U4\ufffdB1\ufffd:.0\r\ufffd0\ufffd=.\ufffd\ufffd\u06fd\ufffd+\ufffd'\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8270 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8270"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 61.25,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8282 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8282 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8282
Chemin / cible
—
Service
TLS
Payload
�����������Ο]JD���:�,x��1��O�~;�>� �5��w�K ��yşS�v�yg%��o̽?�� �٬����e�N�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������Ο]JD���:�,x��1��O�~;�>� �5��w�K ��yşS�v�yg%��o̽?����٬����e�N�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������Ο]JD���:�,x��1��O�~;�>� �5��w�K ��yşS�v�yg%��o̽?�� �٬����e�N�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �pږ1�ףv��VwY��o�����aqIPG�xtX
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8348970189938605,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8282,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "388d6457cc60d79b631dbed44a529b3c3e7f44fe",
"event_fingerprint": "3d2feef089d7d081a8e70aaab802f7198f52e743",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "a65080c2e941c7280a762b3f54369f1e",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8282,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u039f]JD\ufffd\u0014\u0011:\ufffd,x\ufffd\ufffd1\ufffd\ufffdO\ufffd~;\ufffd>\ufffd\t\ufffd5\u0000\ufffdw\ufffdK \ufffd\ufffdy\u015fS\ufffdv\ufffdyg%\ufffd\ufffdo\u033d?\ufffd\ufffd\u000b\ufffd\u066c\ufffd\u0001\ufffd\u0017e\ufffdN\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u039f]JD\ufffd\u0014\u0011:\ufffd,x\ufffd\ufffd1\ufffd\ufffdO\ufffd~;\ufffd>\ufffd\t\ufffd5\u0000\ufffdw\ufffdK \ufffd\ufffdy\u015fS\ufffdv\ufffdyg%\ufffd\ufffdo\u033d?\ufffd\ufffd\u000b\ufffd\u066c\ufffd\u0001\ufffd\u0017e\ufffdN\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0007p\u06961\u001d\u05e3v\ufffd\ufffdVwY\u0011\ufffdo\ufffd\ufffd\u001d\ufffd\ufffdaqIPG\ufffdxtX",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u039f]JD\ufffd\u0014\u0011:\ufffd,x\ufffd\ufffd1\ufffd\ufffdO\ufffd~;\ufffd>\ufffd\t\ufffd5\u0000\ufffdw\ufffdK \ufffd\ufffdy\u015fS\ufffdv\ufffdyg%\ufffd\ufffdo\u033d?\ufffd\ufffd\u000b\ufffd\u066c\ufffd\u0001\ufffd\u0017e\ufffdN\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c3cbedb64ef8738287fa90e9ae9542dc28293806",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u039f]JD\ufffd\u0014\u0011:\ufffd,x\ufffd\ufffd1\ufffd\ufffdO\ufffd~;\ufffd>\ufffd\t\ufffd5\u0000\ufffdw\ufffdK \ufffd\ufffdy\u015fS\ufffdv\ufffdyg%\ufffd\ufffdo\u033d?\ufffd\ufffd\u000b\ufffd\u066c\ufffd\u0001\ufffd\u0017e\ufffdN\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8282,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\u039f]JD\ufffd:\ufffd,x\ufffd\ufffd1\ufffd\ufffdO\ufffd~;\ufffd>\ufffd\t\ufffd5\ufffdw\ufffdK \ufffd\ufffdy\u015fS\ufffdv\ufffdyg%\ufffd\ufffdo\u033d?\ufffd\ufffd\ufffd\u066c\ufffd\ufffde\ufffdN&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8282 \u00b7 (reconnaissance)",
"target_port_label": "8282 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8282,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u039f]JD\ufffd\u0014\u0011:\ufffd,x\ufffd\ufffd1\ufffd\ufffdO\ufffd~;\ufffd>\ufffd\t\ufffd5\u0000\ufffdw\ufffdK \ufffd\ufffdy\u015fS\ufffdv\ufffdyg%\ufffd\ufffdo\u033d?\ufffd\ufffd\u000b\ufffd\u066c\ufffd\u0001\ufffd\u0017e\ufffdN\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8282,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8282 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\u039f]JD\ufffd:\ufffd,x\ufffd\ufffd1\ufffd\ufffdO\ufffd~;\ufffd>\ufffd\t\ufffd5\ufffdw\ufffdK \ufffd\ufffdy\u015fS\ufffdv\ufffdyg%\ufffd\ufffdo\u033d?\ufffd\ufffd\ufffd\u066c\ufffd\ufffde\ufffdN&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8282 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8282"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 61.07,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
83 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:83 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
83
Chemin / cible
—
Service
TLS
Payload
���������������]� o��|���T�X���G����x�!��A� �����{*@�����s�wϊ���Xp]��3���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������]��o��|���T�X���G����x�!��A� �����{*@�����s�wϊ���Xp]��3���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
���������������]� o��|���T�X���G����x�!��A� �����{*@�����s�wϊ���Xp]��3���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���)�ƛ��肨��qO�R��,���� �����l
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.883570982088029,
"port_category": "well_known",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 83,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "3457883ab4edca17b0c8d5149e6b5f8032fba09e",
"event_fingerprint": "561b479a71c7bc338d97ecdfb5379523d636ef58",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "356332bb9e97577de71a114c82a050db",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 83,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd]\ufffd\u000bo\ufffd\ufffd|\ufffd\ufffd\ufffdT\ufffdX\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdx\ufffd!\ufffd\ufffdA\ufffd \ufffd\ufffd\ufffd\ufffd\u000f{*@\ufffd\ufffd\ufffd\u0011\ufffds\u001ew\u03ca\ufffd\u0017\ufffdXp]\ufffd\u0099\ufffd3\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd]\ufffd\u000bo\ufffd\ufffd|\ufffd\ufffd\ufffdT\ufffdX\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdx\ufffd!\ufffd\ufffdA\ufffd \ufffd\ufffd\ufffd\ufffd\u000f{*@\ufffd\ufffd\ufffd\u0011\ufffds\u001ew\u03ca\ufffd\u0017\ufffdXp]\ufffd\u0099\ufffd3\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0010\ufffd)\ufffd\u019b\ufffd\ufffd\u80a8\u0006\ufffdqO\ufffdR\ufffd\ufffd,\ufffd\ufffd\u001e\ufffd\r\u0004\ufffd\u000f\ufffd\bl",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd]\ufffd\u000bo\ufffd\ufffd|\ufffd\ufffd\ufffdT\ufffdX\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdx\ufffd!\ufffd\ufffdA\ufffd \ufffd\ufffd\ufffd\ufffd\u000f{*@\ufffd\ufffd\ufffd\u0011\ufffds\u001ew\u03ca\ufffd\u0017\ufffdXp]\ufffd\u0099\ufffd3\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3c46025008bf91f3a30c562158db8dc1d63976a5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd]\ufffd\u000bo\ufffd\ufffd|\ufffd\ufffd\ufffdT\ufffdX\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdx\ufffd!\ufffd\ufffdA\ufffd \ufffd\ufffd\ufffd\ufffd\u000f{*@\ufffd\ufffd\ufffd\u0011\ufffds\u001ew\u03ca\ufffd\u0017\ufffdXp]\ufffd\u0099\ufffd3\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 83,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffdo\ufffd\ufffd|\ufffd\ufffd\ufffdT\ufffdX\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdx\ufffd!\ufffd\ufffdA\ufffd \ufffd\ufffd\ufffd\ufffd{*@\ufffd\ufffd\ufffd\ufffdsw\u03ca\ufffd\ufffdXp]\ufffd\u0099\ufffd3\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:83 \u00b7 (reconnaissance)",
"target_port_label": "83 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 83,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd]\ufffd\u000bo\ufffd\ufffd|\ufffd\ufffd\ufffdT\ufffdX\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdx\ufffd!\ufffd\ufffdA\ufffd \ufffd\ufffd\ufffd\ufffd\u000f{*@\ufffd\ufffd\ufffd\u0011\ufffds\u001ew\u03ca\ufffd\u0017\ufffdXp]\ufffd\u0099\ufffd3\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 83,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:83 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd]\ufffdo\ufffd\ufffd|\ufffd\ufffd\ufffdT\ufffdX\ufffd\ufffd\ufffdG\ufffd\ufffd\ufffd\ufffdx\ufffd!\ufffd\ufffdA\ufffd \ufffd\ufffd\ufffd\ufffd{*@\ufffd\ufffd\ufffd\ufffdsw\u03ca\ufffd\ufffdXp]\ufffd\u0099\ufffd3\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "83 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "83"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 60.81,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8290 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8290 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8290
Chemin / cible
—
Service
TLS
Payload
������������(�����~j���6k��=@�F���1�<�/�+� �v����1 �<���DdI�����Ԥ�)�÷��^�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������(�����~j���6k��=@�F���1�<�/�+� �v����1
�<���DdI�����Ԥ�)�÷��^�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������(�����~j���6k��=@�F���1�<�/�+� �v����1 �<���DdI�����Ԥ�)�÷��^�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� � S� ��L����y ��N�X[�����`/=Y4
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.790615810260157,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8290,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "54bcd6b364905ffa4aee19d58856df1655cf5a14",
"event_fingerprint": "1c2f574c27ec1d64b4500dd1ca82a0e9141b04f0",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "656be09e58b87e7c3fb5417f47d953f8",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8290,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\u001a\ufffd\ufffd\ufffd\ufffd~j\ufffd\u000f\ufffd6k\u0014\u0004=@\ufffdF\ufffd\u0003\ufffd1\ufffd<\ufffd\/\u001e+\ufffd \ufffdv\ufffd\u0016\ufffd\ufffd1\n\ufffd<\u0000\ufffd\u000eDdI\ufffd\ufffd\u0001\ufffd\ufffd\u0524\ufffd)\ufffd\u00f7\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\u001a\ufffd\ufffd\ufffd\ufffd~j\ufffd\u000f\ufffd6k\u0014\u0004=@\ufffdF\ufffd\u0003\ufffd1\ufffd<\ufffd\/\u001e+\ufffd \ufffdv\ufffd\u0016\ufffd\ufffd1\n\ufffd<\u0000\ufffd\u000eDdI\ufffd\ufffd\u0001\ufffd\ufffd\u0524\ufffd)\ufffd\u00f7\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\tS\ufffd\r\ufffd\u0000L\u000f\ufffd\ufffd\ufffdy\n\ufffd\ufffdN\ufffdX[\ufffd\u0005\ufffd\ufffd\ufffd`\/=Y4",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\u001a\ufffd\ufffd\ufffd\ufffd~j\ufffd\u000f\ufffd6k\u0014\u0004=@\ufffdF\ufffd\u0003\ufffd1\ufffd<\ufffd\/\u001e+\ufffd \ufffdv\ufffd\u0016\ufffd\ufffd1\n\ufffd<\u0000\ufffd\u000eDdI\ufffd\ufffd\u0001\ufffd\ufffd\u0524\ufffd)\ufffd\u00f7\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2cbcab2d92fd625ea9638bcd81020e22c1e21b22",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\u001a\ufffd\ufffd\ufffd\ufffd~j\ufffd\u000f\ufffd6k\u0014\u0004=@\ufffdF\ufffd\u0003\ufffd1\ufffd<\ufffd\/\u001e+\ufffd \ufffdv\ufffd\u0016\ufffd\ufffd1\n\ufffd<\u0000\ufffd\u000eDdI\ufffd\ufffd\u0001\ufffd\ufffd\u0524\ufffd)\ufffd\u00f7\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8290,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd~j\ufffd\ufffd6k=@\ufffdF\ufffd\ufffd1\ufffd<\ufffd\/+\ufffd \ufffdv\ufffd\ufffd\ufffd1\n\ufffd<\ufffdDdI\ufffd\ufffd\ufffd\ufffd\u0524\ufffd)\ufffd\u00f7\ufffd\ufffd^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8290 \u00b7 (reconnaissance)",
"target_port_label": "8290 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8290,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(\u001a\ufffd\ufffd\ufffd\ufffd~j\ufffd\u000f\ufffd6k\u0014\u0004=@\ufffdF\ufffd\u0003\ufffd1\ufffd<\ufffd\/\u001e+\ufffd \ufffdv\ufffd\u0016\ufffd\ufffd1\n\ufffd<\u0000\ufffd\u000eDdI\ufffd\ufffd\u0001\ufffd\ufffd\u0524\ufffd)\ufffd\u00f7\ufffd\ufffd^\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8290,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8290 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd~j\ufffd\ufffd6k=@\ufffdF\ufffd\ufffd1\ufffd<\ufffd\/+\ufffd \ufffdv\ufffd\ufffd\ufffd1\n\ufffd<\ufffdDdI\ufffd\ufffd\ufffd\ufffd\u0524\ufffd)\ufffd\u00f7\ufffd\ufffd^&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8290 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8290"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 60.63,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8300 · CONSUL SERVER
|
consul-server
|
Scan de ports
port scan syn · via CONSUL SERVER:8300 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
CONSUL-SERVER
WAF
—
Recommandation
Surveiller
Tags
net_flood
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8300
Chemin / cible
—
Service
CONSUL SERVER
Payload
������������)D�������!�����.������IH4I>2�ek �[ٜt��η�;��\9����R�r�Q;�x������&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������)D�������!�����.������IH4I>2�ek �[ٜt��η�;��\9����R�r�Q;�x������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������)D�������!�����.������IH4I>2�ek �[ٜt��η�;��\9����R�r�Q;�x������&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��U5��ۺ,u������W�A�༒\�d�ʢ�q
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.818406852086966,
"port_category": "registered",
"org": "Google LLC",
"service": "consul-server",
"app_proto": "consul-server",
"asn": 396982,
"country": "US",
"dst_port": 8300,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "6fb1dcfb536ed06ac48a5f920174a63054f2ac14",
"event_fingerprint": "e68037b92ba58b835ba3615b495a30586db90f6f",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 293,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "consul-server",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "daa3788d817d49464cf68365222df982",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8300,
"service": "consul-server",
"service_name": "consul-server",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)D\u0014\ufffd\ufffd\u0014\ufffd\ufffd\u001b!\ufffd\u001f\ufffd\u0000\ufffd.\u001a\ufffd\ufffd\ufffd\ufffd\ufffdIH4I>2\ufffdek \ufffd[\u065ct\ufffd\ufffd\u03b7\ufffd;\ufffd\u0016\\9\ufffd\u000e\u001c\ufffdR\ufffdr\u0013Q;\u0015x\u0005\ufffd\ufffd\u001b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)D\u0014\ufffd\ufffd\u0014\ufffd\ufffd\u001b!\ufffd\u001f\ufffd\u0000\ufffd.\u001a\ufffd\ufffd\ufffd\ufffd\ufffdIH4I>2\ufffdek \ufffd[\u065ct\ufffd\ufffd\u03b7\ufffd;\ufffd\u0016\\9\ufffd\u000e\u001c\ufffdR\ufffdr\u0013Q;\u0015x\u0005\ufffd\ufffd\u001b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0006U5\u0004\u0017\u06fa,u\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdW\ufffdA\u0018\u0f12\\\ufffdd\ufffd\u02a2\u0000q",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)D\u0014\ufffd\ufffd\u0014\ufffd\ufffd\u001b!\ufffd\u001f\ufffd\u0000\ufffd.\u001a\ufffd\ufffd\ufffd\ufffd\ufffdIH4I>2\ufffdek \ufffd[\u065ct\ufffd\ufffd\u03b7\ufffd;\ufffd\u0016\\9\ufffd\u000e\u001c\ufffdR\ufffdr\u0013Q;\u0015x\u0005\ufffd\ufffd\u001b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "21fc016a8514dd84f81b4b264e44e90255a536aa",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)D\u0014\ufffd\ufffd\u0014\ufffd\ufffd\u001b!\ufffd\u001f\ufffd\u0000\ufffd.\u001a\ufffd\ufffd\ufffd\ufffd\ufffdIH4I>2\ufffdek \ufffd[\u065ct\ufffd\ufffd\u03b7\ufffd;\ufffd\u0016\\9\ufffd\u000e\u001c\ufffdR\ufffdr\u0013Q;\u0015x\u0005\ufffd\ufffd\u001b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8300,
"service": "consul-server",
"service_label_fr": "CONSUL SERVER"
},
"evidence_snippet": "\ufffd\ufffd\ufffd)D\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\ufffdIH4I>2\ufffdek \ufffd[\u065ct\ufffd\ufffd\u03b7\ufffd;\ufffd\\9\ufffd\ufffdR\ufffdrQ;x\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via CONSUL SERVER:8300 \u00b7 (reconnaissance)",
"target_port_label": "8300 \u00b7 CONSUL SERVER",
"emulator_service": "consul-server",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CONSUL SERVER \u2014 multi-protocole (78 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "consul-server",
"service_label_fr": "CONSUL SERVER",
"dst_port": 8300,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-consul-server",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd)D\u0014\ufffd\ufffd\u0014\ufffd\ufffd\u001b!\ufffd\u001f\ufffd\u0000\ufffd.\u001a\ufffd\ufffd\ufffd\ufffd\ufffdIH4I>2\ufffdek \ufffd[\u065ct\ufffd\ufffd\u03b7\ufffd;\ufffd\u0016\\9\ufffd\u000e\u001c\ufffdR\ufffdr\u0013Q;\u0015x\u0005\ufffd\ufffd\u001b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8300,
"service": "consul-server",
"service_label_fr": "CONSUL SERVER"
},
"attack_vector": "port scan syn \u00b7 via CONSUL SERVER:8300 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd)D\ufffd\ufffd\ufffd\ufffd!\ufffd\ufffd\ufffd.\ufffd\ufffd\ufffd\ufffd\ufffdIH4I>2\ufffdek \ufffd[\u065ct\ufffd\ufffd\u03b7\ufffd;\ufffd\\9\ufffd\ufffdR\ufffdrQ;x\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8300 \u00b7 CONSUL SERVER",
"emulator_service": "consul-server",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "consul_server",
"service_banner": "honeypot-consul-server",
"service_os": "linux",
"dst_port": "8300"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 161,
"port_scan_ports_sample": [
81,
82,
83,
84,
85,
88,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 161,
"scan_velocity_ports_per_s": 60.47,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 78,
"multi_protocol_sample": [
"activemq-console",
"admin-alt",
"aws-ecs-agent",
"cassandra",
"cassandra-jmx",
"clickhouse-native",
"consul-server",
"consul-wan"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_flood",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8081 · HTTP ALT 8081
|
http-alt-8081
|
Scan de ports
port scan syn · via HTTP ALT 8081:8081 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8081
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8081
Chemin / cible
—
Service
HTTP ALT 8081
Payload
�������������$r k�٣�]|�� o?s������nvְ ��vo�+U�̫�������K�F���,�aNl3����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������$r k�٣�]|��
o?s������nvְ ��vo�+U�̫�������K�F���,�aNl3����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������$r k�٣�]|�� o?s������nvְ ��vo�+U�̫�������K�F���,�aNl3����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �����7Ҿ����i���v���T��|gK��I!
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.77095952139465,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8081",
"app_proto": "http-alt-8081",
"asn": 396982,
"country": "US",
"dst_port": 8081,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "cd1d82a6024378b479e220d6725545f6c5258d8d",
"event_fingerprint": "4b8d01bf5e0cd8f05e9c73ead2fc5951c1842a92",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8081",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "be9f8b00761ba2bf74df78bd8f8522c2",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8081,
"service": "http-alt-8081",
"service_name": "http-alt-8081",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\uda23\udfa2\u0011$r\tk\ufffd\u0663\ufffd]|\ufffd\u0006\no?s\ufffd\ufffd\u001c\u0018\ufffd\u0016nv\u05b0 \u001a\ufffdvo\u0006+U\ufffd\u032b\u0010\ufffd\ufffd\ufffd\ufffd\ufffd\u000fK\ufffdF\ufffd\ufffd\ufffd,\ufffdaNl3\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\uda23\udfa2\u0011$r\tk\ufffd\u0663\ufffd]|\ufffd\u0006\no?s\ufffd\ufffd\u001c\u0018\ufffd\u0016nv\u05b0 \u001a\ufffdvo\u0006+U\ufffd\u032b\u0010\ufffd\ufffd\ufffd\ufffd\ufffd\u000fK\ufffdF\ufffd\ufffd\ufffd,\ufffdaNl3\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \n\ufffd\b\ufffd\ufffd\ufffd7\u04be\ufffd\ufffd\ufffd\ufffdi\ufffd\u001d\ufffdv\u0010\ufffd\ufffdT\ufffd\u0015|gK\ufffd\u0016I!",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\uda23\udfa2\u0011$r\tk\ufffd\u0663\ufffd]|\ufffd\u0006\no?s\ufffd\ufffd\u001c\u0018\ufffd\u0016nv\u05b0 \u001a\ufffdvo\u0006+U\ufffd\u032b\u0010\ufffd\ufffd\ufffd\ufffd\ufffd\u000fK\ufffdF\ufffd\ufffd\ufffd,\ufffdaNl3\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "abc6eb9f6316086df11bacc39a90ec4eb22bcb6a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\uda23\udfa2\u0011$r\tk\ufffd\u0663\ufffd]|\ufffd\u0006\no?s\ufffd\ufffd\u001c\u0018\ufffd\u0016nv\u05b0 \u001a\ufffdvo\u0006+U\ufffd\u032b\u0010\ufffd\ufffd\ufffd\ufffd\ufffd\u000fK\ufffdF\ufffd\ufffd\ufffd,\ufffdaNl3\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8081,
"service": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\uda23\udfa2$r\tk\ufffd\u0663\ufffd]|\ufffd\no?s\ufffd\ufffd\ufffdnv\u05b0 \ufffdvo+U\ufffd\u032b\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffdF\ufffd\ufffd\ufffd,\ufffdaNl3\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)",
"target_port_label": "8081 \u00b7 HTTP ALT 8081",
"emulator_service": "http-alt-8081",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8081 \u2014 multi-protocole (50 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081",
"dst_port": 8081,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8081",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\uda23\udfa2\u0011$r\tk\ufffd\u0663\ufffd]|\ufffd\u0006\no?s\ufffd\ufffd\u001c\u0018\ufffd\u0016nv\u05b0 \u001a\ufffdvo\u0006+U\ufffd\u032b\u0010\ufffd\ufffd\ufffd\ufffd\ufffd\u000fK\ufffdF\ufffd\ufffd\ufffd,\ufffdaNl3\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8081,
"service": "http-alt-8081",
"service_label_fr": "HTTP ALT 8081"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8081:8081 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\uda23\udfa2$r\tk\ufffd\u0663\ufffd]|\ufffd\no?s\ufffd\ufffd\ufffdnv\u05b0 \ufffdvo+U\ufffd\u032b\ufffd\ufffd\ufffd\ufffd\ufffdK\ufffdF\ufffd\ufffd\ufffd,\ufffdaNl3\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8081 \u00b7 HTTP ALT 8081",
"emulator_service": "http-alt-8081",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8081",
"service_banner": "honeypot-http-alt-8081",
"service_os": "linux",
"dst_port": "8081"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 80,
"port_scan_ports_sample": [
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379,
2380
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 80,
"scan_velocity_ports_per_s": 75.79,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 50,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker",
"docker-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8082 · HTTP ALT 8082
|
http-alt-8082
|
Scan de ports
port scan syn · via HTTP ALT 8082:8082 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8082
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8082
Chemin / cible
—
Service
HTTP ALT 8082
Payload
�����������zJ�2��ԛ6j�t��E��,�_A: �@���kUH ���HX�#N¦������Q�;��� ��օ}�Y6�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������zJ�2��ԛ6j�t��E��,�_A: �@���kUH ���HX�#N¦������Q�;��� ���օ}�Y6�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������zJ�2��ԛ6j�t��E��,�_A: �@���kUH ���HX�#N¦������Q�;��� ��օ}�Y6�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �x?�e�|{5J`f���A���'@llo���=�X4
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.90047675337115,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8082",
"app_proto": "http-alt-8082",
"asn": 396982,
"country": "US",
"dst_port": 8082,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "84fba105a94fa52fce2a4e0627b6a91e7419756f",
"event_fingerprint": "754fe1c1fd27dff7b9653c1ba3c9f4252e86ae83",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8082",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "1dd26d86819559da04505fd98fe0514a",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8082,
"service": "http-alt-8082",
"service_name": "http-alt-8082",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zJ\u00192\ufffd\ufffd\u051b6j\ufffdt\u001b\ufffdE\ufffd\u0018,\ufffd_A: \ufffd@\ufffd\u001b\u001ckUH \b\ufffd\ufffdHX\ufffd#N\u00a6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd;\ufffd\ufffd\ufffd\t\u000b\ufffd\ufffd\u0585}\ufffdY6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zJ\u00192\ufffd\ufffd\u051b6j\ufffdt\u001b\ufffdE\ufffd\u0018,\ufffd_A: \ufffd@\ufffd\u001b\u001ckUH \b\ufffd\ufffdHX\ufffd#N\u00a6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd;\ufffd\ufffd\ufffd\t\u000b\ufffd\ufffd\u0585}\ufffdY6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdx?\ufffde\ufffd|{5J`f\u001f\ufffd\ufffdA\u0016\ufffd\ufffd'@llo\u0010\ufffd\ufffd=\ufffdX4\n",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zJ\u00192\ufffd\ufffd\u051b6j\ufffdt\u001b\ufffdE\ufffd\u0018,\ufffd_A: \ufffd@\ufffd\u001b\u001ckUH \b\ufffd\ufffdHX\ufffd#N\u00a6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd;\ufffd\ufffd\ufffd\t\u000b\ufffd\ufffd\u0585}\ufffdY6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "57d19276b8229865bca908cb69e512a3bac62451",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zJ\u00192\ufffd\ufffd\u051b6j\ufffdt\u001b\ufffdE\ufffd\u0018,\ufffd_A: \ufffd@\ufffd\u001b\u001ckUH \b\ufffd\ufffdHX\ufffd#N\u00a6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd;\ufffd\ufffd\ufffd\t\u000b\ufffd\ufffd\u0585}\ufffdY6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8082,
"service": "http-alt-8082",
"service_label_fr": "HTTP ALT 8082"
},
"evidence_snippet": "\ufffd\ufffdzJ2\ufffd\ufffd\u051b6j\ufffdt\ufffdE\ufffd,\ufffd_A: \ufffd@\ufffdkUH \ufffd\ufffdHX\ufffd#N\u00a6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd;\ufffd\ufffd\ufffd\t\ufffd\ufffd\u0585}\ufffdY6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8082:8082 \u00b7 (reconnaissance)",
"target_port_label": "8082 \u00b7 HTTP ALT 8082",
"emulator_service": "http-alt-8082",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8082 \u2014 multi-protocole (51 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8082",
"service_label_fr": "HTTP ALT 8082",
"dst_port": 8082,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8082",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003zJ\u00192\ufffd\ufffd\u051b6j\ufffdt\u001b\ufffdE\ufffd\u0018,\ufffd_A: \ufffd@\ufffd\u001b\u001ckUH \b\ufffd\ufffdHX\ufffd#N\u00a6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd;\ufffd\ufffd\ufffd\t\u000b\ufffd\ufffd\u0585}\ufffdY6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8082,
"service": "http-alt-8082",
"service_label_fr": "HTTP ALT 8082"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8082:8082 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdzJ2\ufffd\ufffd\u051b6j\ufffdt\ufffdE\ufffd,\ufffd_A: \ufffd@\ufffdkUH \ufffd\ufffdHX\ufffd#N\u00a6\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdQ\ufffd;\ufffd\ufffd\ufffd\t\ufffd\ufffd\u0585}\ufffdY6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8082 \u00b7 HTTP ALT 8082",
"emulator_service": "http-alt-8082",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8082",
"service_banner": "honeypot-http-alt-8082",
"service_os": "linux",
"dst_port": "8082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 81,
"port_scan_ports_sample": [
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379,
2380
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 81,
"scan_velocity_ports_per_s": 76.21,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 51,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker",
"docker-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8083 · HTTP ALT 8083
|
http-alt-8083
|
Scan de ports
port scan syn · via HTTP ALT 8083:8083 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8083
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8083
Chemin / cible
—
Service
HTTP ALT 8083
Payload
�������������0�8rd�!���4�ˬ�����i��@�zk髅� )а�nwu9��Ye[Xc���68���xI�yNB���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������0�8rd�!���4�ˬ�����i��@�zk髅� )а�nwu9��Ye[Xc���68���xI�yNB���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������0�8rd�!���4�ˬ�����i��@�zk髅� )а�nwu9��Ye[Xc���68���xI�yNB���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����3w��Q+έ����V�E�H����?��(�F
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.875891030638163,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8083",
"app_proto": "http-alt-8083",
"asn": 396982,
"country": "US",
"dst_port": 8083,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "0113b855e5d431e7bddfbfbfa2fc76ac9c48ff75",
"event_fingerprint": "71c003d0195dba527dd81a49830f0708a66991f2",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8083",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "88da5c1504fc4128c2aba25a8679f1c1",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8083,
"service": "http-alt-8083",
"service_name": "http-alt-8083",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd0\u00138rd\ufffd!\ufffd\ufffd\ufffd4\u000f\u02ec\ufffd\u0007\ufffd\ufffd\ufffdi\u0001\ufffd@\ufffdzk\u9ac5\ufffd )\u0430\ufffdnwu9\ufffd\ufffdYe[Xc\ufffd\u0014\ufffd68\ufffd\u0012\ufffdxI\ufffdyNB\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd0\u00138rd\ufffd!\ufffd\ufffd\ufffd4\u000f\u02ec\ufffd\u0007\ufffd\ufffd\ufffdi\u0001\ufffd@\ufffdzk\u9ac5\ufffd )\u0430\ufffdnwu9\ufffd\ufffdYe[Xc\ufffd\u0014\ufffd68\ufffd\u0012\ufffdxI\ufffdyNB\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\ufffd3w\u001d\ufffdQ+\u03ad\ufffd\ufffd\ufffd\u0012V\ufffdE\ufffdH\ufffd\ufffd\ufffd\u001f?\ufffd\ufffd(\ufffdF",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd0\u00138rd\ufffd!\ufffd\ufffd\ufffd4\u000f\u02ec\ufffd\u0007\ufffd\ufffd\ufffdi\u0001\ufffd@\ufffdzk\u9ac5\ufffd )\u0430\ufffdnwu9\ufffd\ufffdYe[Xc\ufffd\u0014\ufffd68\ufffd\u0012\ufffdxI\ufffdyNB\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c55303d8370364f62a6af6247b389c17d19e259f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd0\u00138rd\ufffd!\ufffd\ufffd\ufffd4\u000f\u02ec\ufffd\u0007\ufffd\ufffd\ufffdi\u0001\ufffd@\ufffdzk\u9ac5\ufffd )\u0430\ufffdnwu9\ufffd\ufffdYe[Xc\ufffd\u0014\ufffd68\ufffd\u0012\ufffdxI\ufffdyNB\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8083,
"service": "http-alt-8083",
"service_label_fr": "HTTP ALT 8083"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd08rd\ufffd!\ufffd\ufffd\ufffd4\u02ec\ufffd\ufffd\ufffd\ufffdi\ufffd@\ufffdzk\u9ac5\ufffd )\u0430\ufffdnwu9\ufffd\ufffdYe[Xc\ufffd\ufffd68\ufffd\ufffdxI\ufffdyNB\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8083:8083 \u00b7 (reconnaissance)",
"target_port_label": "8083 \u00b7 HTTP ALT 8083",
"emulator_service": "http-alt-8083",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8083 \u2014 multi-protocole (52 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8083",
"service_label_fr": "HTTP ALT 8083",
"dst_port": 8083,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8083",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd0\u00138rd\ufffd!\ufffd\ufffd\ufffd4\u000f\u02ec\ufffd\u0007\ufffd\ufffd\ufffdi\u0001\ufffd@\ufffdzk\u9ac5\ufffd )\u0430\ufffdnwu9\ufffd\ufffdYe[Xc\ufffd\u0014\ufffd68\ufffd\u0012\ufffdxI\ufffdyNB\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8083,
"service": "http-alt-8083",
"service_label_fr": "HTTP ALT 8083"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8083:8083 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd08rd\ufffd!\ufffd\ufffd\ufffd4\u02ec\ufffd\ufffd\ufffd\ufffdi\ufffd@\ufffdzk\u9ac5\ufffd )\u0430\ufffdnwu9\ufffd\ufffdYe[Xc\ufffd\ufffd68\ufffd\ufffdxI\ufffdyNB\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8083 \u00b7 HTTP ALT 8083",
"emulator_service": "http-alt-8083",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8083",
"service_banner": "honeypot-http-alt-8083",
"service_os": "linux",
"dst_port": "8083"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 82,
"port_scan_ports_sample": [
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379,
2380
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 82,
"scan_velocity_ports_per_s": 76.62,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 52,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker",
"docker-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8084 · HTTP ALT 8084
|
http-alt-8084
|
Scan de ports
port scan syn · via HTTP ALT 8084:8084 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8084
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8084
Chemin / cible
—
Service
HTTP ALT 8084
Payload
������������'N�t��Z�>b�w�N�`Y� Ή}����ue�5 �������$�Y/���Sc��W8��ѯ�����*��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������'N�t��Z�>b�w�N�`Y�
Ή}����ue�5 �������$�Y/���Sc��W8��ѯ�����*��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������'N�t��Z�>b�w�N�`Y� Ή}����ue�5 �������$�Y/���Sc��W8��ѯ�����*��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���J��#���A�@�J���v�_ �t�pu�&���
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.752780506515567,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8084",
"app_proto": "http-alt-8084",
"asn": 396982,
"country": "US",
"dst_port": 8084,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "9387906417fb9adde04ed87e9e653149bf90a3eb",
"event_fingerprint": "9fc541ca5c19c906c01af9a9e3daaa9d695a1916",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8084",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "11d43829b47191452cd237b304217e39",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8084,
"service": "http-alt-8084",
"service_name": "http-alt-8084",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'N\ufffdt\ufffd\ufffdZ\ufffd>b\ufffdw\ufffdN\ufffd`Y\u0019\n\u0389}\u0002\ufffd\ufffd\ufffdue\ufffd5 \ufffd\ufffd\u0000\ufffd\ufffd\u0000\ufffd$\ufffdY\/\ufffd\ufffd\ufffdSc\ufffd\ufffdW8\ufffd\ufffd\u046f\ufffd\ufffd\ufffd\u0003\ufffd*\u0018\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'N\ufffdt\ufffd\ufffdZ\ufffd>b\ufffdw\ufffdN\ufffd`Y\u0019\n\u0389}\u0002\ufffd\ufffd\ufffdue\ufffd5 \ufffd\ufffd\u0000\ufffd\ufffd\u0000\ufffd$\ufffdY\/\ufffd\ufffd\ufffdSc\ufffd\ufffdW8\ufffd\ufffd\u046f\ufffd\ufffd\ufffd\u0003\ufffd*\u0018\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdJ\ufffd\ufffd#\ufffd\ufffd\ufffdA\ufffd@\ufffdJ\ufffd\ufffd\ufffdv\ufffd_\n\ufffdt\u0016pu\ufffd&\ufffd\u0001\u0002",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'N\ufffdt\ufffd\ufffdZ\ufffd>b\ufffdw\ufffdN\ufffd`Y\u0019\n\u0389}\u0002\ufffd\ufffd\ufffdue\ufffd5 \ufffd\ufffd\u0000\ufffd\ufffd\u0000\ufffd$\ufffdY\/\ufffd\ufffd\ufffdSc\ufffd\ufffdW8\ufffd\ufffd\u046f\ufffd\ufffd\ufffd\u0003\ufffd*\u0018\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "59f5a0f211c9a99dac836dfd2c86e64f69015d5f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'N\ufffdt\ufffd\ufffdZ\ufffd>b\ufffdw\ufffdN\ufffd`Y\u0019\n\u0389}\u0002\ufffd\ufffd\ufffdue\ufffd5 \ufffd\ufffd\u0000\ufffd\ufffd\u0000\ufffd$\ufffdY\/\ufffd\ufffd\ufffdSc\ufffd\ufffdW8\ufffd\ufffd\u046f\ufffd\ufffd\ufffd\u0003\ufffd*\u0018\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8084,
"service": "http-alt-8084",
"service_label_fr": "HTTP ALT 8084"
},
"evidence_snippet": "\ufffd\ufffd\ufffd'N\ufffdt\ufffd\ufffdZ\ufffd>b\ufffdw\ufffdN\ufffd`Y\n\u0389}\ufffd\ufffd\ufffdue\ufffd5 \ufffd\ufffd\ufffd\ufffd\ufffd$\ufffdY\/\ufffd\ufffd\ufffdSc\ufffd\ufffdW8\ufffd\ufffd\u046f\ufffd\ufffd\ufffd\ufffd*&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8084:8084 \u00b7 (reconnaissance)",
"target_port_label": "8084 \u00b7 HTTP ALT 8084",
"emulator_service": "http-alt-8084",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8084 \u2014 multi-protocole (53 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8084",
"service_label_fr": "HTTP ALT 8084",
"dst_port": 8084,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8084",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd'N\ufffdt\ufffd\ufffdZ\ufffd>b\ufffdw\ufffdN\ufffd`Y\u0019\n\u0389}\u0002\ufffd\ufffd\ufffdue\ufffd5 \ufffd\ufffd\u0000\ufffd\ufffd\u0000\ufffd$\ufffdY\/\ufffd\ufffd\ufffdSc\ufffd\ufffdW8\ufffd\ufffd\u046f\ufffd\ufffd\ufffd\u0003\ufffd*\u0018\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8084,
"service": "http-alt-8084",
"service_label_fr": "HTTP ALT 8084"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8084:8084 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd'N\ufffdt\ufffd\ufffdZ\ufffd>b\ufffdw\ufffdN\ufffd`Y\n\u0389}\ufffd\ufffd\ufffdue\ufffd5 \ufffd\ufffd\ufffd\ufffd\ufffd$\ufffdY\/\ufffd\ufffd\ufffdSc\ufffd\ufffdW8\ufffd\ufffd\u046f\ufffd\ufffd\ufffd\ufffd*&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8084 \u00b7 HTTP ALT 8084",
"emulator_service": "http-alt-8084",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8084",
"service_banner": "honeypot-http-alt-8084",
"service_os": "linux",
"dst_port": "8084"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 83,
"port_scan_ports_sample": [
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379,
2380
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 83,
"scan_velocity_ports_per_s": 77.03,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 53,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker",
"docker-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8088 · HTTP ALT 8088
|
http-alt-8088
|
Scan de ports
port scan syn · via HTTP ALT 8088:8088 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8088
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8088
Chemin / cible
—
Service
HTTP ALT 8088
Payload
�����������I��/�x������1�>"k��^ϊ�yл�t�^� �kk�59@)ŗ�M1�?�Q��������AT�Ԫa��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������I��/�x������1�>"k��^ϊ�yл�t�^� �kk�59@)ŗ�M1�?�Q��������AT�Ԫa��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������I��/�x������1�>"k��^ϊ�yл�t�^� �kk�59@)ŗ�M1�?�Q��������AT�Ԫa��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� "����������K)��ݝM �I��yt���p��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.824817218854287,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8088",
"app_proto": "http-alt-8088",
"asn": 396982,
"country": "US",
"dst_port": 8088,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "20649db00c017afb76b9b9615fea623b90049f9a",
"event_fingerprint": "d2258c613dacf1d3a6383f9a084716b29d5b7d2f",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8088",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f10afe02413721ac99993ef96d06d402",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8088,
"service": "http-alt-8088",
"service_name": "http-alt-8088",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\u0013\ufffd\/\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd>\"k\ufffd\ufffd^\u03ca\u0005y\u043b\ufffdt\ufffd^\ufffd \ufffdkk\ufffd59@)\u0157\ufffdM1\ufffd?\ufffdQ\ufffd\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffdAT\ufffd\u052aa\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\u0013\ufffd\/\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd>\"k\ufffd\ufffd^\u03ca\u0005y\u043b\ufffdt\ufffd^\ufffd \ufffdkk\ufffd59@)\u0157\ufffdM1\ufffd?\ufffdQ\ufffd\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffdAT\ufffd\u052aa\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \"\ufffd\u0001\u0006\ufffd\u001a\ufffd\ufffd\ufffd\ufffd\ufffdK)\ufffd\ufffd\u075dM \ufffdI\ufffd\ufffdyt\ufffd\ufffd\ufffdp\ufffd\u0013",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\u0013\ufffd\/\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd>\"k\ufffd\ufffd^\u03ca\u0005y\u043b\ufffdt\ufffd^\ufffd \ufffdkk\ufffd59@)\u0157\ufffdM1\ufffd?\ufffdQ\ufffd\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffdAT\ufffd\u052aa\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0eba777e4ad561a17f99a427d5b5ead3ea3f2d07",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\u0013\ufffd\/\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd>\"k\ufffd\ufffd^\u03ca\u0005y\u043b\ufffdt\ufffd^\ufffd \ufffdkk\ufffd59@)\u0157\ufffdM1\ufffd?\ufffdQ\ufffd\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffdAT\ufffd\u052aa\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8088,
"service": "http-alt-8088",
"service_label_fr": "HTTP ALT 8088"
},
"evidence_snippet": "\ufffd\ufffdI\ufffd\/\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd>\"k\ufffd\ufffd^\u03cay\u043b\ufffdt\ufffd^\ufffd \ufffdkk\ufffd59@)\u0157\ufffdM1\ufffd?\ufffdQ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdAT\ufffd\u052aa&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8088:8088 \u00b7 (reconnaissance)",
"target_port_label": "8088 \u00b7 HTTP ALT 8088",
"emulator_service": "http-alt-8088",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8088 \u2014 multi-protocole (54 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8088",
"service_label_fr": "HTTP ALT 8088",
"dst_port": 8088,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8088",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I\u0013\ufffd\/\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd>\"k\ufffd\ufffd^\u03ca\u0005y\u043b\ufffdt\ufffd^\ufffd \ufffdkk\ufffd59@)\u0157\ufffdM1\ufffd?\ufffdQ\ufffd\ufffd\u001f\ufffd\ufffd\ufffd\ufffd\ufffdAT\ufffd\u052aa\u0002\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8088,
"service": "http-alt-8088",
"service_label_fr": "HTTP ALT 8088"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8088:8088 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdI\ufffd\/\ufffdx\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd1\ufffd>\"k\ufffd\ufffd^\u03cay\u043b\ufffdt\ufffd^\ufffd \ufffdkk\ufffd59@)\u0157\ufffdM1\ufffd?\ufffdQ\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdAT\ufffd\u052aa&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8088 \u00b7 HTTP ALT 8088",
"emulator_service": "http-alt-8088",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8088",
"service_banner": "honeypot-http-alt-8088",
"service_os": "linux",
"dst_port": "8088"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 84,
"port_scan_ports_sample": [
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379,
2380
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 84,
"scan_velocity_ports_per_s": 77.38,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 54,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker",
"docker-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8089 · SPLUNK
|
splunk
|
Scan de ports
port scan syn · via SPLUNK:8089 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
SPLUNK
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8089
Chemin / cible
—
Service
SPLUNK
Payload
�����������~J �V��5����W���@zz��Rdv���̫�� -h&v5�����Ax�RY������ ���q�A�z6�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������~J �V��5����W���@zz��Rdv���̫�� -h&v5�����Ax�RY����������q�A�z6�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������~J �V��5����W���@zz��Rdv���̫�� -h&v5�����Ax�RY������ ���q�A�z6�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �e/��v bBt����&�Ԯ������V��λd�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.734775798121294,
"port_category": "registered",
"org": "Google LLC",
"service": "splunk",
"app_proto": "splunk",
"asn": 396982,
"country": "US",
"dst_port": 8089,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "664c0cf7c47d4f5a2f7cc4f182d641f8941b3ea7",
"event_fingerprint": "00e61faeb05bf25fb6c40c4257543ce914eaf37e",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "splunk",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d5ce51f8ff91b671cc507e596fef90c9",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8089,
"service": "splunk",
"service_name": "splunk",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~J \ufffdV\u0015\ufffd5\u000e\u0012\u0004\ufffdW\u0019\ufffd\ufffd@zz\ufffd\u001aRdv\ufffd\ufffd\ufffd\u032b\u0003\ufffd -h&v5\ufffd\ufffd\ufffd\ufffd\ufffdAx\ufffdRY\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffdq\ufffdA\ufffdz6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~J \ufffdV\u0015\ufffd5\u000e\u0012\u0004\ufffdW\u0019\ufffd\ufffd@zz\ufffd\u001aRdv\ufffd\ufffd\ufffd\u032b\u0003\ufffd -h&v5\ufffd\ufffd\ufffd\ufffd\ufffdAx\ufffdRY\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffdq\ufffdA\ufffdz6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \n\ufffde\/\ufffd\ufffdv\rbBt\ufffd\ufffd\u0013\ufffd&\ufffd\u052e\ufffd\ufffd\u0003\ufffd\ufffd\ufffdV\ufffd\ufffd\u03bbd\u0001",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~J \ufffdV\u0015\ufffd5\u000e\u0012\u0004\ufffdW\u0019\ufffd\ufffd@zz\ufffd\u001aRdv\ufffd\ufffd\ufffd\u032b\u0003\ufffd -h&v5\ufffd\ufffd\ufffd\ufffd\ufffdAx\ufffdRY\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffdq\ufffdA\ufffdz6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "31ece3876b3cba08be8bce4ecbac3cca49b0cd48",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~J \ufffdV\u0015\ufffd5\u000e\u0012\u0004\ufffdW\u0019\ufffd\ufffd@zz\ufffd\u001aRdv\ufffd\ufffd\ufffd\u032b\u0003\ufffd -h&v5\ufffd\ufffd\ufffd\ufffd\ufffdAx\ufffdRY\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffdq\ufffdA\ufffdz6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8089,
"service": "splunk",
"service_label_fr": "SPLUNK"
},
"evidence_snippet": "\ufffd\ufffd~J \ufffdV\ufffd5\ufffdW\ufffd\ufffd@zz\ufffdRdv\ufffd\ufffd\ufffd\u032b\ufffd -h&v5\ufffd\ufffd\ufffd\ufffd\ufffdAx\ufffdRY\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdq\ufffdA\ufffdz6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via SPLUNK:8089 \u00b7 (reconnaissance)",
"target_port_label": "8089 \u00b7 SPLUNK",
"emulator_service": "splunk",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SPLUNK \u2014 multi-protocole (55 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "splunk",
"service_label_fr": "SPLUNK",
"dst_port": 8089,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-splunk",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003~J \ufffdV\u0015\ufffd5\u000e\u0012\u0004\ufffdW\u0019\ufffd\ufffd@zz\ufffd\u001aRdv\ufffd\ufffd\ufffd\u032b\u0003\ufffd -h&v5\ufffd\ufffd\ufffd\ufffd\ufffdAx\ufffdRY\u0013\ufffd\ufffd\ufffd\ufffd\ufffd\f\ufffd\ufffd\ufffdq\ufffdA\ufffdz6\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8089,
"service": "splunk",
"service_label_fr": "SPLUNK"
},
"attack_vector": "port scan syn \u00b7 via SPLUNK:8089 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd~J \ufffdV\ufffd5\ufffdW\ufffd\ufffd@zz\ufffdRdv\ufffd\ufffd\ufffd\u032b\ufffd -h&v5\ufffd\ufffd\ufffd\ufffd\ufffdAx\ufffdRY\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdq\ufffdA\ufffdz6&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8089 \u00b7 SPLUNK",
"emulator_service": "splunk",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "splunk",
"service_banner": "honeypot-splunk",
"service_os": "linux",
"dst_port": "8089"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 85,
"port_scan_ports_sample": [
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379,
2380
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 85,
"scan_velocity_ports_per_s": 77.29,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 55,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker",
"docker-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8090 · HTTP ALT 8090
|
http-alt-8090
|
Scan de ports
port scan syn · via HTTP ALT 8090:8090 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-8090
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8090
Chemin / cible
—
Service
HTTP ALT 8090
Payload
������������f� ��42����{�wK�Pdj�Qz��]*U ���7m�U~s�F���w���.�?N�334y+N� G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������f����42����{�wK�Pdj�Qz��]*U ���7m�U~s�F���w���.�?N�334y+N��G�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������f� ��42����{�wK�Pdj�Qz��]*U ���7m�U~s�F���w���.�?N�334y+N� G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��K���=��I��yo�����S4g��w;ժi�
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.81459827301166,
"port_category": "registered",
"org": "Google LLC",
"service": "http-alt-8090",
"app_proto": "http-alt-8090",
"asn": 396982,
"country": "US",
"dst_port": 8090,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "db831ae30fe731a40f97149cdff9730ce0fb5158",
"event_fingerprint": "c8a7272a1f615ddc9077dacd4f81374b00ef075a",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-8090",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "fe733d0e190350ba6823b89dce54d9d8",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8090,
"service": "http-alt-8090",
"service_name": "http-alt-8090",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdf\ufffd\f\ufffd\u001d42\ufffd\ufffd\u0006\ufffd{\ufffdwK\ufffdPdj\u05cc\ufffdQz\ufffd\ufffd]*U \ufffd\ufffd\ufffd7m\u0003U~s\ufffdF\ufffd\ufffd\u0006w\ufffd\ufffd\u0001.\ufffd?N\ufffd334y+N\ufffd\fG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdf\ufffd\f\ufffd\u001d42\ufffd\ufffd\u0006\ufffd{\ufffdwK\ufffdPdj\u05cc\ufffdQz\ufffd\ufffd]*U \ufffd\ufffd\ufffd7m\u0003U~s\ufffdF\ufffd\ufffd\u0006w\ufffd\ufffd\u0001.\ufffd?N\ufffd334y+N\ufffd\fG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \t\ufffd\u001bK\u0006\ufffd\ufffd=\ufffd\u0003I\ufffd\u001cyo\ufffd\u0005\ufffd\ufffd\ufffdS4g\ufffd\ufffdw;\u056ai\ufffd",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdf\ufffd\f\ufffd\u001d42\ufffd\ufffd\u0006\ufffd{\ufffdwK\ufffdPdj\u05cc\ufffdQz\ufffd\ufffd]*U \ufffd\ufffd\ufffd7m\u0003U~s\ufffdF\ufffd\ufffd\u0006w\ufffd\ufffd\u0001.\ufffd?N\ufffd334y+N\ufffd\fG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2c55a20052d46ac5fa777368d76ed9f0d214d309",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdf\ufffd\f\ufffd\u001d42\ufffd\ufffd\u0006\ufffd{\ufffdwK\ufffdPdj\u05cc\ufffdQz\ufffd\ufffd]*U \ufffd\ufffd\ufffd7m\u0003U~s\ufffdF\ufffd\ufffd\u0006w\ufffd\ufffd\u0001.\ufffd?N\ufffd334y+N\ufffd\fG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"evidence_snippet": "\ufffd\ufffd\ufffdf\ufffd\ufffd42\ufffd\ufffd\ufffd{\ufffdwK\ufffdPdj\u05cc\ufffdQz\ufffd\ufffd]*U \ufffd\ufffd\ufffd7mU~s\ufffdF\ufffd\ufffdw\ufffd\ufffd.\ufffd?N\ufffd334y+N\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8090:8090 \u00b7 (reconnaissance)",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 8090 \u2014 multi-protocole (56 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090",
"dst_port": 8090,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-8090",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdf\ufffd\f\ufffd\u001d42\ufffd\ufffd\u0006\ufffd{\ufffdwK\ufffdPdj\u05cc\ufffdQz\ufffd\ufffd]*U \ufffd\ufffd\ufffd7m\u0003U~s\ufffdF\ufffd\ufffd\u0006w\ufffd\ufffd\u0001.\ufffd?N\ufffd334y+N\ufffd\fG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8090,
"service": "http-alt-8090",
"service_label_fr": "HTTP ALT 8090"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 8090:8090 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdf\ufffd\ufffd42\ufffd\ufffd\ufffd{\ufffdwK\ufffdPdj\u05cc\ufffdQz\ufffd\ufffd]*U \ufffd\ufffd\ufffd7mU~s\ufffdF\ufffd\ufffdw\ufffd\ufffd.\ufffd?N\ufffd334y+N\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8090 \u00b7 HTTP ALT 8090",
"emulator_service": "http-alt-8090",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_8090",
"service_banner": "honeypot-http-alt-8090",
"service_os": "linux",
"dst_port": "8090"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 86,
"port_scan_ports_sample": [
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379,
2380
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 86,
"scan_velocity_ports_per_s": 77.54,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 56,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker",
"docker-tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8091 · COUCHBASE
|
couchbase
|
Scan de ports
port scan syn · via COUCHBASE:8091 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
COUCHBASE
WAF
—
Recommandation
Surveiller
Tags
couchbase_emulated
couchbase_payload
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8091
Chemin / cible
—
Service
COUCHBASE
Payload
������������$�;a,58ϊ~�~��t`�}'Z��^g�o�?��� ���i�V��{�u��pi�V¬I�(��a{Yd����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������$�;a,58ϊ~�~��t`�}'Z��^g�o�?��� ���i�V��{�u��pi�V¬I�(��a{Yd����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������$�;a,58ϊ~�~��t`�}'Z��^g�o�?��� ���i�V��{�u��pi�V¬I�(��a{Yd����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �'EY�OIٱ�˶��Wy�ލ�\�4 +�) p�4D
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f7420636f7563686261736520726561647920706f72743d383039310d0a",
"emulator_response_len": 40,
"bytes_in": 239,
"payload_entropy": 5.881936400671869,
"port_category": "registered",
"org": "Google LLC",
"service": "couchbase",
"app_proto": "couchbase",
"asn": 396982,
"country": "US",
"dst_port": 8091,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b311cc7f989fb93ad181b7f43a4a458c57e0fcac",
"event_fingerprint": "3b60071144288aefe5f7d3a92b0e4863e95fe8f5",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "couchbase",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "20053d0e82d90e51ebc34cebdbe3f9d8",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8091,
"service": "couchbase",
"service_name": "couchbase",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$\ufffd;a,58\u03ca~\ufffd~\ufffd\ufffdt`\u0016}'Z\ufffd\ufffd^g\ufffdo\ufffd?\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdi\u0011V\ufffd\ufffd{\ufffdu\ufffd\u0002pi\ufffdV\u00acI\ufffd(\ufffd\ufffda{Yd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$\ufffd;a,58\u03ca~\ufffd~\ufffd\ufffdt`\u0016}'Z\ufffd\ufffd^g\ufffdo\ufffd?\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdi\u0011V\ufffd\ufffd{\ufffdu\ufffd\u0002pi\ufffdV\u00acI\ufffd(\ufffd\ufffda{Yd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd'EY\u0001OI\u0671\u000e\u02f6\ufffd\ufffdWy\u001c\u078d\ufffd\\\u000e4\f+\b)\np\ufffd4D",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$\ufffd;a,58\u03ca~\ufffd~\ufffd\ufffdt`\u0016}'Z\ufffd\ufffd^g\ufffdo\ufffd?\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdi\u0011V\ufffd\ufffd{\ufffdu\ufffd\u0002pi\ufffdV\u00acI\ufffd(\ufffd\ufffda{Yd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d01de83c157ed0efeeb444fec6ca66cd2971c0e5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$\ufffd;a,58\u03ca~\ufffd~\ufffd\ufffdt`\u0016}'Z\ufffd\ufffd^g\ufffdo\ufffd?\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdi\u0011V\ufffd\ufffd{\ufffdu\ufffd\u0002pi\ufffdV\u00acI\ufffd(\ufffd\ufffda{Yd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8091,
"service": "couchbase",
"service_label_fr": "COUCHBASE"
},
"evidence_snippet": "\ufffd\ufffd\ufffd$\ufffd;a,58\u03ca~\ufffd~\ufffd\ufffdt`}'Z\ufffd\ufffd^g\ufffdo\ufffd?\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdiV\ufffd\ufffd{\ufffdu\ufffdpi\ufffdV\u00acI\ufffd(\ufffd\ufffda{Yd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via COUCHBASE:8091 \u00b7 (reconnaissance)",
"target_port_label": "8091 \u00b7 COUCHBASE",
"emulator_service": "couchbase",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via COUCHBASE \u2014 multi-protocole (57 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "couchbase",
"service_label_fr": "COUCHBASE",
"dst_port": 8091,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-couchbase",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd$\ufffd;a,58\u03ca~\ufffd~\ufffd\ufffdt`\u0016}'Z\ufffd\ufffd^g\ufffdo\ufffd?\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdi\u0011V\ufffd\ufffd{\ufffdu\ufffd\u0002pi\ufffdV\u00acI\ufffd(\ufffd\ufffda{Yd\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8091,
"service": "couchbase",
"service_label_fr": "COUCHBASE"
},
"attack_vector": "port scan syn \u00b7 via COUCHBASE:8091 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd$\ufffd;a,58\u03ca~\ufffd~\ufffd\ufffdt`}'Z\ufffd\ufffd^g\ufffdo\ufffd?\ufffd\ufffd\ufffd \ufffd\ufffd\ufffdiV\ufffd\ufffd{\ufffdu\ufffdpi\ufffdV\u00acI\ufffd(\ufffd\ufffda{Yd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8091 \u00b7 COUCHBASE",
"emulator_service": "couchbase",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "couchbase",
"service_banner": "honeypot-couchbase",
"service_os": "linux",
"dst_port": "8091"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 87,
"port_scan_ports_sample": [
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379,
2380
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 87,
"scan_velocity_ports_per_s": 77.74,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 57,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"couchbase_emulated",
"couchbase_payload",
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8099 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8099 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8099
Chemin / cible
—
Service
TLS
Payload
������������&�n�`Y�NP�t��b�Z����v���67�c��� I1�Q#�����3��������6�9�qV���/�B�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������&�n�`Y�NP�t��b�Z����v���67�c��� I1�Q#�����3��������6�9�qV���/�B�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������&�n�`Y�NP�t��b�Z����v���67�c��� I1�Q#�����3��������6�9�qV���/�B�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� wIJ����V/r3�tUẈ�-�w������ ��{
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.878112828819072,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8099,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d859d364e285dfa8434bb8a89bb80d11623901ac",
"event_fingerprint": "b36187b9324950e56db7e6bb795fbb3777779762",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "f2a83c4d9c38cdf6f81af4b1f96ddb21",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8099,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd&\ufffdn\ufffd`Y\ufffdNP\ufffdt\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffdv\u0011\ufffd\ufffd67\ufffdc\u0006\ufffd\ufffd I1\ufffdQ#\ufffd\ufffd\u001f\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd6\ufffd9\u0019qV\ufffd\ufffd\ufffd\/\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd&\ufffdn\ufffd`Y\ufffdNP\ufffdt\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffdv\u0011\ufffd\ufffd67\ufffdc\u0006\ufffd\ufffd I1\ufffdQ#\ufffd\ufffd\u001f\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd6\ufffd9\u0019qV\ufffd\ufffd\ufffd\/\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 wIJ\ufffd\ufffd\ufffd\u001aV\/r3\ufffdtUW\u0323\ufffd-\ufffdw\u0002\ufffd\ufffd\ufffd\ufffd\ufffd\t\ufffd\ufffd{",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd&\ufffdn\ufffd`Y\ufffdNP\ufffdt\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffdv\u0011\ufffd\ufffd67\ufffdc\u0006\ufffd\ufffd I1\ufffdQ#\ufffd\ufffd\u001f\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd6\ufffd9\u0019qV\ufffd\ufffd\ufffd\/\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "00523e8190a6b39e0c5569c1ec6a4ccbcc80d447",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd&\ufffdn\ufffd`Y\ufffdNP\ufffdt\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffdv\u0011\ufffd\ufffd67\ufffdc\u0006\ufffd\ufffd I1\ufffdQ#\ufffd\ufffd\u001f\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd6\ufffd9\u0019qV\ufffd\ufffd\ufffd\/\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8099,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd&\ufffdn\ufffd`Y\ufffdNP\ufffdt\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffdv\ufffd\ufffd67\ufffdc\ufffd\ufffd I1\ufffdQ#\ufffd\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffd9qV\ufffd\ufffd\ufffd\/\ufffdB&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8099 \u00b7 (reconnaissance)",
"target_port_label": "8099 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (57 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8099,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd&\ufffdn\ufffd`Y\ufffdNP\ufffdt\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffdv\u0011\ufffd\ufffd67\ufffdc\u0006\ufffd\ufffd I1\ufffdQ#\ufffd\ufffd\u001f\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd6\ufffd9\u0019qV\ufffd\ufffd\ufffd\/\ufffdB\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8099,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8099 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd&\ufffdn\ufffd`Y\ufffdNP\ufffdt\ufffd\ufffdb\ufffdZ\ufffd\ufffd\ufffd\ufffdv\ufffd\ufffd67\ufffdc\ufffd\ufffd I1\ufffdQ#\ufffd\ufffd\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd6\ufffd9qV\ufffd\ufffd\ufffd\/\ufffdB&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8099 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8099"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 88,
"port_scan_ports_sample": [
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379,
2380
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 88,
"scan_velocity_ports_per_s": 78.12,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 57,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
81 · HTTP ALT 81
|
http-alt-81
|
Scan de ports
port scan syn · via HTTP ALT 81:81 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTP-ALT-81
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
81
Chemin / cible
—
Service
HTTP ALT 81
Payload
�������������j���� q��a��/����� ��d lo�x �I�?�⫹1o�VF�)��:���ʻ����Z�ߓY�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������j���� q��a��/�����
���d�lo�x �I�?�⫹1o�VF�)��:���ʻ����Z�ߓY�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������j���� q��a��/����� ��d lo�x �I�?�⫹1o�VF�)��:���ʻ����Z�ߓY�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���# a�����X:��n�#�F� ҹ[��k1
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.824388539343877,
"port_category": "well_known",
"org": "Google LLC",
"service": "http-alt-81",
"app_proto": "http-alt-81",
"asn": 396982,
"country": "US",
"dst_port": 81,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "89c0072ca1543bf42b03c035e295679c72889ba7",
"event_fingerprint": "49582ecc49f559a2f1bb1cd217766a10acf24b29",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "http-alt-81",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "7bb0436af27305cedf32a237f21f166d",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 81,
"service": "http-alt-81",
"service_name": "http-alt-81",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffdj\u001c\ufffd\u0016\ufffd\tq\ufffd\ufffda\u0016\u0017\/\ufffd\ufffd\ufffd\u0003\u0015\n\u000b\ufffd\u0007d\u000blo\ufffdx \ufffdI\ufffd?\ufffd\u2af91o\ufffdVF\ufffd)\ufffd\u0002:\ufffd\ufffd\ufffd\u02bb\ufffd\ufffd\ufffd\ufffdZ\ufffd\u07d3Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffdj\u001c\ufffd\u0016\ufffd\tq\ufffd\ufffda\u0016\u0017\/\ufffd\ufffd\ufffd\u0003\u0015\n\u000b\ufffd\u0007d\u000blo\ufffdx \ufffdI\ufffd?\ufffd\u2af91o\ufffdVF\ufffd)\ufffd\u0002:\ufffd\ufffd\ufffd\u02bb\ufffd\ufffd\ufffd\ufffdZ\ufffd\u07d3Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u001f\ufffd#\u000ba\ufffd\u0015\ufffd\ufffd\ufffdX:\u0011\ufffdn\ufffd#\ufffdF\ufffd\f\u04b9[\ufffd\ufffdk1",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffdj\u001c\ufffd\u0016\ufffd\tq\ufffd\ufffda\u0016\u0017\/\ufffd\ufffd\ufffd\u0003\u0015\n\u000b\ufffd\u0007d\u000blo\ufffdx \ufffdI\ufffd?\ufffd\u2af91o\ufffdVF\ufffd)\ufffd\u0002:\ufffd\ufffd\ufffd\u02bb\ufffd\ufffd\ufffd\ufffdZ\ufffd\u07d3Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4f0860a58967d32729a73b73a02830e60f46d57c",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffdj\u001c\ufffd\u0016\ufffd\tq\ufffd\ufffda\u0016\u0017\/\ufffd\ufffd\ufffd\u0003\u0015\n\u000b\ufffd\u0007d\u000blo\ufffdx \ufffdI\ufffd?\ufffd\u2af91o\ufffdVF\ufffd)\ufffd\u0002:\ufffd\ufffd\ufffd\u02bb\ufffd\ufffd\ufffd\ufffdZ\ufffd\u07d3Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 81,
"service": "http-alt-81",
"service_label_fr": "HTTP ALT 81"
},
"evidence_snippet": "\ufffd\ufffd\ufffdj\ufffd\ufffd\tq\ufffd\ufffda\/\ufffd\ufffd\ufffd\n\ufffddlo\ufffdx \ufffdI\ufffd?\ufffd\u2af91o\ufffdVF\ufffd)\ufffd:\ufffd\ufffd\ufffd\u02bb\ufffd\ufffd\ufffd\ufffdZ\ufffd\u07d3Y&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTP ALT 81:81 \u00b7 (reconnaissance)",
"target_port_label": "81 \u00b7 HTTP ALT 81",
"emulator_service": "http-alt-81",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTP ALT 81 \u2014 multi-protocole (58 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http-alt-81",
"service_label_fr": "HTTP ALT 81",
"dst_port": 81,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http-alt-81",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffdj\u001c\ufffd\u0016\ufffd\tq\ufffd\ufffda\u0016\u0017\/\ufffd\ufffd\ufffd\u0003\u0015\n\u000b\ufffd\u0007d\u000blo\ufffdx \ufffdI\ufffd?\ufffd\u2af91o\ufffdVF\ufffd)\ufffd\u0002:\ufffd\ufffd\ufffd\u02bb\ufffd\ufffd\ufffd\ufffdZ\ufffd\u07d3Y\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 81,
"service": "http-alt-81",
"service_label_fr": "HTTP ALT 81"
},
"attack_vector": "port scan syn \u00b7 via HTTP ALT 81:81 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdj\ufffd\ufffd\tq\ufffd\ufffda\/\ufffd\ufffd\ufffd\n\ufffddlo\ufffdx \ufffdI\ufffd?\ufffd\u2af91o\ufffdVF\ufffd)\ufffd:\ufffd\ufffd\ufffd\u02bb\ufffd\ufffd\ufffd\ufffdZ\ufffd\u07d3Y&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "81 \u00b7 HTTP ALT 81",
"emulator_service": "http-alt-81",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http_alt_81",
"service_banner": "honeypot-http-alt-81",
"service_os": "linux",
"dst_port": "81"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 89,
"port_scan_ports_sample": [
81,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 89,
"scan_velocity_ports_per_s": 78.56,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 58,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8100 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8100 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8100
Chemin / cible
—
Service
TLS
Payload
������������1�2J�k: ��1!X��<��[p���/N��g�F- �������9���6Y�ٷ��\���&b�?~Q7���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������1�2J�k: ��1!X��<��[p���/N��g�F- �������9���6Y�ٷ��\���&b�?~Q7���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������1�2J�k: ��1!X��<��[p���/N��g�F- �������9���6Y�ٷ��\���&b�?~Q7���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �eΓr�����&�$92M���������7������
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.842746763456445,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8100,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "78938edfecf93a5ab1fa3867902897a585426f7c",
"event_fingerprint": "7eaa8dde51729a3be6d0337dffeb8ff1ed4bf778",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "f35b98bdd032fc22da14f454ef413ec3",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8100,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1\ufffd2J\u0007k: \ufffd\u00071!X\ufffd\ufffd<\ufffd\ufffd[p\ufffd\u0019\ufffd\/N\ufffd\ufffdg\ufffdF- \u0005\ufffd\u000f\u001e\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd6Y\ufffd\u0677\ufffd\ufffd\\\u0010\ufffd\u001e&b\ufffd?~Q7\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1\ufffd2J\u0007k: \ufffd\u00071!X\ufffd\ufffd<\ufffd\ufffd[p\ufffd\u0019\ufffd\/N\ufffd\ufffdg\ufffdF- \u0005\ufffd\u000f\u001e\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd6Y\ufffd\u0677\ufffd\ufffd\\\u0010\ufffd\u001e&b\ufffd?~Q7\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffde\u0393r\ufffd\ufffd\ufffd\u0013\u0003&\ufffd$92M\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd\ufffd\ufffd\ufffd\u0013",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1\ufffd2J\u0007k: \ufffd\u00071!X\ufffd\ufffd<\ufffd\ufffd[p\ufffd\u0019\ufffd\/N\ufffd\ufffdg\ufffdF- \u0005\ufffd\u000f\u001e\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd6Y\ufffd\u0677\ufffd\ufffd\\\u0010\ufffd\u001e&b\ufffd?~Q7\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "51c97c15b99dddf25aac25b41f84004e6e3a2374",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1\ufffd2J\u0007k: \ufffd\u00071!X\ufffd\ufffd<\ufffd\ufffd[p\ufffd\u0019\ufffd\/N\ufffd\ufffdg\ufffdF- \u0005\ufffd\u000f\u001e\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd6Y\ufffd\u0677\ufffd\ufffd\\\u0010\ufffd\u001e&b\ufffd?~Q7\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8100,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd1\ufffd2Jk: \ufffd1!X\ufffd\ufffd<\ufffd\ufffd[p\ufffd\ufffd\/N\ufffd\ufffdg\ufffdF- \ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd6Y\ufffd\u0677\ufffd\ufffd\\\ufffd&b\ufffd?~Q7\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8100 \u00b7 (reconnaissance)",
"target_port_label": "8100 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (58 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8100,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd1\ufffd2J\u0007k: \ufffd\u00071!X\ufffd\ufffd<\ufffd\ufffd[p\ufffd\u0019\ufffd\/N\ufffd\ufffdg\ufffdF- \u0005\ufffd\u000f\u001e\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd6Y\ufffd\u0677\ufffd\ufffd\\\u0010\ufffd\u001e&b\ufffd?~Q7\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8100,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8100 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd1\ufffd2Jk: \ufffd1!X\ufffd\ufffd<\ufffd\ufffd[p\ufffd\ufffd\/N\ufffd\ufffdg\ufffdF- \ufffd\ufffd\ufffd\ufffd9\ufffd\ufffd\ufffd6Y\ufffd\u0677\ufffd\ufffd\\\ufffd&b\ufffd?~Q7\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8100 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8100"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 90,
"port_scan_ports_sample": [
81,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 90,
"scan_velocity_ports_per_s": 78.94,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 58,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8110 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8110 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8110
Chemin / cible
—
Service
TLS
Payload
�������������������=6z�Z�$�Axs�X��$1���v�K� � Nd�a��:�|�NЎ�����栣�ߣ��Ad�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������������=6z�Z�$�Axs�X��$1���v�K� �
Nd�a��:�|�NЎ�����栣�ߣ��Ad�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������������=6z�Z�$�Axs�X��$1���v�K� � Nd�a��:�|�NЎ�����栣�ߣ��Ad�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��[ �a��v��O��� �/��V�EEj��LM
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.766033514802171,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8110,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "98b5cfb611b7e052bc7ea83c0937122c5e0892a3",
"event_fingerprint": "3e7d8c1cc2845f26c38690e9bbe62cc072f7f725",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "5a66572622751db76583b7ebd76a6f8b",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8110,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=6z\u0006Z\ufffd$\ufffdAxs\ufffdX\ufffd\ufffd$1\u001d\ufffd\u0000v\ufffdK\u0006 \ufffd\nNd\u05ff\ufffda\ufffd\u001f:\ufffd|\ufffdN\u040e\ufffd\ufffd\ufffd\ufffd\ufffd\u6823\ufffd\u07e3\ufffd\u001aAd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=6z\u0006Z\ufffd$\ufffdAxs\ufffdX\ufffd\ufffd$1\u001d\ufffd\u0000v\ufffdK\u0006 \ufffd\nNd\u05ff\ufffda\ufffd\u001f:\ufffd|\ufffdN\u040e\ufffd\ufffd\ufffd\ufffd\ufffd\u6823\ufffd\u07e3\ufffd\u001aAd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0006[\f\u0001a\ufffd\ufffdv\ufffd\u0005O\ufffd\ufffd\u000f\f\ufffd\/\u0017\ufffdV\ufffdEEj\u0001\ufffdLM",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=6z\u0006Z\ufffd$\ufffdAxs\ufffdX\ufffd\ufffd$1\u001d\ufffd\u0000v\ufffdK\u0006 \ufffd\nNd\u05ff\ufffda\ufffd\u001f:\ufffd|\ufffdN\u040e\ufffd\ufffd\ufffd\ufffd\ufffd\u6823\ufffd\u07e3\ufffd\u001aAd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "be32b3cb25c1be87303eba630f2a5db9beb74db5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=6z\u0006Z\ufffd$\ufffdAxs\ufffdX\ufffd\ufffd$1\u001d\ufffd\u0000v\ufffdK\u0006 \ufffd\nNd\u05ff\ufffda\ufffd\u001f:\ufffd|\ufffdN\u040e\ufffd\ufffd\ufffd\ufffd\ufffd\u6823\ufffd\u07e3\ufffd\u001aAd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8110,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=6zZ\ufffd$\ufffdAxs\ufffdX\ufffd\ufffd$1\ufffdv\ufffdK \ufffd\nNd\u05ff\ufffda\ufffd:\ufffd|\ufffdN\u040e\ufffd\ufffd\ufffd\ufffd\ufffd\u6823\ufffd\u07e3\ufffdAd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8110 \u00b7 (reconnaissance)",
"target_port_label": "8110 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (58 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8110,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0018\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=6z\u0006Z\ufffd$\ufffdAxs\ufffdX\ufffd\ufffd$1\u001d\ufffd\u0000v\ufffdK\u0006 \ufffd\nNd\u05ff\ufffda\ufffd\u001f:\ufffd|\ufffdN\u040e\ufffd\ufffd\ufffd\ufffd\ufffd\u6823\ufffd\u07e3\ufffd\u001aAd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8110,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8110 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd=6zZ\ufffd$\ufffdAxs\ufffdX\ufffd\ufffd$1\ufffdv\ufffdK \ufffd\nNd\u05ff\ufffda\ufffd:\ufffd|\ufffdN\u040e\ufffd\ufffd\ufffd\ufffd\ufffd\u6823\ufffd\u07e3\ufffdAd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8110 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8110"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 91,
"port_scan_ports_sample": [
81,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 91,
"scan_velocity_ports_per_s": 79.35,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 58,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8120 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8120 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8120
Chemin / cible
—
Service
TLS
Payload
������������ˊ똁r63+��f�b: ��!�����K����gZ �Qb��=���q�Aש�L� ]'y{�J�R^�N �&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������ˊ똁r63+��f�b:���!�����K����gZ �Qb��=���q�Aש�L����]'y{�J�R^�N��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������ˊ똁r63+��f�b: ��!�����K����gZ �Qb��=���q�Aש�L� ]'y{�J�R^�N �&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ������F-����ѿ��4�H��,dz���DS��
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.839935082328498,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8120,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d86248cf8c41f6ce35ee02e7db238c125ea946fc",
"event_fingerprint": "af86fd0c5d69cf392d149a18228d89afb422191a",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "d5fe0d23a3106f72e48cfbdba3b55edb",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8120,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u02ca\ub601r63+\ufffd\ufffdf\u0019b:\f\ufffd\ufffd!\u0015\ufffd\u001d\u0013\ufffdK\ufffd\ufffd\ufffd\ufffdgZ \u0016Qb\ufffd\ufffd=\ufffd\u0005\ufffdq\ufffdA\u05e9\ufffdL\ufffd\f\f\u000b]'y{\ufffdJ\ufffdR^\ufffdN\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u02ca\ub601r63+\ufffd\ufffdf\u0019b:\f\ufffd\ufffd!\u0015\ufffd\u001d\u0013\ufffdK\ufffd\ufffd\ufffd\ufffdgZ \u0016Qb\ufffd\ufffd=\ufffd\u0005\ufffdq\ufffdA\u05e9\ufffdL\ufffd\f\f\u000b]'y{\ufffdJ\ufffdR^\ufffdN\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u001a\ufffd\u0000F-\ufffd\ufffd\u001a\ufffd\u047f\ufffd\ufffd4\ufffdH\ufffd\u001a,dz\ufffd\ufffd\ufffdDS\ufffd\ufffd\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u02ca\ub601r63+\ufffd\ufffdf\u0019b:\f\ufffd\ufffd!\u0015\ufffd\u001d\u0013\ufffdK\ufffd\ufffd\ufffd\ufffdgZ \u0016Qb\ufffd\ufffd=\ufffd\u0005\ufffdq\ufffdA\u05e9\ufffdL\ufffd\f\f\u000b]'y{\ufffdJ\ufffdR^\ufffdN\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "c5dcd02a5c7a1cdd33e077c462072566a3f422d9",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u02ca\ub601r63+\ufffd\ufffdf\u0019b:\f\ufffd\ufffd!\u0015\ufffd\u001d\u0013\ufffdK\ufffd\ufffd\ufffd\ufffdgZ \u0016Qb\ufffd\ufffd=\ufffd\u0005\ufffdq\ufffdA\u05e9\ufffdL\ufffd\f\f\u000b]'y{\ufffdJ\ufffdR^\ufffdN\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8120,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u02ca\ub601r63+\ufffd\ufffdfb:\ufffd\ufffd!\ufffd\ufffdK\ufffd\ufffd\ufffd\ufffdgZ Qb\ufffd\ufffd=\ufffd\ufffdq\ufffdA\u05e9\ufffdL\ufffd]'y{\ufffdJ\ufffdR^\ufffdN&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8120 \u00b7 (reconnaissance)",
"target_port_label": "8120 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (58 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8120,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u02ca\ub601r63+\ufffd\ufffdf\u0019b:\f\ufffd\ufffd!\u0015\ufffd\u001d\u0013\ufffdK\ufffd\ufffd\ufffd\ufffdgZ \u0016Qb\ufffd\ufffd=\ufffd\u0005\ufffdq\ufffdA\u05e9\ufffdL\ufffd\f\f\u000b]'y{\ufffdJ\ufffdR^\ufffdN\f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8120,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8120 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u02ca\ub601r63+\ufffd\ufffdfb:\ufffd\ufffd!\ufffd\ufffdK\ufffd\ufffd\ufffd\ufffdgZ Qb\ufffd\ufffd=\ufffd\ufffdq\ufffdA\u05e9\ufffdL\ufffd]'y{\ufffdJ\ufffdR^\ufffdN&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8120 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8120"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 92,
"port_scan_ports_sample": [
81,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 92,
"scan_velocity_ports_per_s": 79.42,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 58,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8150 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8150 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8150
Chemin / cible
—
Service
TLS
Payload
������������k ����퇙c���9]��ҁ0�:�VĪ���/q �������m/,���d���EY��(��ef�L]S ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������k
����퇙c���9]��ҁ0�:�VĪ���/q �������m/,���d���EY��(��ef�L]S ��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������k ����퇙c���9]��ҁ0�:�VĪ���/q �������m/,���d���EY��(��ef�L]S ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ������SS���a7N��Y��� �w����5� �^
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.796481971060377,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8150,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "46e1745027743b1ca5db3d04af2236e936c8daa0",
"event_fingerprint": "e18c776668cc18537fe7f13aaddafda6a21c4a22",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "34a06e548d826fea19186e340a459558",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8150,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ek\n\ufffd\u001c\ufffd\ufffd\ud1d9c\ufffd\ufffd\ufffd9]\ufffd\ufffd\u04810\ufffd:\ufffdV\u012a\ufffd\ufffd\ufffd\/q \ufffd\ufffd\u0002\ufffd\u000f\u000e\ufffdm\/,\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffdEY\ufffd\ufffd(\ufffd\ufffdef\ufffdL]S \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ek\n\ufffd\u001c\ufffd\ufffd\ud1d9c\ufffd\ufffd\ufffd9]\ufffd\ufffd\u04810\ufffd:\ufffdV\u012a\ufffd\ufffd\ufffd\/q \ufffd\ufffd\u0002\ufffd\u000f\u000e\ufffdm\/,\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffdEY\ufffd\ufffd(\ufffd\ufffdef\ufffdL]S \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0006\ufffd\ufffdSS\b\ufffd\ufffda7N\ufffd\ufffdY\ufffd\ufffd\ufffd\t\ufffdw\u001a\ufffd\ufffd\ufffd5\ufffd\r\ufffd^",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ek\n\ufffd\u001c\ufffd\ufffd\ud1d9c\ufffd\ufffd\ufffd9]\ufffd\ufffd\u04810\ufffd:\ufffdV\u012a\ufffd\ufffd\ufffd\/q \ufffd\ufffd\u0002\ufffd\u000f\u000e\ufffdm\/,\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffdEY\ufffd\ufffd(\ufffd\ufffdef\ufffdL]S \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "08940cfe350b264a30d9ba05bce7d5823f09a531",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ek\n\ufffd\u001c\ufffd\ufffd\ud1d9c\ufffd\ufffd\ufffd9]\ufffd\ufffd\u04810\ufffd:\ufffdV\u012a\ufffd\ufffd\ufffd\/q \ufffd\ufffd\u0002\ufffd\u000f\u000e\ufffdm\/,\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffdEY\ufffd\ufffd(\ufffd\ufffdef\ufffdL]S \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8150,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdk\n\ufffd\ufffd\ufffd\ud1d9c\ufffd\ufffd\ufffd9]\ufffd\ufffd\u04810\ufffd:\ufffdV\u012a\ufffd\ufffd\ufffd\/q \ufffd\ufffd\ufffd\ufffdm\/,\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffdEY\ufffd\ufffd(\ufffd\ufffdef\ufffdL]S \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8150 \u00b7 (reconnaissance)",
"target_port_label": "8150 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (58 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8150,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u001ek\n\ufffd\u001c\ufffd\ufffd\ud1d9c\ufffd\ufffd\ufffd9]\ufffd\ufffd\u04810\ufffd:\ufffdV\u012a\ufffd\ufffd\ufffd\/q \ufffd\ufffd\u0002\ufffd\u000f\u000e\ufffdm\/,\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffdEY\ufffd\ufffd(\ufffd\ufffdef\ufffdL]S \ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8150,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8150 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdk\n\ufffd\ufffd\ufffd\ud1d9c\ufffd\ufffd\ufffd9]\ufffd\ufffd\u04810\ufffd:\ufffdV\u012a\ufffd\ufffd\ufffd\/q \ufffd\ufffd\ufffd\ufffdm\/,\ufffd\ufffd\ufffdd\ufffd\ufffd\ufffdEY\ufffd\ufffd(\ufffd\ufffdef\ufffdL]S \ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8150 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8150"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 93,
"port_scan_ports_sample": [
81,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 93,
"scan_velocity_ports_per_s": 79.28,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 58,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8160 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8160 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8160
Chemin / cible
—
Service
TLS
Payload
��������������{����b��i`��� �'ޢ���J C`����L����I��m�`�)�#\�p��ƛll���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������{����b��i`��� �'ޢ���J C`����L����I��m�`�)�#\�p��ƛll���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������{����b��i`��� �'ޢ���J C`����L����I��m�`�)�#\�p��ƛll���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �C*o�G�L���_KH�.��GR@�L�ĉU��ty�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.920789527313717,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8160,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "93358b30bec5b71932698e131d264b12b63b8826",
"event_fingerprint": "c0e0ba5cea80698bdf4f20b52e779197df88e8f3",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "726294a94eb646f8347a87e189e6f6ad",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8160,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\uee06\ufffd{\u0011\ufffd\ufffd\ufffdb\ufffd\ufffdi`\ufffd\u0017\ufffd \ufffd'\u07a2\ufffd\udb6a\uddb8\ufffd\ufffdJ C`\ufffd\u0018\u000e\ufffdL\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffdm\ufffd`\ufffd)\ufffd#\\\ufffdp\ufffd\u0012\u019bll\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\uee06\ufffd{\u0011\ufffd\ufffd\ufffdb\ufffd\ufffdi`\ufffd\u0017\ufffd \ufffd'\u07a2\ufffd\udb6a\uddb8\ufffd\ufffdJ C`\ufffd\u0018\u000e\ufffdL\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffdm\ufffd`\ufffd)\ufffd#\\\ufffdp\ufffd\u0012\u019bll\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdC*o\u0016G\ufffdL\ufffd\ufffd\ufffd_KH\ufffd.\ufffd\ufffdGR@\ufffdL\ufffd\u0109U\ufffd\u0019ty\u0004",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\uee06\ufffd{\u0011\ufffd\ufffd\ufffdb\ufffd\ufffdi`\ufffd\u0017\ufffd \ufffd'\u07a2\ufffd\udb6a\uddb8\ufffd\ufffdJ C`\ufffd\u0018\u000e\ufffdL\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffdm\ufffd`\ufffd)\ufffd#\\\ufffdp\ufffd\u0012\u019bll\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "519a670496bc8af6393a0d6122e54fbd5562e360",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\uee06\ufffd{\u0011\ufffd\ufffd\ufffdb\ufffd\ufffdi`\ufffd\u0017\ufffd \ufffd'\u07a2\ufffd\udb6a\uddb8\ufffd\ufffdJ C`\ufffd\u0018\u000e\ufffdL\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffdm\ufffd`\ufffd)\ufffd#\\\ufffdp\ufffd\u0012\u019bll\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8160,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\uee06\ufffd{\ufffd\ufffd\ufffdb\ufffd\ufffdi`\ufffd\ufffd \ufffd'\u07a2\ufffd\udb6a\uddb8\ufffd\ufffdJ C`\ufffd\ufffdL\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffdm\ufffd`\ufffd)\ufffd#\\\ufffdp\ufffd\u019bll\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8160 \u00b7 (reconnaissance)",
"target_port_label": "8160 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (58 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8160,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\uee06\ufffd{\u0011\ufffd\ufffd\ufffdb\ufffd\ufffdi`\ufffd\u0017\ufffd \ufffd'\u07a2\ufffd\udb6a\uddb8\ufffd\ufffdJ C`\ufffd\u0018\u000e\ufffdL\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffdm\ufffd`\ufffd)\ufffd#\\\ufffdp\ufffd\u0012\u019bll\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8160,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8160 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\uee06\ufffd{\ufffd\ufffd\ufffdb\ufffd\ufffdi`\ufffd\ufffd \ufffd'\u07a2\ufffd\udb6a\uddb8\ufffd\ufffdJ C`\ufffd\ufffdL\ufffd\ufffd\ufffd\ufffdI\ufffd\ufffdm\ufffd`\ufffd)\ufffd#\\\ufffdp\ufffd\u019bll\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8160 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8160"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 94,
"port_scan_ports_sample": [
81,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 94,
"scan_velocity_ports_per_s": 79.63,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 58,
"multi_protocol_sample": [
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm",
"docker"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8161 · ACTIVEMQ CONSOLE
|
activemq-console
|
Scan de ports
port scan syn · via ACTIVEMQ CONSOLE:8161 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
ACTIVEMQ-CONSOLE
WAF
—
Recommandation
Surveiller
Tags
activemq_emulated
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8161
Chemin / cible
—
Service
ACTIVEMQ CONSOLE
Payload
�����������ɭ��x�zK�����ҟ�kI���?���V��'߱� ������I�Ҏ��������C��~� C5{�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ɭ��x�zK�����ҟ�kI���?���V��'߱� ������I�Ҏ��������C��~��C5{�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������ɭ��x�zK�����ҟ�kI���?���V��'߱� ������I�Ҏ��������C��~� C5{�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �����ZJ�nǯ�pXPx^�_��O�B�.�pC3
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204a657474792f392e34204163746976654d512f352e31380d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2034390d0a0d0a3c68746d6c3e3c626f64793e417061636865204163746976654d5120436f6e",
"emulator_response_len": 146,
"bytes_in": 239,
"payload_entropy": 5.754663097460664,
"port_category": "registered",
"org": "Google LLC",
"service": "activemq-console",
"app_proto": "activemq-console",
"asn": 396982,
"country": "US",
"dst_port": 8161,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.3,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "be0e3acf8717152ea2cb6faf41b06de0c29e2c6b",
"event_fingerprint": "44825592aec6ff2f30a8a3bc2b5afee8968955f9",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "activemq-console",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6e26178774a82abbcbc09745d70c2df4",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8161,
"service": "activemq-console",
"service_name": "activemq-console",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u026d\ufffd\ufffdx\ufffdzK\ufffd\ufffd\ufffd\ufffd\ufffd\u049f\ufffdkI\u0018\ufffd\ufffd?\u001c\u0007\ufffdV\ufffd\ufffd'\u07f1\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\u0000I\ufffd\u048e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd~\ufffd\u000bC5{\u0001\ufffd\ufffd\u0005\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u026d\ufffd\ufffdx\ufffdzK\ufffd\ufffd\ufffd\ufffd\ufffd\u049f\ufffdkI\u0018\ufffd\ufffd?\u001c\u0007\ufffdV\ufffd\ufffd'\u07f1\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\u0000I\ufffd\u048e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd~\ufffd\u000bC5{\u0001\ufffd\ufffd\u0005\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0007\ufffdZJ\ufffdn\u01ef\ufffdpXPx^\u0603\ufffd_\u0006\ufffdO\ufffdB\ufffd.\ufffdpC3",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u026d\ufffd\ufffdx\ufffdzK\ufffd\ufffd\ufffd\ufffd\ufffd\u049f\ufffdkI\u0018\ufffd\ufffd?\u001c\u0007\ufffdV\ufffd\ufffd'\u07f1\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\u0000I\ufffd\u048e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd~\ufffd\u000bC5{\u0001\ufffd\ufffd\u0005\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f4945c7ce386ffdeb2ee22fc580347b9c087b69b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u026d\ufffd\ufffdx\ufffdzK\ufffd\ufffd\ufffd\ufffd\ufffd\u049f\ufffdkI\u0018\ufffd\ufffd?\u001c\u0007\ufffdV\ufffd\ufffd'\u07f1\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\u0000I\ufffd\u048e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd~\ufffd\u000bC5{\u0001\ufffd\ufffd\u0005\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8161,
"service": "activemq-console",
"service_label_fr": "ACTIVEMQ CONSOLE"
},
"evidence_snippet": "\ufffd\ufffd\u026d\ufffd\ufffdx\ufffdzK\ufffd\ufffd\ufffd\ufffd\ufffd\u049f\ufffdkI\ufffd\ufffd?\ufffdV\ufffd\ufffd'\u07f1\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd\u048e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd~\ufffdC5{\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via ACTIVEMQ CONSOLE:8161 \u00b7 (reconnaissance)",
"target_port_label": "8161 \u00b7 ACTIVEMQ CONSOLE",
"emulator_service": "activemq-console",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via ACTIVEMQ CONSOLE \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "activemq-console",
"service_label_fr": "ACTIVEMQ CONSOLE",
"dst_port": 8161,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-activemq-console",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u026d\ufffd\ufffdx\ufffdzK\ufffd\ufffd\ufffd\ufffd\ufffd\u049f\ufffdkI\u0018\ufffd\ufffd?\u001c\u0007\ufffdV\ufffd\ufffd'\u07f1\ufffd \ufffd\ufffd\ufffd\ufffd\ufffd\u0000I\ufffd\u048e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd~\ufffd\u000bC5{\u0001\ufffd\ufffd\u0005\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8161,
"service": "activemq-console",
"service_label_fr": "ACTIVEMQ CONSOLE"
},
"attack_vector": "port scan syn \u00b7 via ACTIVEMQ CONSOLE:8161 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\u026d\ufffd\ufffdx\ufffdzK\ufffd\ufffd\ufffd\ufffd\ufffd\u049f\ufffdkI\ufffd\ufffd?\ufffdV\ufffd\ufffd'\u07f1\ufffd \ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd\u048e\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdC\ufffd\ufffd~\ufffdC5{\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8161 \u00b7 ACTIVEMQ CONSOLE",
"emulator_service": "activemq-console",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "activemq_console",
"service_banner": "honeypot-activemq-console",
"service_os": "linux",
"dst_port": "8161"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 95,
"port_scan_ports_sample": [
81,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 95,
"scan_velocity_ports_per_s": 79.66,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"activemq_emulated",
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8170 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8170 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8170
Chemin / cible
—
Service
TLS
Payload
�����������a�?��m�AG5��q���"��Q��B�ó�n^t�� �<�����3p����滰���Xv��.��gy Mr�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������a�?��m�AG5��q���"��Q��B�ó�n^t�� �<�����3p����滰���Xv��.��gy Mr�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������a�?��m�AG5��q���"��Q��B�ó�n^t�� �<�����3p����滰���Xv��.��gy Mr�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ����I�$�� � �'cI���� �l΅ ����.
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.886739527469016,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8170,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "c7f084a5d04876b86ba10a28ffafaba9695c7a00",
"event_fingerprint": "07dc6df27f277dc0559fa126fed4e7461f067d4d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "afe7574fda4c1c4831b96d66331dc9e1",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8170,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd?\ufffd\u0018m\ufffdAG5\u0012\ufffdq\u0015\ufffd\ufffd\"\ufffd\ufffdQ\ufffd\u0010B\ufffd\u00f3\u0016n^t\ufffd\u001d \ufffd<\u0000\ufffd\u000e\u0017\ufffd3p\ufffd\u000f\ufffd\ufffd\u6ef0\ufffd\ufffd\ufffdXv\ufffd\u0010.\ufffd\ufffdgy\tMr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd?\ufffd\u0018m\ufffdAG5\u0012\ufffdq\u0015\ufffd\ufffd\"\ufffd\ufffdQ\ufffd\u0010B\ufffd\u00f3\u0016n^t\ufffd\u001d \ufffd<\u0000\ufffd\u000e\u0017\ufffd3p\ufffd\u000f\ufffd\ufffd\u6ef0\ufffd\ufffd\ufffdXv\ufffd\u0010.\ufffd\ufffdgy\tMr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u001d\ufffdI\ufffd$\ufffd\ufffd\u000b\ufffd\n\ufffd'cI\ufffd\ufffd\ufffd\u0011 \u0001l\u0385\f\ufffd\ufffd\ufffd\ufffd.",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd?\ufffd\u0018m\ufffdAG5\u0012\ufffdq\u0015\ufffd\ufffd\"\ufffd\ufffdQ\ufffd\u0010B\ufffd\u00f3\u0016n^t\ufffd\u001d \ufffd<\u0000\ufffd\u000e\u0017\ufffd3p\ufffd\u000f\ufffd\ufffd\u6ef0\ufffd\ufffd\ufffdXv\ufffd\u0010.\ufffd\ufffdgy\tMr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9f61e0b54a294cd89d2d7430129b70901ea793b5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd?\ufffd\u0018m\ufffdAG5\u0012\ufffdq\u0015\ufffd\ufffd\"\ufffd\ufffdQ\ufffd\u0010B\ufffd\u00f3\u0016n^t\ufffd\u001d \ufffd<\u0000\ufffd\u000e\u0017\ufffd3p\ufffd\u000f\ufffd\ufffd\u6ef0\ufffd\ufffd\ufffdXv\ufffd\u0010.\ufffd\ufffdgy\tMr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8170,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffda\ufffd?\ufffdm\ufffdAG5\ufffdq\ufffd\ufffd\"\ufffd\ufffdQ\ufffdB\ufffd\u00f3n^t\ufffd \ufffd<\ufffd\ufffd3p\ufffd\ufffd\ufffd\u6ef0\ufffd\ufffd\ufffdXv\ufffd.\ufffd\ufffdgy\tMr&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8170 \u00b7 (reconnaissance)",
"target_port_label": "8170 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8170,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003a\ufffd?\ufffd\u0018m\ufffdAG5\u0012\ufffdq\u0015\ufffd\ufffd\"\ufffd\ufffdQ\ufffd\u0010B\ufffd\u00f3\u0016n^t\ufffd\u001d \ufffd<\u0000\ufffd\u000e\u0017\ufffd3p\ufffd\u000f\ufffd\ufffd\u6ef0\ufffd\ufffd\ufffdXv\ufffd\u0010.\ufffd\ufffdgy\tMr\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8170,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8170 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffda\ufffd?\ufffdm\ufffdAG5\ufffdq\ufffd\ufffd\"\ufffd\ufffdQ\ufffdB\ufffd\u00f3n^t\ufffd \ufffd<\ufffd\ufffd3p\ufffd\ufffd\ufffd\u6ef0\ufffd\ufffd\ufffdXv\ufffd.\ufffd\ufffdgy\tMr&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8170 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8170"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 96,
"port_scan_ports_sample": [
81,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 96,
"scan_velocity_ports_per_s": 79.38,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8190 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8190 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8190
Chemin / cible
—
Service
TLS
Payload
������������(dj�/�l?r\ͺ�[���WvJ,9�^�x� ��{Tvy𦓯 ��7���g���Z@.�& Iê�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������(dj�/�l?r\ͺ�[���WvJ,9�^�x� ��{Tvy𦓯 ��7���g���Z@.�&
Iê�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������(dj�/�l?r\ͺ�[���WvJ,9�^�x� ��{Tvy𦓯 ��7���g���Z@.�& Iê�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� V��$%���g� �1<��`�E�wC9�FK�yQ$
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.896446572321917,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8190,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "f64dda5e248bf7b285f916b60d9f928299b4d060",
"event_fingerprint": "a9d27212826fd4895fcece556c4d09a86813dc99",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "a7fbe27c7446ce65fdf0ef529344f0ce",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8190,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(dj\ufffd\/\ufffdl?r\\\u037a\ufffd[\ufffd\ufffd\ufffdWvJ,9\u0006^\ufffdx\ufffd \ufffd\ufffd{Tvy\ud859\udcef \u0001\ufffd7\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffdZ@.\ufffd&\rI\u00ea\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(dj\ufffd\/\ufffdl?r\\\u037a\ufffd[\ufffd\ufffd\ufffdWvJ,9\u0006^\ufffdx\ufffd \ufffd\ufffd{Tvy\ud859\udcef \u0001\ufffd7\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffdZ@.\ufffd&\rI\u00ea\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 V\ufffd\ufffd$%\ufffd\ufffd\ufffdg\ufffd\f\u00051<\ufffd\ufffd`\ufffdE\u001ewC9\ufffdFK\ufffdyQ$",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(dj\ufffd\/\ufffdl?r\\\u037a\ufffd[\ufffd\ufffd\ufffdWvJ,9\u0006^\ufffdx\ufffd \ufffd\ufffd{Tvy\ud859\udcef \u0001\ufffd7\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffdZ@.\ufffd&\rI\u00ea\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "10e4c0e35010bd52c7ca43bc0dbd8a80f51a24a6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(dj\ufffd\/\ufffdl?r\\\u037a\ufffd[\ufffd\ufffd\ufffdWvJ,9\u0006^\ufffdx\ufffd \ufffd\ufffd{Tvy\ud859\udcef \u0001\ufffd7\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffdZ@.\ufffd&\rI\u00ea\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd(dj\ufffd\/\ufffdl?r\\\u037a\ufffd[\ufffd\ufffd\ufffdWvJ,9^\ufffdx\ufffd \ufffd\ufffd{Tvy\ud859\udcef \ufffd7\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffdZ@.\ufffd&\rI\u00ea&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8190 \u00b7 (reconnaissance)",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8190,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd(dj\ufffd\/\ufffdl?r\\\u037a\ufffd[\ufffd\ufffd\ufffdWvJ,9\u0006^\ufffdx\ufffd \ufffd\ufffd{Tvy\ud859\udcef \u0001\ufffd7\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffdZ@.\ufffd&\rI\u00ea\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8190,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8190 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd(dj\ufffd\/\ufffdl?r\\\u037a\ufffd[\ufffd\ufffd\ufffdWvJ,9^\ufffdx\ufffd \ufffd\ufffd{Tvy\ud859\udcef \ufffd7\ufffd\ufffd\ufffdg\ufffd\ufffd\ufffdZ@.\ufffd&\rI\u00ea&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8190 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8190"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 97,
"port_scan_ports_sample": [
81,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376,
2379
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 97,
"scan_velocity_ports_per_s": 79.75,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
82 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:82 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
82
Chemin / cible
—
Service
TLS
Payload
�����������I.��8}v���1Elp z�&j���;Z��vR�T �%�#����Ls��1o���8G�CD��c�ɰ)²o�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������I.��8}v���1Elp�z�&j���;Z��vR�T �%�#����Ls��1o���8G�CD��c�ɰ)²o�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������I.��8}v���1Elp z�&j���;Z��vR�T �%�#����Ls��1o���8G�CD��c�ɰ)²o�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �q&/GK� ��c�?(�Y9�Aa �#{9���
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.829966072636912,
"port_category": "well_known",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 82,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "bd38ef31cf2b19e09b7529808360e6e8d6ea344a",
"event_fingerprint": "3d4e75f22d3f9fb8a3ba3e82b74fc64f77938f0d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "ff41ee763f926a61452e70fc21633e4c",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 82,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I.\ufffd\u001e8}v\ufffd\ufffd\ufffd1Elp\u000bz\u0018&j\u0012\ufffd\ufffd;Z\ufffd\ufffdvR\ufffdT \ufffd%\ufffd#\ufffd\u0000\ufffd\ufffdLs\ufffd\ufffd1o\u0016\u0012\ufffd8G\u0016CD\ufffd\ufffdc\ufffd\u0270)\u00b2o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I.\ufffd\u001e8}v\ufffd\ufffd\ufffd1Elp\u000bz\u0018&j\u0012\ufffd\ufffd;Z\ufffd\ufffdvR\ufffdT \ufffd%\ufffd#\ufffd\u0000\ufffd\ufffdLs\ufffd\ufffd1o\u0016\u0012\ufffd8G\u0016CD\ufffd\ufffdc\ufffd\u0270)\u00b2o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdq&\/GK\ufffd\u000b\ufffd\ufffdc\ufffd?(\ufffdY9\ufffdAa\u000b\u000f#{9\ufffd\ufffd\ufffd ",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I.\ufffd\u001e8}v\ufffd\ufffd\ufffd1Elp\u000bz\u0018&j\u0012\ufffd\ufffd;Z\ufffd\ufffdvR\ufffdT \ufffd%\ufffd#\ufffd\u0000\ufffd\ufffdLs\ufffd\ufffd1o\u0016\u0012\ufffd8G\u0016CD\ufffd\ufffdc\ufffd\u0270)\u00b2o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "40c1e3b427f6ebd146e1be1d1d90d7d9902f60cf",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I.\ufffd\u001e8}v\ufffd\ufffd\ufffd1Elp\u000bz\u0018&j\u0012\ufffd\ufffd;Z\ufffd\ufffdvR\ufffdT \ufffd%\ufffd#\ufffd\u0000\ufffd\ufffdLs\ufffd\ufffd1o\u0016\u0012\ufffd8G\u0016CD\ufffd\ufffdc\ufffd\u0270)\u00b2o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 82,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdI.\ufffd8}v\ufffd\ufffd\ufffd1Elpz&j\ufffd\ufffd;Z\ufffd\ufffdvR\ufffdT \ufffd%\ufffd#\ufffd\ufffd\ufffdLs\ufffd\ufffd1o\ufffd8GCD\ufffd\ufffdc\ufffd\u0270)\u00b2o&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:82 \u00b7 (reconnaissance)",
"target_port_label": "82 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 82,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003I.\ufffd\u001e8}v\ufffd\ufffd\ufffd1Elp\u000bz\u0018&j\u0012\ufffd\ufffd;Z\ufffd\ufffdvR\ufffdT \ufffd%\ufffd#\ufffd\u0000\ufffd\ufffdLs\ufffd\ufffd1o\u0016\u0012\ufffd8G\u0016CD\ufffd\ufffdc\ufffd\u0270)\u00b2o\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 82,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:82 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdI.\ufffd8}v\ufffd\ufffd\ufffd1Elpz&j\ufffd\ufffd;Z\ufffd\ufffdvR\ufffdT \ufffd%\ufffd#\ufffd\ufffd\ufffdLs\ufffd\ufffd1o\ufffd8GCD\ufffd\ufffdc\ufffd\u0270)\u00b2o&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "82 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "82"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 98,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 98,
"scan_velocity_ports_per_s": 80.09,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8230 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8230 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8230
Chemin / cible
—
Service
TLS
Payload
������������0�z^W�L�H0uQgÉ:3���D]��xxIe��� �`�3�Rd�}D ���!7C�J���=z,%������&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������0�z^W�L�H0uQgÉ:3���D]��xxIe��� �`�3�Rd�}D ���!7C�J���=z,%������&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������0�z^W�L�H0uQgÉ:3���D]��xxIe��� �`�3�Rd�}D ���!7C�J���=z,%������&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �������r��+�� T���Kr���feγr�=
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.818900134254491,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8230,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "47b035ef0e3f9e23abf6446eb7603c697a506b5a",
"event_fingerprint": "3c05a9a0a7285148a1ad4213226446c169314807",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "7a67e4084a00488914621f34354a8a93",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8230,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffdz^W\ufffdL\ufffdH0uQg\u00c9:3\ufffd\ufffd\u0011D]\ufffd\ufffdxxIe\ufffd\u0003\ufffd \u0001`\ufffd3\ufffdRd\ufffd}D \ufffd\ufffd\u0014!7C\ufffdJ\ufffd\ufffd\ufffd=z,%\ufffd\ufffd\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffdz^W\ufffdL\ufffdH0uQg\u00c9:3\ufffd\ufffd\u0011D]\ufffd\ufffdxxIe\ufffd\u0003\ufffd \u0001`\ufffd3\ufffdRd\ufffd}D \ufffd\ufffd\u0014!7C\ufffdJ\ufffd\ufffd\ufffd=z,%\ufffd\ufffd\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffd\u0012\u000f\ufffd\ufffdr\ufffd\u001c+\ufffd\ufffd\tT\ufffd\ufffd\ufffdKr\ufffd\ufffd\ufffdfe\u03b3r\ufffd=",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffdz^W\ufffdL\ufffdH0uQg\u00c9:3\ufffd\ufffd\u0011D]\ufffd\ufffdxxIe\ufffd\u0003\ufffd \u0001`\ufffd3\ufffdRd\ufffd}D \ufffd\ufffd\u0014!7C\ufffdJ\ufffd\ufffd\ufffd=z,%\ufffd\ufffd\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a0ccc36b84f285f117e741272e01a5077aa90d80",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffdz^W\ufffdL\ufffdH0uQg\u00c9:3\ufffd\ufffd\u0011D]\ufffd\ufffdxxIe\ufffd\u0003\ufffd \u0001`\ufffd3\ufffdRd\ufffd}D \ufffd\ufffd\u0014!7C\ufffdJ\ufffd\ufffd\ufffd=z,%\ufffd\ufffd\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8230,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd0\ufffdz^W\ufffdL\ufffdH0uQg\u00c9:3\ufffd\ufffdD]\ufffd\ufffdxxIe\ufffd\ufffd `\ufffd3\ufffdRd\ufffd}D \ufffd\ufffd!7C\ufffdJ\ufffd\ufffd\ufffd=z,%\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8230 \u00b7 (reconnaissance)",
"target_port_label": "8230 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8230,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd0\ufffdz^W\ufffdL\ufffdH0uQg\u00c9:3\ufffd\ufffd\u0011D]\ufffd\ufffdxxIe\ufffd\u0003\ufffd \u0001`\ufffd3\ufffdRd\ufffd}D \ufffd\ufffd\u0014!7C\ufffdJ\ufffd\ufffd\ufffd=z,%\ufffd\ufffd\ufffd\u001c\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8230,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8230 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd0\ufffdz^W\ufffdL\ufffdH0uQg\u00c9:3\ufffd\ufffdD]\ufffd\ufffdxxIe\ufffd\ufffd `\ufffd3\ufffdRd\ufffd}D \ufffd\ufffd!7C\ufffdJ\ufffd\ufffd\ufffd=z,%\ufffd\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8230 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8230"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 99,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 99,
"scan_velocity_ports_per_s": 80.27,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8220 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8220 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8220
Chemin / cible
—
Service
TLS
Payload
�����������d��54D �q�h��1�N 7az�4��$�=�Ѹ�J s�H(�ڹ�a�����U��4�P�FЩ���R!�M��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������d��54D��q�h��1�N�7az�4��$�=�Ѹ�J s�H(�ڹ�a�����U��4�P�FЩ���R!�M��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������d��54D �q�h��1�N 7az�4��$�=�Ѹ�J s�H(�ڹ�a�����U��4�P�FЩ���R!�M��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��[�<�R|v4�������|���+ �.��"�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.907308251533241,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8220,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d64462d1221b346e10274f9711ee41f9eaac46ad",
"event_fingerprint": "a141f536eba1a078898c55822d0f91da1557a31d",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "3871f9c4876e70499864a833f9c366be",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8220,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd\ufffd54D\f\ufffdq\u0010h\u0005\u00191\ufffdN\u000b7az\ufffd4\ufffd\ufffd$\ufffd=\u0011\u0478\ufffdJ s\ufffdH(\ufffd\u06b9\ufffda\ufffd\ufffd\ufffd\ufffd\ufffdU\u001d\ufffd4\ufffdP\ufffdF\u0429\ufffd\ufffd\u0014R!\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd\ufffd54D\f\ufffdq\u0010h\u0005\u00191\ufffdN\u000b7az\ufffd4\ufffd\ufffd$\ufffd=\u0011\u0478\ufffdJ s\ufffdH(\ufffd\u06b9\ufffda\ufffd\ufffd\ufffd\ufffd\ufffdU\u001d\ufffd4\ufffdP\ufffdF\u0429\ufffd\ufffd\u0014R!\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd[\ufffd<\ufffdR|v4\ufffd\ufffd\u0006\ufffd\ufffd\ufffd\u0378\ufffd|\u001b\ufffd\ufffd+\t\ufffd.\ufffd\ufffd\"\u001c",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd\ufffd54D\f\ufffdq\u0010h\u0005\u00191\ufffdN\u000b7az\ufffd4\ufffd\ufffd$\ufffd=\u0011\u0478\ufffdJ s\ufffdH(\ufffd\u06b9\ufffda\ufffd\ufffd\ufffd\ufffd\ufffdU\u001d\ufffd4\ufffdP\ufffdF\u0429\ufffd\ufffd\u0014R!\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cad125ce9bf474d4da98874d4284fe9756979da5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd\ufffd54D\f\ufffdq\u0010h\u0005\u00191\ufffdN\u000b7az\ufffd4\ufffd\ufffd$\ufffd=\u0011\u0478\ufffdJ s\ufffdH(\ufffd\u06b9\ufffda\ufffd\ufffd\ufffd\ufffd\ufffdU\u001d\ufffd4\ufffdP\ufffdF\u0429\ufffd\ufffd\u0014R!\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8220,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdd\ufffd\ufffd54D\ufffdqh1\ufffdN7az\ufffd4\ufffd\ufffd$\ufffd=\u0478\ufffdJ s\ufffdH(\ufffd\u06b9\ufffda\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffd4\ufffdP\ufffdF\u0429\ufffd\ufffdR!\ufffdM\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8220 \u00b7 (reconnaissance)",
"target_port_label": "8220 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8220,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d\ufffd\ufffd54D\f\ufffdq\u0010h\u0005\u00191\ufffdN\u000b7az\ufffd4\ufffd\ufffd$\ufffd=\u0011\u0478\ufffdJ s\ufffdH(\ufffd\u06b9\ufffda\ufffd\ufffd\ufffd\ufffd\ufffdU\u001d\ufffd4\ufffdP\ufffdF\u0429\ufffd\ufffd\u0014R!\ufffdM\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8220,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8220 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdd\ufffd\ufffd54D\ufffdqh1\ufffdN7az\ufffd4\ufffd\ufffd$\ufffd=\u0478\ufffdJ s\ufffdH(\ufffd\u06b9\ufffda\ufffd\ufffd\ufffd\ufffd\ufffdU\ufffd4\ufffdP\ufffdF\u0429\ufffd\ufffdR!\ufffdM\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8220 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8220"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 100,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 100,
"scan_velocity_ports_per_s": 80.55,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8240 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8240 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8240
Chemin / cible
—
Service
TLS
Payload
�����������-��F� �]�6���s�q��2�k��Y����$� +�����u1��l�) N0((������[�۶����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������-��F���]�6���s�q��2�k��Y����$�� +�����u1��l�)
N0((������[�۶����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������-��F� �]�6���s�q��2�k��Y����$� +�����u1��l�) N0((������[�۶����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� S����ܻ���#�����������6l=A=�\�+
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.668138341167149,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8240,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "916dad66c0f10609c330e76702d39363a25534cd",
"event_fingerprint": "0efcae02401011f08c4e2f8d650aff4e5f6df513",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "15146795ba57d9eee48bfa6d5b0bc507",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8240,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\u0015\ufffdF\u0001\u000b\u0015]\ufffd6\ufffd\ufffd\ufffds\ufffdq\u001d\ufffd2\ufffdk\ufffd\ufffdY\ufffd\u0000\u000f\ufffd$\ufffd\u000b +\u0006\ufffd\u0003\u0013\u0018u1\u0003\u0017l\u000e)\rN0((\ufffd\ufffd\b\u000f\ufffd\u001c[\ufffd\u06f6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\u0015\ufffdF\u0001\u000b\u0015]\ufffd6\ufffd\ufffd\ufffds\ufffdq\u001d\ufffd2\ufffdk\ufffd\ufffdY\ufffd\u0000\u000f\ufffd$\ufffd\u000b +\u0006\ufffd\u0003\u0013\u0018u1\u0003\u0017l\u000e)\rN0((\ufffd\ufffd\b\u000f\ufffd\u001c[\ufffd\u06f6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 S\ufffd\ufffd\ufffd\ufffd\u073b\ufffd\u000f\ufffd#\u0004\ufffd\u0004\ufffd\u001b\u0002\u0001\u000e\ufffd\ufffd\ufffd6l=A=\ufffd\\\ufffd+",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\u0015\ufffdF\u0001\u000b\u0015]\ufffd6\ufffd\ufffd\ufffds\ufffdq\u001d\ufffd2\ufffdk\ufffd\ufffdY\ufffd\u0000\u000f\ufffd$\ufffd\u000b +\u0006\ufffd\u0003\u0013\u0018u1\u0003\u0017l\u000e)\rN0((\ufffd\ufffd\b\u000f\ufffd\u001c[\ufffd\u06f6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "aba034b886b46fcaaf5e1cdcc3856af9302a3e1f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\u0015\ufffdF\u0001\u000b\u0015]\ufffd6\ufffd\ufffd\ufffds\ufffdq\u001d\ufffd2\ufffdk\ufffd\ufffdY\ufffd\u0000\u000f\ufffd$\ufffd\u000b +\u0006\ufffd\u0003\u0013\u0018u1\u0003\u0017l\u000e)\rN0((\ufffd\ufffd\b\u000f\ufffd\u001c[\ufffd\u06f6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8240,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd-\ufffdF]\ufffd6\ufffd\ufffd\ufffds\ufffdq\ufffd2\ufffdk\ufffd\ufffdY\ufffd\ufffd$\ufffd +\ufffdu1l)\rN0((\ufffd\ufffd\ufffd[\ufffd\u06f6\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8240 \u00b7 (reconnaissance)",
"target_port_label": "8240 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8240,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-\u0015\ufffdF\u0001\u000b\u0015]\ufffd6\ufffd\ufffd\ufffds\ufffdq\u001d\ufffd2\ufffdk\ufffd\ufffdY\ufffd\u0000\u000f\ufffd$\ufffd\u000b +\u0006\ufffd\u0003\u0013\u0018u1\u0003\u0017l\u000e)\rN0((\ufffd\ufffd\b\u000f\ufffd\u001c[\ufffd\u06f6\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8240,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8240 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd-\ufffdF]\ufffd6\ufffd\ufffd\ufffds\ufffdq\ufffd2\ufffdk\ufffd\ufffdY\ufffd\ufffd$\ufffd +\ufffdu1l)\rN0((\ufffd\ufffd\ufffd[\ufffd\u06f6\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8240 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8240"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 101,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 101,
"scan_velocity_ports_per_s": 80.85,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8250 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8250 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8250
Chemin / cible
—
Service
TLS
Payload
������������G|BG�����K�zȟ�����I�32�I���S� t�W�)�~���2����ts��������.ÿ�<&k�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������G|BG�����K�zȟ�����I�32�I���S� t�W�)�~���2����ts��������.ÿ�<&k�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������G|BG�����K�zȟ�����I�32�I���S� t�W�)�~���2����ts��������.ÿ�<&k�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� $��� �ϋ+h/�@�.{�\����_����^�)AI
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.86068689979656,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8250,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "5b2003660a651dd25bd451efc5f1f298bfd63676",
"event_fingerprint": "ffcdd1ada2b787231f2e446dca5a5fc69c0bba21",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "f774c9f6121d181b5ec0076b60352260",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8250,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG|BG\ufffd\ufffd\ufffd\ufffd\u0015K\ufffdz\u021f\ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd32\ufffdI\ufffd\ufffd\ufffdS\ufffd t\u0006W\ufffd)\ufffd~\ufffd\ufffd\ufffd2\ufffd\u001b\ufffd\ufffdts\ufffd\ufffd\ufffd\ufffd\u0015\u0004\u001c\ufffd.\u00ff\ufffd<&k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG|BG\ufffd\ufffd\ufffd\ufffd\u0015K\ufffdz\u021f\ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd32\ufffdI\ufffd\ufffd\ufffdS\ufffd t\u0006W\ufffd)\ufffd~\ufffd\ufffd\ufffd2\ufffd\u001b\ufffd\ufffdts\ufffd\ufffd\ufffd\ufffd\u0015\u0004\u001c\ufffd.\u00ff\ufffd<&k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 $\ufffd\ufffd\ufffd \u0014\u03cb+h\/\ufffd@\ufffd.{\ufffd\\\ufffd\ufffd\ufffd\ufffd_\ufffd\u0002\ufffd\ufffd^\u0018)AI",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG|BG\ufffd\ufffd\ufffd\ufffd\u0015K\ufffdz\u021f\ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd32\ufffdI\ufffd\ufffd\ufffdS\ufffd t\u0006W\ufffd)\ufffd~\ufffd\ufffd\ufffd2\ufffd\u001b\ufffd\ufffdts\ufffd\ufffd\ufffd\ufffd\u0015\u0004\u001c\ufffd.\u00ff\ufffd<&k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7a386ace35553e97b266545940f4643d06b5e09b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG|BG\ufffd\ufffd\ufffd\ufffd\u0015K\ufffdz\u021f\ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd32\ufffdI\ufffd\ufffd\ufffdS\ufffd t\u0006W\ufffd)\ufffd~\ufffd\ufffd\ufffd2\ufffd\u001b\ufffd\ufffdts\ufffd\ufffd\ufffd\ufffd\u0015\u0004\u001c\ufffd.\u00ff\ufffd<&k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8250,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdG|BG\ufffd\ufffd\ufffd\ufffdK\ufffdz\u021f\ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd32\ufffdI\ufffd\ufffd\ufffdS\ufffd tW\ufffd)\ufffd~\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffdts\ufffd\ufffd\ufffd\ufffd\ufffd.\u00ff\ufffd<&k&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8250 \u00b7 (reconnaissance)",
"target_port_label": "8250 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8250,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG|BG\ufffd\ufffd\ufffd\ufffd\u0015K\ufffdz\u021f\ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd32\ufffdI\ufffd\ufffd\ufffdS\ufffd t\u0006W\ufffd)\ufffd~\ufffd\ufffd\ufffd2\ufffd\u001b\ufffd\ufffdts\ufffd\ufffd\ufffd\ufffd\u0015\u0004\u001c\ufffd.\u00ff\ufffd<&k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8250,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8250 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdG|BG\ufffd\ufffd\ufffd\ufffdK\ufffdz\u021f\ufffd\ufffd\ufffd\ufffd\ufffdI\ufffd32\ufffdI\ufffd\ufffd\ufffdS\ufffd tW\ufffd)\ufffd~\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffdts\ufffd\ufffd\ufffd\ufffd\ufffd.\u00ff\ufffd<&k&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8250 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8250"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 81.17,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
10000 · WEBMIN
|
webmin
|
Scan de ports
port scan syn · via WEBMIN:10000 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
WEBMIN
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
webmin_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10000
Chemin / cible
—
Service
WEBMIN
Payload
������������dW� �Gؼ����������m���I�d`�'9[� N*�� ����U���u[I�/�Ц���.���d����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������dW� �Gؼ����������m���I�d`�'9[� N*��
����U���u[I�/�Ц���.���d����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������dW� �Gؼ����������m���I�d`�'9[� N*�� ����U���u[I�/�Ц���.���d����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���J_l�Z�9�f�i|��r$������g��' %
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204d696e69536572762f322e3030300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e5765626d696e206c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 126,
"bytes_in": 239,
"payload_entropy": 5.831955935431768,
"port_category": "registered",
"org": "Google LLC",
"service": "webmin",
"app_proto": "webmin",
"asn": 396982,
"country": "US",
"dst_port": 10000,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "f1140f0228ceef479563918cb931f585796f6029",
"event_fingerprint": "554995d9e038ae76febd9668bd51aadb43bc3553",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "webmin",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b4ef0bad88547ba7536d67db864297d2",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10000,
"service": "webmin",
"service_name": "webmin",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffddW\ufffd \ufffdG\u063c\ufffd\ufffd\u001d\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd\u0004\u0000I\ufffdd`\ufffd'9[\ufffd N*\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffd\u0015u[I\ufffd\/\ufffd\u0426\ufffd\ufffd\ufffd.\ufffd\u0015\ufffdd\u000f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffddW\ufffd \ufffdG\u063c\ufffd\ufffd\u001d\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd\u0004\u0000I\ufffdd`\ufffd'9[\ufffd N*\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffd\u0015u[I\ufffd\/\ufffd\u0426\ufffd\ufffd\ufffd.\ufffd\u0015\ufffdd\u000f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdJ_l\ufffdZ\ufffd9\ufffdf\ufffdi|\ufffd\u0014r$\ufffd\ufffd\u0014\ufffd\ufffd\ufffdg\u0006\ufffd'\t%",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffddW\ufffd \ufffdG\u063c\ufffd\ufffd\u001d\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd\u0004\u0000I\ufffdd`\ufffd'9[\ufffd N*\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffd\u0015u[I\ufffd\/\ufffd\u0426\ufffd\ufffd\ufffd.\ufffd\u0015\ufffdd\u000f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8bc902614b5601ba96a9e00fe51dae13e420a837",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffddW\ufffd \ufffdG\u063c\ufffd\ufffd\u001d\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd\u0004\u0000I\ufffdd`\ufffd'9[\ufffd N*\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffd\u0015u[I\ufffd\/\ufffd\u0426\ufffd\ufffd\ufffd.\ufffd\u0015\ufffdd\u000f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10000,
"service": "webmin",
"service_label_fr": "WEBMIN"
},
"evidence_snippet": "\ufffd\ufffd\ufffddW\ufffd \ufffdG\u063c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffdI\ufffdd`\ufffd'9[\ufffd N*\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffdu[I\ufffd\/\ufffd\u0426\ufffd\ufffd\ufffd.\ufffd\ufffdd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via WEBMIN:10000 \u00b7 (reconnaissance)",
"target_port_label": "10000 \u00b7 WEBMIN",
"emulator_service": "webmin",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via WEBMIN \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "webmin",
"service_label_fr": "WEBMIN",
"dst_port": 10000,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-webmin",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffddW\ufffd \ufffdG\u063c\ufffd\ufffd\u001d\ufffd\u001b\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffd\u0004\u0000I\ufffdd`\ufffd'9[\ufffd N*\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffd\u0015u[I\ufffd\/\ufffd\u0426\ufffd\ufffd\ufffd.\ufffd\u0015\ufffdd\u000f\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10000,
"service": "webmin",
"service_label_fr": "WEBMIN"
},
"attack_vector": "port scan syn \u00b7 via WEBMIN:10000 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffddW\ufffd \ufffdG\u063c\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdm\ufffdI\ufffdd`\ufffd'9[\ufffd N*\ufffd\ufffd\n\ufffd\ufffd\ufffd\ufffdU\ufffd\ufffdu[I\ufffd\/\ufffd\u0426\ufffd\ufffd\ufffd.\ufffd\ufffdd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "10000 \u00b7 WEBMIN",
"emulator_service": "webmin",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "webmin",
"service_banner": "honeypot-webmin",
"service_os": "linux",
"dst_port": "10000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 80.44,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello",
"webmin_emulated"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
1443 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:1443 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1443
Chemin / cible
—
Service
TLS
Payload
�����������䚳����,�Y�Z'���dM�R����ZN�[O�e ��4�QH�4Z�2���H j{U��.B�Sa$\b��G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������䚳����,�Y�Z'���dM�R����ZN�[O�e ��4�QH�4Z�2���H
j{U��.B�Sa$\b��G�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������䚳����,�Y�Z'���dM�R����ZN�[O�e ��4�QH�4Z�2���H j{U��.B�Sa$\b��G�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� :۔���&҆0}\�vL:$Z��3]�� ��$�:�f
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.792216071442576,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 1443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d15883ab2a88cea50f1df351a01d17f43a00fa7e",
"event_fingerprint": "dc01da25bd36a9cc1e9242e47fe95e67f94ad316",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "fba04cb6f49a13156deca65edb3e844b",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 1443,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u46b3\ufffd\ufffd\u001f\ufffd,\ufffdY\u0011Z'\ufffd\ufffd\u0012dM\ufffdR\ufffd\ufffd\ufffd\u0019ZN\ufffd[O\ufffde \ufffd\ufffd4\ufffdQH\ufffd4Z\ufffd2\ufffd\ufffd\ufffdH\nj{U\ufffd\ufffd.B\ufffdSa$\\b\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u46b3\ufffd\ufffd\u001f\ufffd,\ufffdY\u0011Z'\ufffd\ufffd\u0012dM\ufffdR\ufffd\ufffd\ufffd\u0019ZN\ufffd[O\ufffde \ufffd\ufffd4\ufffdQH\ufffd4Z\ufffd2\ufffd\ufffd\ufffdH\nj{U\ufffd\ufffd.B\ufffdSa$\\b\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 :\u06d4\ufffd\ufffd\u001d&\u04860}\\\u0004vL:$Z\ufffd\ufffd3]\u0013\u0019\f\ufffd\u001a$\ufffd:\ufffdf",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u46b3\ufffd\ufffd\u001f\ufffd,\ufffdY\u0011Z'\ufffd\ufffd\u0012dM\ufffdR\ufffd\ufffd\ufffd\u0019ZN\ufffd[O\ufffde \ufffd\ufffd4\ufffdQH\ufffd4Z\ufffd2\ufffd\ufffd\ufffdH\nj{U\ufffd\ufffd.B\ufffdSa$\\b\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7e6f5869011c75152cc2cd906cf5ed4349d88d54",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u46b3\ufffd\ufffd\u001f\ufffd,\ufffdY\u0011Z'\ufffd\ufffd\u0012dM\ufffdR\ufffd\ufffd\ufffd\u0019ZN\ufffd[O\ufffde \ufffd\ufffd4\ufffdQH\ufffd4Z\ufffd2\ufffd\ufffd\ufffdH\nj{U\ufffd\ufffd.B\ufffdSa$\\b\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 1443,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\u46b3\ufffd\ufffd\ufffd,\ufffdYZ'\ufffd\ufffddM\ufffdR\ufffd\ufffd\ufffdZN\ufffd[O\ufffde \ufffd\ufffd4\ufffdQH\ufffd4Z\ufffd2\ufffd\ufffd\ufffdH\nj{U\ufffd\ufffd.B\ufffdSa$\\b\ufffd\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:1443 \u00b7 (reconnaissance)",
"target_port_label": "1443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 1443,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u46b3\ufffd\ufffd\u001f\ufffd,\ufffdY\u0011Z'\ufffd\ufffd\u0012dM\ufffdR\ufffd\ufffd\ufffd\u0019ZN\ufffd[O\ufffde \ufffd\ufffd4\ufffdQH\ufffd4Z\ufffd2\ufffd\ufffd\ufffdH\nj{U\ufffd\ufffd.B\ufffdSa$\\b\ufffd\ufffdG\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 1443,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:1443 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\u46b3\ufffd\ufffd\ufffd,\ufffdYZ'\ufffd\ufffddM\ufffdR\ufffd\ufffd\ufffdZN\ufffd[O\ufffde \ufffd\ufffd4\ufffdQH\ufffd4Z\ufffd2\ufffd\ufffd\ufffdH\nj{U\ufffd\ufffd.B\ufffdSa$\\b\ufffd\ufffdG&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "1443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "1443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 79.83,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
18080 · MONERO P2P
|
monero-p2p
|
Scan de ports
port scan syn · via MONERO P2P:18080 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
MONERO-P2P
WAF
—
Recommandation
Surveiller
Tags
monero_p2p_emulated
monero_p2p_payload
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
18080
Chemin / cible
—
Service
MONERO P2P
Payload
������������֓����v� /T.<��x'���� )�ܦuW7�i _�y����L����Y��T ��;� z��6�G���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������֓����v�
/T.<��x'�����)�ܦuW7�i _�y����L����Y��T���;� z��6�G���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������֓����v� /T.<��x'���� )�ܦuW7�i _�y����L����Y��T ��;� z��6�G���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �_��1(�W��~P�еAAY�X���z�mMѦ �^
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "01110101010101010000000000000000",
"emulator_response_len": 16,
"bytes_in": 239,
"payload_entropy": 5.841481500358135,
"port_category": "registered",
"org": "Google LLC",
"service": "monero-p2p",
"app_proto": "monero-p2p",
"asn": 396982,
"country": "US",
"dst_port": 18080,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "91abc050e305387570a33f6b0205cc6e99222456",
"event_fingerprint": "dcb58f4e391de922f3c1df0ebedb19a15c75a020",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "monero-p2p",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "0c95ee16b3d4160b8d9a7b3cdb5a1265",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 18080,
"service": "monero-p2p",
"service_name": "monero-p2p",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0593\ufffd\ufffd\ufffd\ufffdv\ufffd\n\/T.<\ufffd\ufffdx'\ufffd\u0012\ufffd\ufffd\u000b)\ufffd\u0726uW7\u0017i _\ufffdy\ufffd\u001a\ufffd\ufffdL\u0014\u0011\ufffd\ufffdY\ufffd\ufffdT\u000b\ufffd\ufffd;\ufffd z\u0010\ufffd6\ufffdG\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0593\ufffd\ufffd\ufffd\ufffdv\ufffd\n\/T.<\ufffd\ufffdx'\ufffd\u0012\ufffd\ufffd\u000b)\ufffd\u0726uW7\u0017i _\ufffdy\ufffd\u001a\ufffd\ufffdL\u0014\u0011\ufffd\ufffdY\ufffd\ufffdT\u000b\ufffd\ufffd;\ufffd z\u0010\ufffd6\ufffdG\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd_\ufffd\ufffd1(\ufffdW\u000e\ufffd~P\ufffd\u0435AAY\ufffdX\ufffd\ufffd\ufffdz\ufffdmM\u0466\u000b\ufffd^",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0593\ufffd\ufffd\ufffd\ufffdv\ufffd\n\/T.<\ufffd\ufffdx'\ufffd\u0012\ufffd\ufffd\u000b)\ufffd\u0726uW7\u0017i _\ufffdy\ufffd\u001a\ufffd\ufffdL\u0014\u0011\ufffd\ufffdY\ufffd\ufffdT\u000b\ufffd\ufffd;\ufffd z\u0010\ufffd6\ufffdG\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0597305e9e9d9e6ce854d41f3e6461a273de5847",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0593\ufffd\ufffd\ufffd\ufffdv\ufffd\n\/T.<\ufffd\ufffdx'\ufffd\u0012\ufffd\ufffd\u000b)\ufffd\u0726uW7\u0017i _\ufffdy\ufffd\u001a\ufffd\ufffdL\u0014\u0011\ufffd\ufffdY\ufffd\ufffdT\u000b\ufffd\ufffd;\ufffd z\u0010\ufffd6\ufffdG\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 18080,
"service": "monero-p2p",
"service_label_fr": "MONERO P2P"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\u0593\ufffd\ufffd\ufffd\ufffdv\ufffd\n\/T.<\ufffd\ufffdx'\ufffd\ufffd\ufffd)\ufffd\u0726uW7i _\ufffdy\ufffd\ufffd\ufffdL\ufffd\ufffdY\ufffd\ufffdT\ufffd\ufffd;\ufffd z\ufffd6\ufffdG\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via MONERO P2P:18080 \u00b7 (reconnaissance)",
"target_port_label": "18080 \u00b7 MONERO P2P",
"emulator_service": "monero-p2p",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MONERO P2P \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "monero-p2p",
"service_label_fr": "MONERO P2P",
"dst_port": 18080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-monero-p2p",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0593\ufffd\ufffd\ufffd\ufffdv\ufffd\n\/T.<\ufffd\ufffdx'\ufffd\u0012\ufffd\ufffd\u000b)\ufffd\u0726uW7\u0017i _\ufffdy\ufffd\u001a\ufffd\ufffdL\u0014\u0011\ufffd\ufffdY\ufffd\ufffdT\u000b\ufffd\ufffd;\ufffd z\u0010\ufffd6\ufffdG\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 18080,
"service": "monero-p2p",
"service_label_fr": "MONERO P2P"
},
"attack_vector": "port scan syn \u00b7 via MONERO P2P:18080 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\u0593\ufffd\ufffd\ufffd\ufffdv\ufffd\n\/T.<\ufffd\ufffdx'\ufffd\ufffd\ufffd)\ufffd\u0726uW7i _\ufffdy\ufffd\ufffd\ufffdL\ufffd\ufffdY\ufffd\ufffdT\ufffd\ufffd;\ufffd z\ufffd6\ufffdG\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "18080 \u00b7 MONERO P2P",
"emulator_service": "monero-p2p",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "monero_p2p",
"service_banner": "honeypot-monero-p2p",
"service_os": "linux",
"dst_port": "18080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 79.41,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"monero_p2p_emulated",
"monero_p2p_payload",
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
10443 · HTTPS
|
https
|
Scan de ports
port scan syn · via HTTPS:10443 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
HTTPS
WAF
—
Recommandation
Surveiller
Tags
http_alt_port
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10443
Chemin / cible
—
Service
HTTPS
Payload
������������r�����S������sT�����z/b���g9P ��c���#��9`<F��/Y�7�������n�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������r�����S������sT�����z/b���g9P ��c���#��9`<F��/Y�7�������n�����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������r�����S������sT�����z/b���g9P ��c���#��9`<F��/Y�7�������n�����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���S.���V?���X��8 �8;k8��z���,L
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.866936769618551,
"port_category": "registered",
"org": "Google LLC",
"service": "https",
"app_proto": "https",
"asn": 396982,
"country": "US",
"dst_port": 10443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 33,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.4,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "51e0ea2696eb47d933501e9e4e547b380a3777d9",
"event_fingerprint": "7127e0cbe7d6c99cc93e9927b8c66f5194e98327",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "https",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "14c85924d98e9595e668cb0bbe26b1bf",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10443,
"service": "https",
"service_name": "https",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0000r\ufffd\ufffd\u000f\u0007\ufffdS\ufffd\ufffd\ufffd\ufffd\u0016\u000esT\ufffd\ufffd\u001e\ufffd\u0004z\/b\ufffd\u0005\ufffd\u0098g9P \ufffd\ufffdc\ufffd\u0006\ufffd#\ufffd\ufffd9`<F\u001e\ufffd\/Y\ufffd7\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0000r\ufffd\ufffd\u000f\u0007\ufffdS\ufffd\ufffd\ufffd\ufffd\u0016\u000esT\ufffd\ufffd\u001e\ufffd\u0004z\/b\ufffd\u0005\ufffd\u0098g9P \ufffd\ufffdc\ufffd\u0006\ufffd#\ufffd\ufffd9`<F\u001e\ufffd\/Y\ufffd7\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u000fS.\ufffd\ufffd\ufffdV?\ufffd\ufffd\ufffdX\ufffd\u00048 \u001b8;k8\ufffd\ufffdz\ufffd\ufffd\u0019,L",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0000r\ufffd\ufffd\u000f\u0007\ufffdS\ufffd\ufffd\ufffd\ufffd\u0016\u000esT\ufffd\ufffd\u001e\ufffd\u0004z\/b\ufffd\u0005\ufffd\u0098g9P \ufffd\ufffdc\ufffd\u0006\ufffd#\ufffd\ufffd9`<F\u001e\ufffd\/Y\ufffd7\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "55c242174744a7490ba1a429cfc538582b5dd71d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0000r\ufffd\ufffd\u000f\u0007\ufffdS\ufffd\ufffd\ufffd\ufffd\u0016\u000esT\ufffd\ufffd\u001e\ufffd\u0004z\/b\ufffd\u0005\ufffd\u0098g9P \ufffd\ufffdc\ufffd\u0006\ufffd#\ufffd\ufffd9`<F\u001e\ufffd\/Y\ufffd7\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10443,
"service": "https",
"service_label_fr": "HTTPS"
},
"evidence_snippet": "\ufffd\ufffdr\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffd\ufffdsT\ufffd\ufffd\ufffdz\/b\ufffd\ufffd\u0098g9P \ufffd\ufffdc\ufffd\ufffd#\ufffd\ufffd9`<F\ufffd\/Y\ufffd7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via HTTPS:10443 \u00b7 (reconnaissance)",
"target_port_label": "10443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via HTTPS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 33,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "https",
"service_label_fr": "HTTPS",
"dst_port": 10443,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-https",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0000r\ufffd\ufffd\u000f\u0007\ufffdS\ufffd\ufffd\ufffd\ufffd\u0016\u000esT\ufffd\ufffd\u001e\ufffd\u0004z\/b\ufffd\u0005\ufffd\u0098g9P \ufffd\ufffdc\ufffd\u0006\ufffd#\ufffd\ufffd9`<F\u001e\ufffd\/Y\ufffd7\ufffd\u0015\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\u001a\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10443,
"service": "https",
"service_label_fr": "HTTPS"
},
"attack_vector": "port scan syn \u00b7 via HTTPS:10443 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdr\ufffd\ufffd\ufffdS\ufffd\ufffd\ufffd\ufffdsT\ufffd\ufffd\ufffdz\/b\ufffd\ufffd\u0098g9P \ufffd\ufffdc\ufffd\ufffd#\ufffd\ufffd9`<F\ufffd\/Y\ufffd7\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdn\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "10443 \u00b7 HTTPS",
"emulator_service": "https",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "https",
"service_banner": "honeypot-https",
"service_os": "linux",
"dst_port": "10443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 78.99,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"http_alt_port",
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
15672 · RabbitMQ Management
|
rabbitmq-mgmt
|
Scan de ports
port scan syn · via RabbitMQ Management:15672 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
RABBITMQ-MGMT
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
rabbitmq_mgmt_emulated
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
15672
Chemin / cible
—
Service
RabbitMQ Management
Payload
������������Q1}l�쿜���E���݃��= ���ο��q;m ���<vI~��u'� �a�C��+�u�n.�~�{���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������Q1}l�쿜���E���݃��=
����q;m ���<vI~��u'�
�a�C��+�u�n.�~�{���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������Q1}l�쿜���E���݃��= ���ο��q;m ���<vI~��u'� �a�C��+�u�n.�~�{���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��o���D���+ص�����P||f��4ڼ����R
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.862815880380463,
"port_category": "registered",
"org": "Google LLC",
"service": "rabbitmq-mgmt",
"app_proto": "rabbitmq-mgmt",
"asn": 396982,
"country": "US",
"dst_port": 15672,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "ebd58b130a5fd1cc40cc7491cb6d6401ef48ca77",
"event_fingerprint": "457ef3ebe5a41038a591a4d492268aaeb6480900",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "rabbitmq-mgmt",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6236814fc7d5d4f08d23801413286a7e",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 15672,
"service": "rabbitmq-mgmt",
"service_name": "rabbitmq-mgmt",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ1}l\ufffd\ucfdc\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\u0743\ufffd\ufffd=\r\ufffd\ufffd\ufffd\u03bf\ufffd\ufffdq;m \ufffd\ufffd\u0010<vI~\ufffd\ufffdu'\ufffd\n\ufffda\ufffdC\ufffd\u001d+\ufffdu\ufffdn.\ufffd~\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ1}l\ufffd\ucfdc\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\u0743\ufffd\ufffd=\r\ufffd\ufffd\ufffd\u03bf\ufffd\ufffdq;m \ufffd\ufffd\u0010<vI~\ufffd\ufffdu'\ufffd\n\ufffda\ufffdC\ufffd\u001d+\ufffdu\ufffdn.\ufffd~\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\bo\ufffd\ufffd\ufffdD\u0017\ufffd\ufffd+\u0635\ufffd\u0001\ufffd\u0011\ufffdP||f\ufffd\u00044\u06bc\ufffd\ufffd\ufffd\ufffdR",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ1}l\ufffd\ucfdc\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\u0743\ufffd\ufffd=\r\ufffd\ufffd\ufffd\u03bf\ufffd\ufffdq;m \ufffd\ufffd\u0010<vI~\ufffd\ufffdu'\ufffd\n\ufffda\ufffdC\ufffd\u001d+\ufffdu\ufffdn.\ufffd~\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "5bd855fb565852aea333aadfe794c234defe6578",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ1}l\ufffd\ucfdc\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\u0743\ufffd\ufffd=\r\ufffd\ufffd\ufffd\u03bf\ufffd\ufffdq;m \ufffd\ufffd\u0010<vI~\ufffd\ufffdu'\ufffd\n\ufffda\ufffdC\ufffd\u001d+\ufffdu\ufffdn.\ufffd~\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 15672,
"service": "rabbitmq-mgmt",
"service_label_fr": "RabbitMQ Management"
},
"evidence_snippet": "\ufffd\ufffd\ufffdQ1}l\ufffd\ucfdc\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\u0743\ufffd\ufffd=\r\ufffd\ufffd\ufffd\u03bf\ufffd\ufffdq;m \ufffd\ufffd<vI~\ufffd\ufffdu'\ufffd\n\ufffda\ufffdC\ufffd+\ufffdu\ufffdn.\ufffd~\ufffd{\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via RabbitMQ Management:15672 \u00b7 (reconnaissance)",
"target_port_label": "15672 \u00b7 RabbitMQ Management",
"emulator_service": "rabbitmq-mgmt",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via RabbitMQ Management \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "rabbitmq-mgmt",
"service_label_fr": "RabbitMQ Management",
"dst_port": 15672,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-rabbitmq-mgmt",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ1}l\ufffd\ucfdc\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\u0743\ufffd\ufffd=\r\ufffd\ufffd\ufffd\u03bf\ufffd\ufffdq;m \ufffd\ufffd\u0010<vI~\ufffd\ufffdu'\ufffd\n\ufffda\ufffdC\ufffd\u001d+\ufffdu\ufffdn.\ufffd~\ufffd{\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 15672,
"service": "rabbitmq-mgmt",
"service_label_fr": "RabbitMQ Management"
},
"attack_vector": "port scan syn \u00b7 via RabbitMQ Management:15672 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdQ1}l\ufffd\ucfdc\ufffd\ufffd\ufffdE\ufffd\ufffd\ufffd\u0743\ufffd\ufffd=\r\ufffd\ufffd\ufffd\u03bf\ufffd\ufffdq;m \ufffd\ufffd<vI~\ufffd\ufffdu'\ufffd\n\ufffda\ufffdC\ufffd+\ufffdu\ufffdn.\ufffd~\ufffd{\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "15672 \u00b7 RabbitMQ Management",
"emulator_service": "rabbitmq-mgmt",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rabbitmq_mgmt",
"service_banner": "honeypot-rabbitmq-mgmt",
"service_os": "linux",
"dst_port": "15672"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 78.56,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"rabbitmq_mgmt_emulated",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
16686 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:16686 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
16686
Chemin / cible
—
Service
TLS
Payload
���������������f�m��$�]��=>��x����|��@�� �>�S�Ƴ]���E;��eJ�6X_��fq��ݠ�I��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������f�m��$�]��=>��x����|��@�� �>�S�Ƴ]���E;��eJ�6X_��fq��ݠ�I��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
���������������f�m��$�]��=>��x����|��@�� �>�S�Ƴ]���E;��eJ�6X_��fq��ݠ�I��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� w�� 4�JDP)�7� c�\�%�D�$�)Dm�7��)
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.885373655151744,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 16686,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "b145348de55c2363a6d4ddb900de3cb8fbc4e9c8",
"event_fingerprint": "c64d7d88655b0cfef285edd4823c0c9679e1068c",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "fe3da8d164941a18b76ff59f5abe77e0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 16686,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013f\ufffdm\ufffd\u001f$\ufffd]\ufffd\ufffd=\uf83f>\ufffd\ufffdx\u001d\u000f\u0015\ufffd|\ufffd\ufffd@\ufffd\ufffd \ufffd>\u001bS\ufffd\u01b3]\ufffd\ufffd\u000fE;\ufffd\ufffdeJ\ufffd6X_\ufffd\ufffdfq\ufffd\ufffd\u0760\ufffdI\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013f\ufffdm\ufffd\u001f$\ufffd]\ufffd\ufffd=\uf83f>\ufffd\ufffdx\u001d\u000f\u0015\ufffd|\ufffd\ufffd@\ufffd\ufffd \ufffd>\u001bS\ufffd\u01b3]\ufffd\ufffd\u000fE;\ufffd\ufffdeJ\ufffd6X_\ufffd\ufffdfq\ufffd\ufffd\u0760\ufffdI\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 w\ufffd\ufffd 4\ufffdJDP)\ufffd7\ufffd\fc\ufffd\\\ufffd%\ufffdD\ufffd$\ufffd)Dm\ufffd7\ufffd\u001d)",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013f\ufffdm\ufffd\u001f$\ufffd]\ufffd\ufffd=\uf83f>\ufffd\ufffdx\u001d\u000f\u0015\ufffd|\ufffd\ufffd@\ufffd\ufffd \ufffd>\u001bS\ufffd\u01b3]\ufffd\ufffd\u000fE;\ufffd\ufffdeJ\ufffd6X_\ufffd\ufffdfq\ufffd\ufffd\u0760\ufffdI\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8d89a091a642028fc46080161210b575947f5000",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013f\ufffdm\ufffd\u001f$\ufffd]\ufffd\ufffd=\uf83f>\ufffd\ufffdx\u001d\u000f\u0015\ufffd|\ufffd\ufffd@\ufffd\ufffd \ufffd>\u001bS\ufffd\u01b3]\ufffd\ufffd\u000fE;\ufffd\ufffdeJ\ufffd6X_\ufffd\ufffdfq\ufffd\ufffd\u0760\ufffdI\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 16686,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffdm\ufffd$\ufffd]\ufffd\ufffd=\uf83f>\ufffd\ufffdx\ufffd|\ufffd\ufffd@\ufffd\ufffd \ufffd>S\ufffd\u01b3]\ufffd\ufffdE;\ufffd\ufffdeJ\ufffd6X_\ufffd\ufffdfq\ufffd\ufffd\u0760\ufffdI\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:16686 \u00b7 (reconnaissance)",
"target_port_label": "16686 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 16686,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u0013f\ufffdm\ufffd\u001f$\ufffd]\ufffd\ufffd=\uf83f>\ufffd\ufffdx\u001d\u000f\u0015\ufffd|\ufffd\ufffd@\ufffd\ufffd \ufffd>\u001bS\ufffd\u01b3]\ufffd\ufffd\u000fE;\ufffd\ufffdeJ\ufffd6X_\ufffd\ufffdfq\ufffd\ufffd\u0760\ufffdI\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 16686,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:16686 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffdf\ufffdm\ufffd$\ufffd]\ufffd\ufffd=\uf83f>\ufffd\ufffdx\ufffd|\ufffd\ufffd@\ufffd\ufffd \ufffd>S\ufffd\u01b3]\ufffd\ufffdE;\ufffd\ufffdeJ\ufffd6X_\ufffd\ufffdfq\ufffd\ufffd\u0760\ufffdI\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "16686 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "16686"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 78.16,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
10002 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:10002 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10002
Chemin / cible
—
Service
TLS
Payload
�����������z�_�E����6oD��>��p������IM��4�� ���m� tB@�j�m/ �u� �6���,���I��x�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������z�_�E����6oD��>��p������IM��4�� ���m� tB@�j�m/
�u� �6���,���I��x�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������z�_�E����6oD��>��p������IM��4�� ���m� tB@�j�m/ �u� �6���,���I��x�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� 5�'�f�����N��:$yl��x�vg�CS�T9)+
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.8299375835877445,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 10002,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "5193c9f7bfa6c5fa2cff344047749d90593f1e74",
"event_fingerprint": "dc791c310c4ae920b8f35261634d6f0547a8c525",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "4753dd3517f559d452522d971f8c4f2d",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10002,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003z\u001c_\ufffdE\ufffd\ufffd\u0001\ufffd6oD\u0019\ufffd>\ufffd\ufffdp\u0019\u000e\ufffd\ufffd\ufffd\ufffdIM\ufffd\ufffd4\ufffd\ufffd \u001d\ufffd\ufffdm\ufffd\ttB@\u0007j\ufffdm\/\n\ufffdu\ufffd\t\ufffd6\ufffd\ufffd\ufffd,\u0016\ufffd\ufffdI\ufffd\ufffdx\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003z\u001c_\ufffdE\ufffd\ufffd\u0001\ufffd6oD\u0019\ufffd>\ufffd\ufffdp\u0019\u000e\ufffd\ufffd\ufffd\ufffdIM\ufffd\ufffd4\ufffd\ufffd \u001d\ufffd\ufffdm\ufffd\ttB@\u0007j\ufffdm\/\n\ufffdu\ufffd\t\ufffd6\ufffd\ufffd\ufffd,\u0016\ufffd\ufffdI\ufffd\ufffdx\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 5\ufffd'\u000ef\ufffd\u0017\ufffd\ufffd\ufffdN\u0001\u0003:$yl\ufffd\ufffdx\ufffdvg\u0012CS\ufffdT9)+",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003z\u001c_\ufffdE\ufffd\ufffd\u0001\ufffd6oD\u0019\ufffd>\ufffd\ufffdp\u0019\u000e\ufffd\ufffd\ufffd\ufffdIM\ufffd\ufffd4\ufffd\ufffd \u001d\ufffd\ufffdm\ufffd\ttB@\u0007j\ufffdm\/\n\ufffdu\ufffd\t\ufffd6\ufffd\ufffd\ufffd,\u0016\ufffd\ufffdI\ufffd\ufffdx\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1a473558574bb7f600356cea649aa33c053dde0b",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003z\u001c_\ufffdE\ufffd\ufffd\u0001\ufffd6oD\u0019\ufffd>\ufffd\ufffdp\u0019\u000e\ufffd\ufffd\ufffd\ufffdIM\ufffd\ufffd4\ufffd\ufffd \u001d\ufffd\ufffdm\ufffd\ttB@\u0007j\ufffdm\/\n\ufffdu\ufffd\t\ufffd6\ufffd\ufffd\ufffd,\u0016\ufffd\ufffdI\ufffd\ufffdx\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10002,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdz_\ufffdE\ufffd\ufffd\ufffd6oD\ufffd>\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdIM\ufffd\ufffd4\ufffd\ufffd \ufffd\ufffdm\ufffd\ttB@j\ufffdm\/\n\ufffdu\ufffd\t\ufffd6\ufffd\ufffd\ufffd,\ufffd\ufffdI\ufffd\ufffdx&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:10002 \u00b7 (reconnaissance)",
"target_port_label": "10002 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10002,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003z\u001c_\ufffdE\ufffd\ufffd\u0001\ufffd6oD\u0019\ufffd>\ufffd\ufffdp\u0019\u000e\ufffd\ufffd\ufffd\ufffdIM\ufffd\ufffd4\ufffd\ufffd \u001d\ufffd\ufffdm\ufffd\ttB@\u0007j\ufffdm\/\n\ufffdu\ufffd\t\ufffd6\ufffd\ufffd\ufffd,\u0016\ufffd\ufffdI\ufffd\ufffdx\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10002,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:10002 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdz_\ufffdE\ufffd\ufffd\ufffd6oD\ufffd>\ufffd\ufffdp\ufffd\ufffd\ufffd\ufffdIM\ufffd\ufffd4\ufffd\ufffd \ufffd\ufffdm\ufffd\ttB@j\ufffdm\/\n\ufffdu\ufffd\t\ufffd6\ufffd\ufffd\ufffd,\ufffd\ufffdI\ufffd\ufffdx&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "10002 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10002"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 77.62,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
10001 · MEMCACHED ALT
|
memcached-alt
|
Scan de ports
port scan syn · via MEMCACHED ALT:10001 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
MEMCACHED-ALT
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10001
Chemin / cible
—
Service
MEMCACHED ALT
Payload
������������ 3��ӱ� ���41�J%���/�pT~��S$$�_ L@$��� f���9�%q�D/�� �������2>k�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������ 3��ӱ� ���41�J%���/�pT~��S$$�_ L@$���
f���9�%q�D/����������2>k�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������ 3��ӱ� ���41�J%���/�pT~��S$$�_ L@$��� f���9�%q�D/�� �������2>k�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��,/����0Gz��K �����(^���F��[�!
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "56455253494f4e20312e362e360d0a",
"emulator_response_len": 15,
"bytes_in": 239,
"payload_entropy": 5.892798079883198,
"port_category": "registered",
"org": "Google LLC",
"service": "memcached-alt",
"app_proto": "memcached-alt",
"asn": 396982,
"country": "US",
"dst_port": 10001,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 3.7,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "c2cd898e1b1164e042bcf501cf6d78f191614d38",
"event_fingerprint": "5abcb3c760df18b6b70fb7132fd728170e5558d0",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "memcached-alt",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "6aed682c12d58fe60e28f6197dc8feeb",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10001,
"service": "memcached-alt",
"service_name": "memcached-alt",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\t3\ufffd\u0019\u04f1\ufffd \ufffd\u0011\ufffd41\ufffdJ%\ufffd\u0014\ufffd\/\ufffdpT~\ufffd\ufffdS$$\ufffd_ L@$\ufffd\ufffd\ufffd\rf\ufffd\ufffd\ufffd9\ufffd%q\ufffdD\/\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\u001b2>k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\t3\ufffd\u0019\u04f1\ufffd \ufffd\u0011\ufffd41\ufffdJ%\ufffd\u0014\ufffd\/\ufffdpT~\ufffd\ufffdS$$\ufffd_ L@$\ufffd\ufffd\ufffd\rf\ufffd\ufffd\ufffd9\ufffd%q\ufffdD\/\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\u001b2>k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u000f\u000e,\/\ufffd\ufffd\ufffd\ufffd0Gz\ufffd\ufffdK\u000b\u000f\ufffd\ufffd\ufffd\ufffd(^\ufffd\ufffd\ufffdF\ufffd\ufffd[\ufffd!",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\t3\ufffd\u0019\u04f1\ufffd \ufffd\u0011\ufffd41\ufffdJ%\ufffd\u0014\ufffd\/\ufffdpT~\ufffd\ufffdS$$\ufffd_ L@$\ufffd\ufffd\ufffd\rf\ufffd\ufffd\ufffd9\ufffd%q\ufffdD\/\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\u001b2>k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "6b805aaddfb5b96576d373cbda225670e6455f93",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\t3\ufffd\u0019\u04f1\ufffd \ufffd\u0011\ufffd41\ufffdJ%\ufffd\u0014\ufffd\/\ufffdpT~\ufffd\ufffdS$$\ufffd_ L@$\ufffd\ufffd\ufffd\rf\ufffd\ufffd\ufffd9\ufffd%q\ufffdD\/\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\u001b2>k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10001,
"service": "memcached-alt",
"service_label_fr": "MEMCACHED ALT"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\t3\ufffd\u04f1\ufffd \ufffd\ufffd41\ufffdJ%\ufffd\ufffd\/\ufffdpT~\ufffd\ufffdS$$\ufffd_ L@$\ufffd\ufffd\ufffd\rf\ufffd\ufffd\ufffd9\ufffd%q\ufffdD\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd2>k&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via MEMCACHED ALT:10001 \u00b7 (reconnaissance)",
"target_port_label": "10001 \u00b7 MEMCACHED ALT",
"emulator_service": "memcached-alt",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via MEMCACHED ALT \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "memcached-alt",
"service_label_fr": "MEMCACHED ALT",
"dst_port": 10001,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-memcached-alt",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\t3\ufffd\u0019\u04f1\ufffd \ufffd\u0011\ufffd41\ufffdJ%\ufffd\u0014\ufffd\/\ufffdpT~\ufffd\ufffdS$$\ufffd_ L@$\ufffd\ufffd\ufffd\rf\ufffd\ufffd\ufffd9\ufffd%q\ufffdD\/\ufffd\ufffd\f\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\u001b2>k\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10001,
"service": "memcached-alt",
"service_label_fr": "MEMCACHED ALT"
},
"attack_vector": "port scan syn \u00b7 via MEMCACHED ALT:10001 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\t3\ufffd\u04f1\ufffd \ufffd\ufffd41\ufffdJ%\ufffd\ufffd\/\ufffdpT~\ufffd\ufffdS$$\ufffd_ L@$\ufffd\ufffd\ufffd\rf\ufffd\ufffd\ufffd9\ufffd%q\ufffdD\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd2>k&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "10001 \u00b7 MEMCACHED ALT",
"emulator_service": "memcached-alt",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "memcached_alt",
"service_banner": "honeypot-memcached-alt",
"service_os": "linux",
"dst_port": "10001"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 77.24,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
1080 · SOCKS5
|
socks5
|
Scan de ports
port scan syn · via SOCKS5:1080 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
SOCKS5
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
socks5_emulated
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1080
Chemin / cible
—
Service
SOCKS5
Payload
�����������lw�4j�B�@%����"�?�V�������S�s��& ��$�:�?��-�!-(Q�#}��<��ҁ�v*r����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������lw�4j�B�@%����"�?�V�������S�s��& ��$�:�?��-�!-(Q�#}��<��ҁ�v*r����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������lw�4j�B�@%����"�?�V�������S�s��& ��$�:�?��-�!-(Q�#}��<��ҁ�v*r����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ���vz�U���#��<?���S���xnK748��
Meta JSON brut
{
"protocol_emulated": true,
"bytes_in": 239,
"payload_entropy": 5.842057236107577,
"port_category": "registered",
"org": "Google LLC",
"service": "socks5",
"app_proto": "socks5",
"asn": 396982,
"country": "US",
"dst_port": 1080,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "de10254ab77dcbc66caf515104f6605639f2a16b",
"event_fingerprint": "dc2e01e414bde3aa47dfa7a38a4e4393eddba8cb",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "socks5",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ab79ae9a8820af82950a7eb37e1d31a2",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 1080,
"service": "socks5",
"service_name": "socks5",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lw\b4j\ufffdB\ufffd@%\ufffd\ufffd\u0006\ufffd\"\ufffd?\ufffdV\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffdS\ufffds\ufffd\ufffd& \ufffd\ufffd$\ufffd:\ufffd?\ufffd\u000e-\u0019!-(Q\ufffd#}\u001b\ufffd<\u001b\ufffd\u0481\ufffdv*r\u0014\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lw\b4j\ufffdB\ufffd@%\ufffd\ufffd\u0006\ufffd\"\ufffd?\ufffdV\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffdS\ufffds\ufffd\ufffd& \ufffd\ufffd$\ufffd:\ufffd?\ufffd\u000e-\u0019!-(Q\ufffd#}\u001b\ufffd<\u001b\ufffd\u0481\ufffdv*r\u0014\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdvz\ufffdU\ufffd\ufffd\u0018#\u0006\ufffd<?\ufffd\u0013\ufffdS\ufffd\ufffd\ufffdxnK748\u05cf\ufffd\u0003",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lw\b4j\ufffdB\ufffd@%\ufffd\ufffd\u0006\ufffd\"\ufffd?\ufffdV\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffdS\ufffds\ufffd\ufffd& \ufffd\ufffd$\ufffd:\ufffd?\ufffd\u000e-\u0019!-(Q\ufffd#}\u001b\ufffd<\u001b\ufffd\u0481\ufffdv*r\u0014\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ec250a621ec16301fb41946ea125ca0b90bac7a6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lw\b4j\ufffdB\ufffd@%\ufffd\ufffd\u0006\ufffd\"\ufffd?\ufffdV\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffdS\ufffds\ufffd\ufffd& \ufffd\ufffd$\ufffd:\ufffd?\ufffd\u000e-\u0019!-(Q\ufffd#}\u001b\ufffd<\u001b\ufffd\u0481\ufffdv*r\u0014\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 1080,
"service": "socks5",
"service_label_fr": "SOCKS5"
},
"evidence_snippet": "\ufffd\ufffdlw4j\ufffdB\ufffd@%\ufffd\ufffd\ufffd\"\ufffd?\ufffdV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffds\ufffd\ufffd& \ufffd\ufffd$\ufffd:\ufffd?\ufffd-!-(Q\ufffd#}\ufffd<\ufffd\u0481\ufffdv*r\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via SOCKS5:1080 \u00b7 (reconnaissance)",
"target_port_label": "1080 \u00b7 SOCKS5",
"emulator_service": "socks5",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via SOCKS5 \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "socks5",
"service_label_fr": "SOCKS5",
"dst_port": 1080,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-socks5",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003lw\b4j\ufffdB\ufffd@%\ufffd\ufffd\u0006\ufffd\"\ufffd?\ufffdV\ufffd\ufffd\u0011\ufffd\ufffd\ufffd\ufffdS\ufffds\ufffd\ufffd& \ufffd\ufffd$\ufffd:\ufffd?\ufffd\u000e-\u0019!-(Q\ufffd#}\u001b\ufffd<\u001b\ufffd\u0481\ufffdv*r\u0014\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 1080,
"service": "socks5",
"service_label_fr": "SOCKS5"
},
"attack_vector": "port scan syn \u00b7 via SOCKS5:1080 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdlw4j\ufffdB\ufffd@%\ufffd\ufffd\ufffd\"\ufffd?\ufffdV\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdS\ufffds\ufffd\ufffd& \ufffd\ufffd$\ufffd:\ufffd?\ufffd-!-(Q\ufffd#}\ufffd<\ufffd\u0481\ufffdv*r\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "1080 \u00b7 SOCKS5",
"emulator_service": "socks5",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "socks5",
"service_banner": "honeypot-socks5",
"service_os": "linux",
"dst_port": "1080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 76.88,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"socks5_emulated",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
11434 · OLLAMA
|
ollama
|
Scan de ports
port scan syn · via OLLAMA:11434 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
OLLAMA
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
11434
Chemin / cible
—
Service
OLLAMA
Payload
������������� �nQr�U����wTb��ԛ�|y8��8ѓ�� P2�n�_���3�o���*��3��1άQxan��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 2 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������nQr�U����wTb��ԛ�|y8��8ѓ�� P2�n�_���3�o���*��3��1άQxan��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������� �nQr�U����wTb��ԛ�|y8��8ѓ�� P2�n�_���3�o���*��3��1άQxan��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��iخ�7��8�m����ԇ�� �0��͠��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b",
"emulator_response_len": 82,
"bytes_in": 239,
"payload_entropy": 5.853555475898023,
"port_category": "registered",
"org": "Google LLC",
"service": "ollama",
"app_proto": "ollama",
"asn": 396982,
"country": "US",
"dst_port": 11434,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 4.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "57abb6d1022801af865ef2e0dac4c482cd4b99c1",
"event_fingerprint": "f89cdea6376e617051af8ec1f1fe46bce2665c80",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "ollama",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f1e5fef6fc47a9b6f94b91b1bef37193",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 11434,
"service": "ollama",
"service_name": "ollama",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\u001fnQr\ufffdU\ufffd\ufffd\ufffd\ufffdwTb\ufffd\ufffd\u051b\ufffd|y8\ufffd\u00048\u0453\ufffd\ufffd P2\ufffdn\ufffd_\ufffd\u0011\ufffd3\ufffdo\ufffd\u0000\ufffd*\u001f\ufffd3\ufffd\ufffd1\u03acQxan\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\u001fnQr\ufffdU\ufffd\ufffd\ufffd\ufffdwTb\ufffd\ufffd\u051b\ufffd|y8\ufffd\u00048\u0453\ufffd\ufffd P2\ufffdn\ufffd_\ufffd\u0011\ufffd3\ufffdo\ufffd\u0000\ufffd*\u001f\ufffd3\ufffd\ufffd1\u03acQxan\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u0001i\u062e\ufffd7\u000e\ufffd8\ufffdm\u000e\u001b\ufffd\ufffd\u0507\u0000\ufffd\u000b\ufffd0\ufffd\ufffd\u0360\ufffd\ufffd\f",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\u001fnQr\ufffdU\ufffd\ufffd\ufffd\ufffdwTb\ufffd\ufffd\u051b\ufffd|y8\ufffd\u00048\u0453\ufffd\ufffd P2\ufffdn\ufffd_\ufffd\u0011\ufffd3\ufffdo\ufffd\u0000\ufffd*\u001f\ufffd3\ufffd\ufffd1\u03acQxan\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9dfc882fd834260ceb4638ef53bd779643d69f0f",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\u001fnQr\ufffdU\ufffd\ufffd\ufffd\ufffdwTb\ufffd\ufffd\u051b\ufffd|y8\ufffd\u00048\u0453\ufffd\ufffd P2\ufffdn\ufffd_\ufffd\u0011\ufffd3\ufffdo\ufffd\u0000\ufffd*\u001f\ufffd3\ufffd\ufffd1\u03acQxan\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 11434,
"service": "ollama",
"service_label_fr": "OLLAMA"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdnQr\ufffdU\ufffd\ufffd\ufffd\ufffdwTb\ufffd\ufffd\u051b\ufffd|y8\ufffd8\u0453\ufffd\ufffd P2\ufffdn\ufffd_\ufffd\ufffd3\ufffdo\ufffd\ufffd*\ufffd3\ufffd\ufffd1\u03acQxan\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via OLLAMA:11434 \u00b7 (reconnaissance)",
"target_port_label": "11434 \u00b7 OLLAMA",
"emulator_service": "ollama",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via OLLAMA \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "ollama",
"service_label_fr": "OLLAMA",
"dst_port": 11434,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-ollama",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\f\u001fnQr\ufffdU\ufffd\ufffd\ufffd\ufffdwTb\ufffd\ufffd\u051b\ufffd|y8\ufffd\u00048\u0453\ufffd\ufffd P2\ufffdn\ufffd_\ufffd\u0011\ufffd3\ufffdo\ufffd\u0000\ufffd*\u001f\ufffd3\ufffd\ufffd1\u03acQxan\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 11434,
"service": "ollama",
"service_label_fr": "OLLAMA"
},
"attack_vector": "port scan syn \u00b7 via OLLAMA:11434 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdnQr\ufffdU\ufffd\ufffd\ufffd\ufffdwTb\ufffd\ufffd\u051b\ufffd|y8\ufffd8\u0453\ufffd\ufffd P2\ufffdn\ufffd_\ufffd\ufffd3\ufffdo\ufffd\ufffd*\ufffd3\ufffd\ufffd1\u03acQxan\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "11434 \u00b7 OLLAMA",
"emulator_service": "ollama",
"confidence_reason": "Confiance 100 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "ollama",
"service_banner": "honeypot-ollama",
"service_os": "linux",
"dst_port": "11434"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 76.53,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
12000 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:12000 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
12000
Chemin / cible
—
Service
TLS
Payload
���������������J��y��ʨ�PGzon�����������R�M ºo�J����&�2��EP������ɐ��n"�e���&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���������������J��y��ʨ�PGzon�����������R�M ºo�J����&�2��EP������ɐ��n"�e���&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
���������������J��y��ʨ�PGzon�����������R�M ºo�J����&�2��EP������ɐ��n"�e���&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� g���#R:�+�M�x>�[�_��� |"����� c
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.77565456639697,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 12000,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "962d153e0076373456f914b42933f47ae2a3f5ab",
"event_fingerprint": "c30b8f7bb3e2d9fda101193e2bb143ed9d02838f",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "b826b0fd1384a2bfe169a9889deaae02",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 12000,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdy\u0018\ufffd\u02a8\ufffdPGzon\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffdM \u00bao\ufffdJ\ufffd\ufffd\ufffd\ufffd&\ufffd2\ufffd\u0000EP\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\u0250\ufffd\ufffdn\"\ufffde\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdy\u0018\ufffd\u02a8\ufffdPGzon\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffdM \u00bao\ufffdJ\ufffd\ufffd\ufffd\ufffd&\ufffd2\ufffd\u0000EP\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\u0250\ufffd\ufffdn\"\ufffde\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 g\ufffd\ufffd\ufffd#R:\ufffd+\ufffdM\ufffdx>\u000e[\ufffd_\u0003\ufffd\ufffd\r|\"\ufffd\u0010\ufffd\ufffd\ufffd\fc",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdy\u0018\ufffd\u02a8\ufffdPGzon\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffdM \u00bao\ufffdJ\ufffd\ufffd\ufffd\ufffd&\ufffd2\ufffd\u0000EP\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\u0250\ufffd\ufffdn\"\ufffde\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2277bb3fe9b0aed679b612b6bde9708f97891e1e",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdy\u0018\ufffd\u02a8\ufffdPGzon\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffdM \u00bao\ufffdJ\ufffd\ufffd\ufffd\ufffd&\ufffd2\ufffd\u0000EP\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\u0250\ufffd\ufffdn\"\ufffde\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 12000,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdy\ufffd\u02a8\ufffdPGzon\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffdM \u00bao\ufffdJ\ufffd\ufffd\ufffd\ufffd&\ufffd2\ufffdEP\ufffd\ufffd\ufffd\ufffd\ufffd\u0250\ufffd\ufffdn\"\ufffde\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:12000 \u00b7 (reconnaissance)",
"target_port_label": "12000 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 12000,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdy\u0018\ufffd\u02a8\ufffdPGzon\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffdM \u00bao\ufffdJ\ufffd\ufffd\ufffd\ufffd&\ufffd2\ufffd\u0000EP\ufffd\u0016\ufffd\ufffd\ufffd\ufffd\u0250\ufffd\ufffdn\"\ufffde\u000e\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 12000,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:12000 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdJ\ufffd\ufffdy\ufffd\u02a8\ufffdPGzon\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdR\ufffdM \u00bao\ufffdJ\ufffd\ufffd\ufffd\ufffd&\ufffd2\ufffdEP\ufffd\ufffd\ufffd\ufffd\ufffd\u0250\ufffd\ufffdn\"\ufffde\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "12000 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "12000"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 76.17,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
10080 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:10080 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10080
Chemin / cible
—
Service
TLS
Payload
�����������ٌ��_�[���p�6�w����������z���ؤ� ��G&��b)�h���X�����]��x�+�VY����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������ٌ��_�[���p�6�w����������z���ؤ� ��G&��b)�h���X�����]��x�+�VY����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������ٌ��_�[���p�6�w����������z���ؤ� ��G&��b)�h���X�����]��x�+�VY����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �<d���*N��T�NM�11�5\�NA��K��4~�K
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.88542346195109,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 10080,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "80fb14e3241312bd0db13afc9a41c4c9a1c1949a",
"event_fingerprint": "becff4b52807a032427917d87fd16df567595286",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "e88dcb08cd260b569394974d44416ed1",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10080,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u064c\u001a\ufffd_\ufffd[\u0014\u001d\ufffdp\ufffd6\ufffdw\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\u0005\ufffd\u0624\ufffd \ufffd\ufffdG&\ufffd\ufffdb)\ufffdh\u0003\ufffd\u0007X\ufffd\ufffd\u0016\ufffd\u0019]\ufffd\ufffdx\ufffd+\ufffdVY\ufffd\u001d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u064c\u001a\ufffd_\ufffd[\u0014\u001d\ufffdp\ufffd6\ufffdw\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\u0005\ufffd\u0624\ufffd \ufffd\ufffdG&\ufffd\ufffdb)\ufffdh\u0003\ufffd\u0007X\ufffd\ufffd\u0016\ufffd\u0019]\ufffd\ufffdx\ufffd+\ufffdVY\ufffd\u001d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd<d\ufffd\ufffd\ufffd*N\ufffd\u000eT\ufffdNM\ufffd11\u000f5\\\ufffdNA\u0014\ufffdK\ufffd\ufffd4~\ufffdK",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u064c\u001a\ufffd_\ufffd[\u0014\u001d\ufffdp\ufffd6\ufffdw\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\u0005\ufffd\u0624\ufffd \ufffd\ufffdG&\ufffd\ufffdb)\ufffdh\u0003\ufffd\u0007X\ufffd\ufffd\u0016\ufffd\u0019]\ufffd\ufffdx\ufffd+\ufffdVY\ufffd\u001d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "953a537e02015162bf5fcd42e995849c6b513aa5",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u064c\u001a\ufffd_\ufffd[\u0014\u001d\ufffdp\ufffd6\ufffdw\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\u0005\ufffd\u0624\ufffd \ufffd\ufffdG&\ufffd\ufffdb)\ufffdh\u0003\ufffd\u0007X\ufffd\ufffd\u0016\ufffd\u0019]\ufffd\ufffdx\ufffd+\ufffdVY\ufffd\u001d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10080,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\u064c\ufffd_\ufffd[\ufffdp\ufffd6\ufffdw\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\u0624\ufffd \ufffd\ufffdG&\ufffd\ufffdb)\ufffdh\ufffdX\ufffd\ufffd\ufffd]\ufffd\ufffdx\ufffd+\ufffdVY\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:10080 \u00b7 (reconnaissance)",
"target_port_label": "10080 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10080,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u064c\u001a\ufffd_\ufffd[\u0014\u001d\ufffdp\ufffd6\ufffdw\ufffd\ufffd\ufffd\ufffd\u001e\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\u0005\ufffd\u0624\ufffd \ufffd\ufffdG&\ufffd\ufffdb)\ufffdh\u0003\ufffd\u0007X\ufffd\ufffd\u0016\ufffd\u0019]\ufffd\ufffdx\ufffd+\ufffdVY\ufffd\u001d\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 10080,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:10080 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\u064c\ufffd_\ufffd[\ufffdp\ufffd6\ufffdw\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdz\ufffd\ufffd\u0624\ufffd \ufffd\ufffdG&\ufffd\ufffdb)\ufffdh\ufffdX\ufffd\ufffd\ufffd]\ufffd\ufffdx\ufffd+\ufffdVY\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "10080 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 102,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 102,
"scan_velocity_ports_per_s": 75.8,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8260 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8260 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8260
Chemin / cible
—
Service
TLS
Payload
�����������0��;� C�J���ڛd��B�/b A�l��!�k� �R9�ǽ�#4��HUHy/��:��B��n��*��(��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������0��;�
C�J���ڛd��B�/b�A�l��!�k� �R9�ǽ�#4��HUHy/��:��B��n��*��(��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������0��;� C�J���ڛd��B�/b A�l��!�k� �R9�ǽ�#4��HUHy/��:��B��n��*��(��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ��с�}p�_�� �r�`/�IV���ֶXW�L��u
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.816196534921373,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8260,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "91ece135f2e98f1c9ecd76e25c011c53e90aebaf",
"event_fingerprint": "d289625850e231315e67875ce2571b9ad4b14629",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "7ced2d8af1c3b112d2b7cfc637d67be0",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8260,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u001f\ufffd;\ufffd\nC\u0010J\ufffd\ufffd\ufffd\u069bd\ufffd\ufffdB\ufffd\/b\u000bA\u001dl\ufffd\ufffd!\ufffdk\ufffd \ufffdR9\u0001\u01fd\ufffd#4\ufffd\u0002HUHy\/\ufffd\ufffd:\ufffd\ufffdB\u001d\u0000n\ufffd\u001f*\u0000\ufffd(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u001f\ufffd;\ufffd\nC\u0010J\ufffd\ufffd\ufffd\u069bd\ufffd\ufffdB\ufffd\/b\u000bA\u001dl\ufffd\ufffd!\ufffdk\ufffd \ufffdR9\u0001\u01fd\ufffd#4\ufffd\u0002HUHy\/\ufffd\ufffd:\ufffd\ufffdB\u001d\u0000n\ufffd\u001f*\u0000\ufffd(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u0441\ufffd}p\u0015_\ufffd\u0011\u000b\ufffdr\ufffd`\/\u0013IV\ufffd\ufffd\u000e\u05b6XW\ufffdL\b\ufffdu",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u001f\ufffd;\ufffd\nC\u0010J\ufffd\ufffd\ufffd\u069bd\ufffd\ufffdB\ufffd\/b\u000bA\u001dl\ufffd\ufffd!\ufffdk\ufffd \ufffdR9\u0001\u01fd\ufffd#4\ufffd\u0002HUHy\/\ufffd\ufffd:\ufffd\ufffdB\u001d\u0000n\ufffd\u001f*\u0000\ufffd(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8c77cffcc7813aaa40e70712a95fccd7a0459051",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u001f\ufffd;\ufffd\nC\u0010J\ufffd\ufffd\ufffd\u069bd\ufffd\ufffdB\ufffd\/b\u000bA\u001dl\ufffd\ufffd!\ufffdk\ufffd \ufffdR9\u0001\u01fd\ufffd#4\ufffd\u0002HUHy\/\ufffd\ufffd:\ufffd\ufffdB\u001d\u0000n\ufffd\u001f*\u0000\ufffd(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd0\ufffd;\ufffd\nCJ\ufffd\ufffd\ufffd\u069bd\ufffd\ufffdB\ufffd\/bAl\ufffd\ufffd!\ufffdk\ufffd \ufffdR9\u01fd\ufffd#4\ufffdHUHy\/\ufffd\ufffd:\ufffd\ufffdBn\ufffd*\ufffd(\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8260 \u00b7 (reconnaissance)",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8260,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u001f\ufffd;\ufffd\nC\u0010J\ufffd\ufffd\ufffd\u069bd\ufffd\ufffdB\ufffd\/b\u000bA\u001dl\ufffd\ufffd!\ufffdk\ufffd \ufffdR9\u0001\u01fd\ufffd#4\ufffd\u0002HUHy\/\ufffd\ufffd:\ufffd\ufffdB\u001d\u0000n\ufffd\u001f*\u0000\ufffd(\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8260,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8260 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd0\ufffd;\ufffd\nCJ\ufffd\ufffd\ufffd\u069bd\ufffd\ufffdB\ufffd\/bAl\ufffd\ufffd!\ufffdk\ufffd \ufffdR9\u01fd\ufffd#4\ufffdHUHy\/\ufffd\ufffd:\ufffd\ufffdBn\ufffd*\ufffd(\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8260 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8260"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 103,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 103,
"scan_velocity_ports_per_s": 75.98,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8270 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8270 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8270
Chemin / cible
—
Service
TLS
Payload
�������������/��S�| �?� ����[,�����¯Ez���� 9�i���ϕ��*�l4N�,fu s�禘du���*�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������/��S�|
�?�
����[,�����¯Ez���� 9�i���ϕ��*�l4N�,fu
s�禘du���*�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�������������/��S�| �?� ����[,�����¯Ez���� 9�i���ϕ��*�l4N�,fu s�禘du���*�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ?���_�]��Ҹ#���:����ıN���xǖU
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.863674777338817,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8270,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "85c6655cbcbdc34b4902e85049bd5ebe1be8f2ef",
"event_fingerprint": "b3fc339bed268f5c6846cbd3e95ddaf25f9dfeb8",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "5f797bc27e3e9b8a81bf87ae26ed3ea6",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8270,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\/\ufffd\u001eS\ufffd|\r\ufffd?\ufffd\r\ufffd\ufffd\ufffd\ufffd[,\ufffd\ufffd\u0006\ufffd\ufffd\u00afEz\u001e\ufffd\ufffd\ufffd 9\ufffdi\ufffd\ufffd\ufffd\u03d5\ufffd\u0002*\ufffdl4N\ufffd,fu\ns\ufffd\u7998du\ufffd\ufffd\u0001*\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\/\ufffd\u001eS\ufffd|\r\ufffd?\ufffd\r\ufffd\ufffd\ufffd\ufffd[,\ufffd\ufffd\u0006\ufffd\ufffd\u00afEz\u001e\ufffd\ufffd\ufffd 9\ufffdi\ufffd\ufffd\ufffd\u03d5\ufffd\u0002*\ufffdl4N\ufffd,fu\ns\ufffd\u7998du\ufffd\ufffd\u0001*\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 ?\ufffd\ufffd\ufffd_\ufffd]\ufffd\ufffd\u04b8#\ufffd\u0007\ufffd:\ufffd\u0018\ufffd\ufffd\u0131N\ufffd\ufffd\u000ex\u01d6U",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\/\ufffd\u001eS\ufffd|\r\ufffd?\ufffd\r\ufffd\ufffd\ufffd\ufffd[,\ufffd\ufffd\u0006\ufffd\ufffd\u00afEz\u001e\ufffd\ufffd\ufffd 9\ufffdi\ufffd\ufffd\ufffd\u03d5\ufffd\u0002*\ufffdl4N\ufffd,fu\ns\ufffd\u7998du\ufffd\ufffd\u0001*\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ac4bd0c67d39ca6642e368f6c8ee661176de3d22",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\/\ufffd\u001eS\ufffd|\r\ufffd?\ufffd\r\ufffd\ufffd\ufffd\ufffd[,\ufffd\ufffd\u0006\ufffd\ufffd\u00afEz\u001e\ufffd\ufffd\ufffd 9\ufffdi\ufffd\ufffd\ufffd\u03d5\ufffd\u0002*\ufffdl4N\ufffd,fu\ns\ufffd\u7998du\ufffd\ufffd\u0001*\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8270,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\/\ufffdS\ufffd|\r\ufffd?\ufffd\r\ufffd\ufffd\ufffd\ufffd[,\ufffd\ufffd\ufffd\ufffd\u00afEz\ufffd\ufffd\ufffd 9\ufffdi\ufffd\ufffd\ufffd\u03d5\ufffd*\ufffdl4N\ufffd,fu\ns\ufffd\u7998du\ufffd\ufffd*&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8270 \u00b7 (reconnaissance)",
"target_port_label": "8270 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8270,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\/\ufffd\u001eS\ufffd|\r\ufffd?\ufffd\r\ufffd\ufffd\ufffd\ufffd[,\ufffd\ufffd\u0006\ufffd\ufffd\u00afEz\u001e\ufffd\ufffd\ufffd 9\ufffdi\ufffd\ufffd\ufffd\u03d5\ufffd\u0002*\ufffdl4N\ufffd,fu\ns\ufffd\u7998du\ufffd\ufffd\u0001*\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8270,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8270 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\/\ufffdS\ufffd|\r\ufffd?\ufffd\r\ufffd\ufffd\ufffd\ufffd[,\ufffd\ufffd\ufffd\ufffd\u00afEz\ufffd\ufffd\ufffd 9\ufffdi\ufffd\ufffd\ufffd\u03d5\ufffd*\ufffdl4N\ufffd,fu\ns\ufffd\u7998du\ufffd\ufffd*&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8270 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8270"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 104,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 104,
"scan_velocity_ports_per_s": 76.36,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8280 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8280 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8280
Chemin / cible
—
Service
TLS
Payload
������������bU}��8�dͣ�y�����Ei�է�������s� N5�[ �k�l���틃�PZt�)���(~�WV��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������bU}��8�dͣ�y�����Ei�է�������s� N5�[ �k�l���틃�PZt�)���(~�WV��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������bU}��8�dͣ�y�����Ei�է�������s� N5�[ �k�l���틃�PZt�)���(~�WV��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� `��]O0� +��qU���%J��ó���p6�w��
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.911059703216258,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8280,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "1be22c6fc36720f9ac3cc47f2213a7781d06f7d2",
"event_fingerprint": "98a97ee7bde8e6e9369b800c7e64fc1b5a0ec486",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "27bb8c0ad6f556e2843dd413543ea311",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8280,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbU}\u001c\ufffd8\ufffdd\u0363\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffdEi\ufffd\u0567\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffds\u0004 N5\ufffd[ \ufffdk\ufffdl\u001d\ufffd\ufffd\ud2c3\ufffdPZt\ufffd)\ufffd\ufffd\ufffd(~\ufffdWV\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbU}\u001c\ufffd8\ufffdd\u0363\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffdEi\ufffd\u0567\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffds\u0004 N5\ufffd[ \ufffdk\ufffdl\u001d\ufffd\ufffd\ud2c3\ufffdPZt\ufffd)\ufffd\ufffd\ufffd(~\ufffdWV\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 `\b\u0018]O0\ufffd +\ufffd\u0007qU\ufffd\ufffd\ufffd%J\ufffd\ufffd\u00f3\ufffd\ufffd\ufffdp6\ufffdw\ufffd\u0018",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbU}\u001c\ufffd8\ufffdd\u0363\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffdEi\ufffd\u0567\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffds\u0004 N5\ufffd[ \ufffdk\ufffdl\u001d\ufffd\ufffd\ud2c3\ufffdPZt\ufffd)\ufffd\ufffd\ufffd(~\ufffdWV\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "39aec89bd1e008bd838f718d5b635af498772e37",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbU}\u001c\ufffd8\ufffdd\u0363\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffdEi\ufffd\u0567\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffds\u0004 N5\ufffd[ \ufffdk\ufffdl\u001d\ufffd\ufffd\ud2c3\ufffdPZt\ufffd)\ufffd\ufffd\ufffd(~\ufffdWV\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8280,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdbU}\ufffd8\ufffdd\u0363\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffdEi\ufffd\u0567\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds N5\ufffd[ \ufffdk\ufffdl\ufffd\ufffd\ud2c3\ufffdPZt\ufffd)\ufffd\ufffd\ufffd(~\ufffdWV\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8280 \u00b7 (reconnaissance)",
"target_port_label": "8280 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8280,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdbU}\u001c\ufffd8\ufffdd\u0363\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffdEi\ufffd\u0567\ufffd\ufffd\ufffd\u0014\ufffd\ufffd\ufffds\u0004 N5\ufffd[ \ufffdk\ufffdl\u001d\ufffd\ufffd\ud2c3\ufffdPZt\ufffd)\ufffd\ufffd\ufffd(~\ufffdWV\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8280,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8280 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdbU}\ufffd8\ufffdd\u0363\ufffdy\ufffd\ufffd\ufffd\ufffd\ufffdEi\ufffd\u0567\ufffd\ufffd\ufffd\ufffd\ufffd\ufffds N5\ufffd[ \ufffdk\ufffdl\ufffd\ufffd\ud2c3\ufffdPZt\ufffd)\ufffd\ufffd\ufffd(~\ufffdWV\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8280 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8280"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 105,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 105,
"scan_velocity_ports_per_s": 76.75,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8282 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8282 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8282
Chemin / cible
—
Service
TLS
Payload
��������������ˍ���u��x�b�?�����B���K��7U�> �/>3���j�L�U%�Z������u�[�nQ����&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������ˍ���u��x�b�?�����B���K��7U�> �/>3���j�L�U%�Z������u�[�nQ����&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������ˍ���u��x�b�?�����B���K��7U�> �/>3���j�L�U%�Z������u�[�nQ����&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� +��6dڡ��j�3�c��V�n��¥�v�rvoK�|
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.85846066977296,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8282,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "546c02cb4869215fbbd56bf8069ae4f0a6ca221e",
"event_fingerprint": "51a3f5122ee16de893600f89313aeae81610552c",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "e26ce46439976b01e2cf7c414e14c4dd",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8282,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u02cd\ufffd\ufffd\ufffdu\ufffd\ufffdx\bb\ufffd?\ufffd\ufffd\ufffd\u001c\ufffdB\ufffd\ufffd\ufffdK\u000f\ufffd7U\ufffd> \ufffd\/>3\u0012\u0015\ufffdj\ufffdL\ufffdU%\ufffdZ\ufffd\ufffd\ufffd\u0016\ufffd\ufffdu\ufffd[\ufffdnQ\u000e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u02cd\ufffd\ufffd\ufffdu\ufffd\ufffdx\bb\ufffd?\ufffd\ufffd\ufffd\u001c\ufffdB\ufffd\ufffd\ufffdK\u000f\ufffd7U\ufffd> \ufffd\/>3\u0012\u0015\ufffdj\ufffdL\ufffdU%\ufffdZ\ufffd\ufffd\ufffd\u0016\ufffd\ufffdu\ufffd[\ufffdnQ\u000e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 +\ufffd\ufffd6d\u06a1\ufffd\ufffdj\ufffd3\u0006c\ufffd\ufffdV\ufffdn\ufffd\ufffd\u00a5\u0005v\ufffdrvoK\ufffd|",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u02cd\ufffd\ufffd\ufffdu\ufffd\ufffdx\bb\ufffd?\ufffd\ufffd\ufffd\u001c\ufffdB\ufffd\ufffd\ufffdK\u000f\ufffd7U\ufffd> \ufffd\/>3\u0012\u0015\ufffdj\ufffdL\ufffdU%\ufffdZ\ufffd\ufffd\ufffd\u0016\ufffd\ufffdu\ufffd[\ufffdnQ\u000e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1813bc4cfd4aa5410d3c2301c3df7c1be0370986",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u02cd\ufffd\ufffd\ufffdu\ufffd\ufffdx\bb\ufffd?\ufffd\ufffd\ufffd\u001c\ufffdB\ufffd\ufffd\ufffdK\u000f\ufffd7U\ufffd> \ufffd\/>3\u0012\u0015\ufffdj\ufffdL\ufffdU%\ufffdZ\ufffd\ufffd\ufffd\u0016\ufffd\ufffdu\ufffd[\ufffdnQ\u000e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8282,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u02cd\ufffd\ufffd\ufffdu\ufffd\ufffdxb\ufffd?\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdK\ufffd7U\ufffd> \ufffd\/>3\ufffdj\ufffdL\ufffdU%\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd[\ufffdnQ\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8282 \u00b7 (reconnaissance)",
"target_port_label": "8282 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8282,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\u02cd\ufffd\ufffd\ufffdu\ufffd\ufffdx\bb\ufffd?\ufffd\ufffd\ufffd\u001c\ufffdB\ufffd\ufffd\ufffdK\u000f\ufffd7U\ufffd> \ufffd\/>3\u0012\u0015\ufffdj\ufffdL\ufffdU%\ufffdZ\ufffd\ufffd\ufffd\u0016\ufffd\ufffdu\ufffd[\ufffdnQ\u000e\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8282,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8282 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\u02cd\ufffd\ufffd\ufffdu\ufffd\ufffdxb\ufffd?\ufffd\ufffd\ufffd\ufffdB\ufffd\ufffd\ufffdK\ufffd7U\ufffd> \ufffd\/>3\ufffdj\ufffdL\ufffdU%\ufffdZ\ufffd\ufffd\ufffd\ufffd\ufffdu\ufffd[\ufffdnQ\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8282 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8282"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 106,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 106,
"scan_velocity_ports_per_s": 77.11,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
18443 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:18443 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
18443
Chemin / cible
—
Service
TLS
Payload
��������������l�u'��q���^+>��3����������0� ���Z(�o��0�-���I&�8�7عܩfW��=��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������l�u'��q���^+>��3����������0� ���Z(�o��0�-���I&�8�7عܩfW��=��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������l�u'��q���^+>��3����������0� ���Z(�o��0�-���I&�8�7عܩfW��=��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �U����i�D��YZ��30mr�Q�DU��_�}�5
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.832695452366041,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 18443,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 6,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "909c274bfe9375fd7e292dadf97aad55344692c1",
"event_fingerprint": "ea14a8fcc0195359aa7fe517f218582e40df492e",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "48c4da941469bf951146aed4d1e9a7e2",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 18443,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016\ufffdl\u0019u'\ufffd\ufffdq\ufffd\u0015\ufffd^+>\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd \ufffd\u001a\ufffdZ(\ufffdo\u0004\ufffd0\ufffd-\ufffd\u0013\ufffdI&\ufffd8\ufffd7\u0639\u0729fW\ufffd\ufffd=\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016\ufffdl\u0019u'\ufffd\ufffdq\ufffd\u0015\ufffd^+>\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd \ufffd\u001a\ufffdZ(\ufffdo\u0004\ufffd0\ufffd-\ufffd\u0013\ufffdI&\ufffd8\ufffd7\u0639\u0729fW\ufffd\ufffd=\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdU\u0015\ufffd\ufffd\u001bi\ufffdD\u001c\ufffdYZ\ufffd\ufffd30mr\ufffdQ\ufffdDU\ufffd\ufffd_\ufffd}\ufffd5",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016\ufffdl\u0019u'\ufffd\ufffdq\ufffd\u0015\ufffd^+>\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd \ufffd\u001a\ufffdZ(\ufffdo\u0004\ufffd0\ufffd-\ufffd\u0013\ufffdI&\ufffd8\ufffd7\u0639\u0729fW\ufffd\ufffd=\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "046367426e1a2ee3d51f75d4c78028061b93c7f8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016\ufffdl\u0019u'\ufffd\ufffdq\ufffd\u0015\ufffd^+>\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd \ufffd\u001a\ufffdZ(\ufffdo\u0004\ufffd0\ufffd-\ufffd\u0013\ufffdI&\ufffd8\ufffd7\u0639\u0729fW\ufffd\ufffd=\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 18443,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdlu'\ufffd\ufffdq\ufffd\ufffd^+>\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd \ufffd\ufffdZ(\ufffdo\ufffd0\ufffd-\ufffd\ufffdI&\ufffd8\ufffd7\u0639\u0729fW\ufffd\ufffd=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:18443 \u00b7 (reconnaissance)",
"target_port_label": "18443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 18443,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0016\ufffdl\u0019u'\ufffd\ufffdq\ufffd\u0015\ufffd^+>\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd \ufffd\u001a\ufffdZ(\ufffdo\u0004\ufffd0\ufffd-\ufffd\u0013\ufffdI&\ufffd8\ufffd7\u0639\u0729fW\ufffd\ufffd=\u001a\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 18443,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:18443 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdlu'\ufffd\ufffdq\ufffd\ufffd^+>\ufffd\ufffd3\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd0\ufffd \ufffd\ufffdZ(\ufffdo\ufffd0\ufffd-\ufffd\ufffdI&\ufffd8\ufffd7\u0639\u0729fW\ufffd\ufffd=&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "18443 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "18443"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 106,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 106,
"scan_velocity_ports_per_s": 76.72,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
20080 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:20080 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
20080
Chemin / cible
—
Service
TLS
Payload
�����������c!g�Li��N�p_���@�2���V�Jn��a� � �L�����:1�g$j����Z 8F!�_�O�Q�� ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������c!g�Li��N�p_���@�2���V�Jn��a��� �L�����:1�g$j����Z
8F!�_�O�Q�� ��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
�����������c!g�Li��N�p_���@�2���V�Jn��a� � �L�����:1�g$j����Z 8F!�_�O�Q�� ��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� �:V��I�ʞy�ʰ�#����=��|��M�[Yo
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.861158985593866,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 20080,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "3c7aa836f4d2624089a1a1ca98b26d96aac202bf",
"event_fingerprint": "fe07a4d554f8a31d2606279d1a4a184be3523ee6",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "a222d841c113d5c7a6c6199579702cc8",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 20080,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c!g\u0003Li\u0002\ufffdN\ufffdp_\ufffd\ufffd\ufffd@\u00112\ufffd\ufffd\ufffdV\u0006Jn\ufffd\ufffda\ufffd\u000b\ufffd \ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd:1\ufffdg$j\u0011\ufffd\ufffd\ufffdZ\n8F!\u001f_\ufffdO\u0012Q\ufffd\ufffd\t\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c!g\u0003Li\u0002\ufffdN\ufffdp_\ufffd\ufffd\ufffd@\u00112\ufffd\ufffd\ufffdV\u0006Jn\ufffd\ufffda\ufffd\u000b\ufffd \ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd:1\ufffdg$j\u0011\ufffd\ufffd\ufffdZ\n8F!\u001f_\ufffdO\u0012Q\ufffd\ufffd\t\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd:V\ufffd\ufffdI\ufffd\u029ey\u0016\u02b0\ufffd#\ufffd\ufffd\u0003\ufffd=\ufffd\ufffd|\ufffd\ufffdM\ufffd[Yo",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c!g\u0003Li\u0002\ufffdN\ufffdp_\ufffd\ufffd\ufffd@\u00112\ufffd\ufffd\ufffdV\u0006Jn\ufffd\ufffda\ufffd\u000b\ufffd \ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd:1\ufffdg$j\u0011\ufffd\ufffd\ufffdZ\n8F!\u001f_\ufffdO\u0012Q\ufffd\ufffd\t\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a9c3ca8496d2618ab2133d0e6a04babf4248e2b8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c!g\u0003Li\u0002\ufffdN\ufffdp_\ufffd\ufffd\ufffd@\u00112\ufffd\ufffd\ufffdV\u0006Jn\ufffd\ufffda\ufffd\u000b\ufffd \ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd:1\ufffdg$j\u0011\ufffd\ufffd\ufffdZ\n8F!\u001f_\ufffdO\u0012Q\ufffd\ufffd\t\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 20080,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdc!gLi\ufffdN\ufffdp_\ufffd\ufffd\ufffd@2\ufffd\ufffd\ufffdVJn\ufffd\ufffda\ufffd\ufffd \ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd:1\ufffdg$j\ufffd\ufffd\ufffdZ\n8F!_\ufffdOQ\ufffd\ufffd\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:20080 \u00b7 (reconnaissance)",
"target_port_label": "20080 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 20080,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003c!g\u0003Li\u0002\ufffdN\ufffdp_\ufffd\ufffd\ufffd@\u00112\ufffd\ufffd\ufffdV\u0006Jn\ufffd\ufffda\ufffd\u000b\ufffd \ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd:1\ufffdg$j\u0011\ufffd\ufffd\ufffdZ\n8F!\u001f_\ufffdO\u0012Q\ufffd\ufffd\t\u0004\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 20080,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:20080 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffdc!gLi\ufffdN\ufffdp_\ufffd\ufffd\ufffd@2\ufffd\ufffd\ufffdVJn\ufffd\ufffda\ufffd\ufffd \ufffdL\ufffd\ufffd\ufffd\ufffd\ufffd:1\ufffdg$j\ufffd\ufffd\ufffdZ\n8F!_\ufffdOQ\ufffd\ufffd\t&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "20080 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "20080"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 106,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 106,
"scan_velocity_ports_per_s": 76.11,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2082 · CPANEL
|
cpanel
|
Scan de ports
port scan syn · via CPANEL:2082 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
CPANEL
WAF
—
Recommandation
Surveiller
Tags
cpanel_emulated
net_port_scan_fast
tls_clienthello
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2082
Chemin / cible
—
Service
CPANEL
Payload
��������������1.b�P+��O������TE]&����@x\��> �� ���m����9��:�qh �A�T��^h�Q?��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 3 signal(aux) capteur
Protocole émulé
1
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������1.b�P+��O������TE]&����@x\��> ������m����9��:�qh �A�T��^h�Q?��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
��������������1.b�P+��O������TE]&����@x\��> �� ���m����9��:�qh �A�T��^h�Q?��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� =�f�� ���?$�|�A�@�.�82��=�c�Z��E
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206370737276642f31312e3131300d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2033380d0a0d0a3c68746d6c3e3c626f64793e6350616e656c204c6f67696e3c2f626f64793e3c2f68746d6c3e",
"emulator_response_len": 125,
"bytes_in": 239,
"payload_entropy": 5.80742706867075,
"port_category": "registered",
"org": "Google LLC",
"service": "cpanel",
"app_proto": "cpanel",
"asn": 396982,
"country": "US",
"dst_port": 2082,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "0b4a47a2f36e3235fd0c6d91053cdfb7836691d9",
"event_fingerprint": "a130665ff60459f5e004cdf43a9e128f62905988",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "cpanel",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "869fb59f96b45b5d7bb30cda0f471726",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja3": "19e29534fd49dd27d09234e639c4057e",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 2082,
"service": "cpanel",
"service_name": "cpanel",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u001d1.b\ufffdP+\ufffd\ufffdO\ufffd\ufffd\u0014\ufffd\ufffd\u001dTE]&\ufffd\u0002\ufffd\ufffd@x\\\ufffd\u0011> \ufffd\ufffd\f\ufffd\u0000\ufffdm\u0019\ufffd\b\ufffd9\ufffd\u001a:\ufffdqh\t\u0010A\u0006T\u0017\ufffd^h\ufffdQ?\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u001d1.b\ufffdP+\ufffd\ufffdO\ufffd\ufffd\u0014\ufffd\ufffd\u001dTE]&\ufffd\u0002\ufffd\ufffd@x\\\ufffd\u0011> \ufffd\ufffd\f\ufffd\u0000\ufffdm\u0019\ufffd\b\ufffd9\ufffd\u001a:\ufffdqh\t\u0010A\u0006T\u0017\ufffd^h\ufffdQ?\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 =\u0002f\ufffd\ufffd\u000b\u000f\u0016\ufffd?$\ufffd|\ufffdA\ufffd@\u001d.\ufffd82\ufffd\ufffd=\ufffdc\ufffdZ\ufffd\ufffdE",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u001d1.b\ufffdP+\ufffd\ufffdO\ufffd\ufffd\u0014\ufffd\ufffd\u001dTE]&\ufffd\u0002\ufffd\ufffd@x\\\ufffd\u0011> \ufffd\ufffd\f\ufffd\u0000\ufffdm\u0019\ufffd\b\ufffd9\ufffd\u001a:\ufffdqh\t\u0010A\u0006T\u0017\ufffd^h\ufffdQ?\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "22f1c457bef306047b0e721c95c9774b40609abe",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u001d1.b\ufffdP+\ufffd\ufffdO\ufffd\ufffd\u0014\ufffd\ufffd\u001dTE]&\ufffd\u0002\ufffd\ufffd@x\\\ufffd\u0011> \ufffd\ufffd\f\ufffd\u0000\ufffdm\u0019\ufffd\b\ufffd9\ufffd\u001a:\ufffdqh\t\u0010A\u0006T\u0017\ufffd^h\ufffdQ?\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd1.b\ufffdP+\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffdTE]&\ufffd\ufffd\ufffd@x\\\ufffd> \ufffd\ufffd\ufffd\ufffdm\ufffd\ufffd9\ufffd:\ufffdqh\tAT\ufffd^h\ufffdQ?&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via CPANEL:2082 \u00b7 (reconnaissance)",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via CPANEL \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 30,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "cpanel",
"service_label_fr": "CPANEL",
"dst_port": 2082,
"protocol_emulated": true,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-cpanel",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\u001d1.b\ufffdP+\ufffd\ufffdO\ufffd\ufffd\u0014\ufffd\ufffd\u001dTE]&\ufffd\u0002\ufffd\ufffd@x\\\ufffd\u0011> \ufffd\ufffd\f\ufffd\u0000\ufffdm\u0019\ufffd\b\ufffd9\ufffd\u001a:\ufffdqh\t\u0010A\u0006T\u0017\ufffd^h\ufffdQ?\b\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2082,
"service": "cpanel",
"service_label_fr": "CPANEL"
},
"attack_vector": "port scan syn \u00b7 via CPANEL:2082 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd1.b\ufffdP+\ufffd\ufffdO\ufffd\ufffd\ufffd\ufffdTE]&\ufffd\ufffd\ufffd@x\\\ufffd> \ufffd\ufffd\ufffd\ufffdm\ufffd\ufffd9\ufffd:\ufffdqh\tAT\ufffd^h\ufffdQ?&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "2082 \u00b7 CPANEL",
"emulator_service": "cpanel",
"confidence_reason": "Confiance 100 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "cpanel",
"service_banner": "honeypot-cpanel",
"service_os": "linux",
"dst_port": "2082"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 106,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 106,
"scan_velocity_ports_per_s": 75.69,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"cpanel_emulated",
"net_port_scan_fast",
"tls_clienthello"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
2001 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:2001 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2001
Chemin / cible
—
Service
TLS
Payload
����������������'#���4kl����0��Ų�<�($��=� ����?���!��s �Z����$W���"�i��[9�&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����������������'#���4kl����0��Ų�<�($��=� ����?���!��s��Z����$W���"�i��[9�&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
����������������'#���4kl����0��Ų�<�($��=� ����?���!��s �Z����$W���"�i��[9�&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� @��U�v�y�*p*$m�.�R����\� Ч��Ln
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.902891907983136,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 2001,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "d8595c40490d443497cc2fa061f9cb5f9bc1ce9d",
"event_fingerprint": "4dc2e8b44b637d37953a96601da33c995aa8ecf8",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "f264785f3494411e8eea55e1a2d67044",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 2001,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffd\u001a\ufffd'#\ufffd\ufffd\ufffd4kl\ufffd\ufffd\u0015\ufffd0\ufffd\ufffd\u0172\ufffd<\ufffd($\ufffd\ufffd=\ufffd \ufffd\ufffd\u0016\u0015?\ufffd\ufffd\ufffd!\u001f\ufffds\f\u0003Z\ufffd\ufffd\u0003\b$W\ufffd\ufffd\u001d\"\ufffdi\ufffd\ufffd[9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffd\u001a\ufffd'#\ufffd\ufffd\ufffd4kl\ufffd\ufffd\u0015\ufffd0\ufffd\ufffd\u0172\ufffd<\ufffd($\ufffd\ufffd=\ufffd \ufffd\ufffd\u0016\u0015?\ufffd\ufffd\ufffd!\u001f\ufffds\f\u0003Z\ufffd\ufffd\u0003\b$W\ufffd\ufffd\u001d\"\ufffdi\ufffd\ufffd[9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 @\u001c\ufffdU\ufffdv\ufffdy\ufffd*p*$m\ufffd.\u001bR\ufffd\u001d\ufffd\u001c\\\u001b\t\u0427\ufffd\ufffdLn",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffd\u001a\ufffd'#\ufffd\ufffd\ufffd4kl\ufffd\ufffd\u0015\ufffd0\ufffd\ufffd\u0172\ufffd<\ufffd($\ufffd\ufffd=\ufffd \ufffd\ufffd\u0016\u0015?\ufffd\ufffd\ufffd!\u001f\ufffds\f\u0003Z\ufffd\ufffd\u0003\b$W\ufffd\ufffd\u001d\"\ufffdi\ufffd\ufffd[9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8f22a2377a33b41f68b2dee257fe2228fdc057cf",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffd\u001a\ufffd'#\ufffd\ufffd\ufffd4kl\ufffd\ufffd\u0015\ufffd0\ufffd\ufffd\u0172\ufffd<\ufffd($\ufffd\ufffd=\ufffd \ufffd\ufffd\u0016\u0015?\ufffd\ufffd\ufffd!\u001f\ufffds\f\u0003Z\ufffd\ufffd\u0003\b$W\ufffd\ufffd\u001d\"\ufffdi\ufffd\ufffd[9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2001,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd'#\ufffd\ufffd\ufffd4kl\ufffd\ufffd\ufffd0\ufffd\ufffd\u0172\ufffd<\ufffd($\ufffd\ufffd=\ufffd \ufffd\ufffd?\ufffd\ufffd\ufffd!\ufffdsZ\ufffd\ufffd$W\ufffd\ufffd\"\ufffdi\ufffd\ufffd[9&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:2001 \u00b7 (reconnaissance)",
"target_port_label": "2001 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 2001,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\u0010\ufffd\u001a\ufffd'#\ufffd\ufffd\ufffd4kl\ufffd\ufffd\u0015\ufffd0\ufffd\ufffd\u0172\ufffd<\ufffd($\ufffd\ufffd=\ufffd \ufffd\ufffd\u0016\u0015?\ufffd\ufffd\ufffd!\u001f\ufffds\f\u0003Z\ufffd\ufffd\u0003\b$W\ufffd\ufffd\u001d\"\ufffdi\ufffd\ufffd[9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 2001,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:2001 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd'#\ufffd\ufffd\ufffd4kl\ufffd\ufffd\ufffd0\ufffd\ufffd\u0172\ufffd<\ufffd($\ufffd\ufffd=\ufffd \ufffd\ufffd?\ufffd\ufffd\ufffd!\ufffdsZ\ufffd\ufffd$W\ufffd\ufffd\"\ufffdi\ufffd\ufffd[9&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "2001 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "2001"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 106,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 106,
"scan_velocity_ports_per_s": 75.33,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|
|
|
TCP |
8290 · TLS
|
tls
|
Scan de ports
port scan syn · via TLS:8290 · (reconnaissance)
|
Élevée
|
Moyen · 42
|
|
Étape
Reconnaissance
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan rapide multi-ports
Campagne multi-ports
Multi-protocole corrélé (5 min)
Protocole
JA3 19e29534fd49dd27
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
net_port_scan_fast
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
8290
Chemin / cible
—
Service
TLS
Payload
������������Q���S�?��� m��9}̰8�R�U��L!V�Ґ #K����1�ۆ1B���JsW,�ra�!�gb��K��&�+�/�,�0̨̩� ��� �������/�5��� ���������w��������
Pourquoi cette classification : Type « port_scan_syn » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Corrélation +23
Risque capteur
Moyen
· 42
Confiance : Confiance 100 % — 4 signal(aux) capteur
Signaux
MITRE-T1046
SIGMA-net-port-scan
Beh Scan Burst
Beh Multi Port 60S
Tactiques MITRE
TA0043
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������Q���S�?��� m��9}̰8�R�U��L!V�Ґ #K����1�ۆ1B���JsW,�ra�!�gb��K��&�+�/�,�0̨̩� ���
�������/�5���
���������w�����
Requête brute (extrait)
������������Q���S�?��� m��9}̰8�R�U��L!V�Ґ #K����1�ۆ1B���JsW,�ra�!�gb��K��&�+�/�,�0̨̩� ��� �������/�5��� ���������w���������� � ����������� ����� ��������������������������������������+��������3�&�$��� ŷ �SR>��5���G�k���n���� �]F���+
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 239,
"payload_entropy": 5.798733527273596,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 8290,
"risk_waf": 8,
"risk_classification": 64,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 42,
"tag_count": 4,
"anomaly_count": 0,
"campaign_key": "50dbde776ffcac74d686397f119374cbd1654f8c",
"event_fingerprint": "be0c987559749b38926d68bbc3fb0e44f312d7e7",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 318,
"precision_signals": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"kb_rule_ids": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s",
"INT-upstream"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "82564259da11ba491300fa19b043c301",
"path_pattern_hash": "6a708bf69e8680803ad7dadb39e2e4d9",
"ja4": "7b5e3a15097abc10f88e98257ea51010",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0",
"tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010",
"tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 8290,
"service": "tls",
"service_name": "tls",
"risk_score": 42
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u0015\u0015\u0003S\u000e?\ufffd\ufffd\ufffd\tm\b\ufffd9}\u03308\ufffdR\ufffdU\ufffd\ufffdL!V\ufffd\u0490 #K\ufffd\ufffd\ufffd\ufffd1\ufffd\u06c61B\ufffd\u0001\ufffdJsW,\u0017ra\ufffd!\u001agb\u0004\ufffdK\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u0015\u0015\u0003S\u000e?\ufffd\ufffd\ufffd\tm\b\ufffd9}\u03308\ufffdR\ufffdU\ufffd\ufffdL!V\ufffd\u0490 #K\ufffd\ufffd\ufffd\ufffd1\ufffd\u06c61B\ufffd\u0001\ufffdJsW,\u0017ra\ufffd!\u001agb\u0004\ufffdK\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\u0005\u0004\u0003\u0004\u0003\u0003\u00003\u0000&\u0000$\u0000\u001d\u0000 \u0177\n\ufffdSR>\ufffd\ufffd5\u0002\ufffd\ufffdG\u0017k\ufffd\u000f\ufffdn\ufffd\u0012\ufffd\ufffd\f\ufffd]F\ufffd\u0016\ufffd+",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u0015\u0015\u0003S\u000e?\ufffd\ufffd\ufffd\tm\b\ufffd9}\u03308\ufffdR\ufffdU\ufffd\ufffdL!V\ufffd\u0490 #K\ufffd\ufffd\ufffd\ufffd1\ufffd\u06c61B\ufffd\u0001\ufffdJsW,\u0017ra\ufffd!\u001agb\u0004\ufffdK\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "recon",
"mitre_tactics": [
"TA0043"
],
"mitre_techniques": [
"T1046"
],
"mitre": "T1046",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "3ece21dbff6e1df0ec915e8160697a4c1711a9ee",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u0015\u0015\u0003S\u000e?\ufffd\ufffd\ufffd\tm\b\ufffd9}\u03308\ufffdR\ufffdU\ufffd\ufffdL!V\ufffd\u0490 #K\ufffd\ufffd\ufffd\ufffd1\ufffd\u06c61B\ufffd\u0001\ufffdJsW,\u0017ra\ufffd!\u001agb\u0004\ufffdK\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8290,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffdQS?\ufffd\ufffd\ufffd\tm\ufffd9}\u03308\ufffdR\ufffdU\ufffd\ufffdL!V\ufffd\u0490 #K\ufffd\ufffd\ufffd\ufffd1\ufffd\u06c61B\ufffd\ufffdJsW,ra\ufffd!gb\ufffdK\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"attack_vector": "port scan syn \u00b7 via TLS:8290 \u00b7 (reconnaissance)",
"target_port_label": "8290 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab port_scan_syn \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via TLS \u2014 multi-protocole (59 protocoles \u00b7 5 min)",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 64,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15,
"risk_score": 42,
"correlation_boost": 23
},
"attack_stage": "recon",
"attack_stage_label": "Reconnaissance",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 8290,
"protocol_emulated": null,
"tags_summary": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"INT-beh-scan-burst",
"INT-beh-multi-port-60s"
],
"tags_summary_labels_fr": [
"MITRE-T1046",
"SIGMA-net-port-scan",
"Beh Scan Burst",
"Beh Multi Port 60S"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1046",
"mitre_technique": "T1046",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_rapide",
"campagne_ports",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan rapide multi-ports",
"Campagne multi-ports",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +23",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdQ\u0015\u0015\u0003S\u000e?\ufffd\ufffd\ufffd\tm\b\ufffd9}\u03308\ufffdR\ufffdU\ufffd\ufffdL!V\ufffd\u0490 #K\ufffd\ufffd\ufffd\ufffd1\ufffd\u06c61B\ufffd\u0001\ufffdJsW,\u0017ra\ufffd!\u001agb\u0004\ufffdK\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000w\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"tls_ja3": "19e29534fd49dd27d09234e639c4057e",
"tls_ja4": "7b5e3a15097abc10f88e98257ea51010",
"port": 8290,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port scan syn \u00b7 via TLS:8290 \u00b7 (reconnaissance)",
"evidence_snippet": "\ufffd\ufffd\ufffdQS?\ufffd\ufffd\ufffd\tm\ufffd9}\u03308\ufffdR\ufffdU\ufffd\ufffdL!V\ufffd\u0490 #K\ufffd\ufffd\ufffd\ufffd1\ufffd\u06c61B\ufffd\ufffdJsW,ra\ufffd!gb\ufffdK\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\nw",
"target_port_label": "8290 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 100 % \u2014 4 signal(aux) capteur",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +23",
"campaign_hint_fr": "Campagne multi-ports d\u00e9tect\u00e9e sur une fen\u00eatre courte",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": true,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": false,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "8290"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"port_scan_campaign": true,
"port_scan_distinct_ports": 107,
"port_scan_ports_sample": [
81,
82,
554,
591,
1080,
1443,
2000,
2001,
2082,
2083,
2086,
2087,
2095,
2096,
2375,
2376
],
"rapid_port_scan": true,
"rapid_scan_distinct_ports": 107,
"scan_velocity_ports_per_s": 75.69,
"multi_category_scan": true,
"scan_category_diversity": [
"blockchain",
"cloud",
"game",
"web"
],
"multi_protocol_correlation": true,
"multi_protocol_count": 59,
"multi_protocol_sample": [
"activemq-console",
"aws-ecs-agent",
"cassandra-jmx",
"couchbase",
"couchdb",
"cpanel",
"cpanel-ssl",
"cpanel-whm"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"port_scan_campaign",
"rapid_port_scan",
"multi_category_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 23,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_port_scan_fast",
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
|