14.103.131.92

{
    "protocol_emulated": true,
    "emulator_response": "5353482d322e302d4f70656e5353485f382e397031205562756e74752d347562756e7475302e360d0a",
    "emulator_response_len": 41,
    "bytes_in": 22,
    "payload_entropy": 3.879664004902593,
    "port_category": "well_known",
    "org": "China Telecom (Group)",
    "service": "ssh",
    "app_proto": "ssh",
    "asn": 4811,
    "country": "CN",
    "dst_port": 22,
    "risk_waf": 8,
    "risk_classification": 50,
    "risk_behavior": 0,
    "risk_geo": 0,
    "risk_protocol": 36,
    "risk_novelty": 0,
    "risk_boost": 0,
    "risk_granularity": 4.9,
    "risk_breakdown": {
        "waf": 8,
        "classification": 50,
        "behavior": 0,
        "geo": 0,
        "protocol": 36,
        "novelty": 0
    },
    "risk_score": 50,
    "tag_count": 4,
    "anomaly_count": 0,
    "campaign_key": "1efbef00a6a3897d4246673af2d8877c22845cca",
    "event_fingerprint": "bc4e3fa786c83e0db7c1c892cb0c288f6b14388f",
    "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
    "confidence": 1,
    "classification_confidence": 1,
    "precision_score": 195,
    "precision_signals": [
        "INT-ssh-libssh-ua",
        "pat-0391",
        "pat-0392",
        "INT-upstream"
    ],
    "kb_rule_ids": [
        "INT-ssh-libssh-ua",
        "pat-0391",
        "pat-0392",
        "INT-upstream"
    ],
    "matched_patterns": [
        "pat-0391",
        "pat-0392"
    ],
    "matched_pattern_names": [
        "SSH-2.0 banner RFC4253",
        "libssh banner"
    ],
    "pattern_ids": [
        "pat-0391",
        "pat-0392"
    ],
    "confidence_breakdown": {
        "waf": 8,
        "classification": 50,
        "behavior": 0,
        "geo": 0,
        "protocol": 36,
        "novelty": 0,
        "risk_score": 50
    },
    "named_classification_skipped": false,
    "service_name": "ssh",
    "risk_confidence_factor": 100,
    "city": null,
    "is_datacenter": false,
    "is_tor_hint": false,
    "geo": {
        "country": "CN",
        "asn": 4811,
        "org": "China Telecom (Group)",
        "is_datacenter": false,
        "is_tor_hint": false
    },
    "fingerprint": {
        "payload_hash": "c6c435cd5755c7361597477daa7a2618",
        "path_pattern_hash": "4368b1c212b6962fb95d1d1144451aca"
    },
    "target_context": {
        "dst_port": 22,
        "service": "ssh",
        "service_name": "ssh",
        "risk_score": 50
    },
    "payload_preview": "SSH-2.0-libssh_0.9.6\r\n",
    "request_sample": "SSH-2.0-libssh_0.9.6\r\n",
    "payload_snippet": "SSH-2.0-libssh_0.9.6",
    "evidence": {
        "request_sample": "SSH-2.0-libssh_0.9.6\r\n",
        "payload_snippet": "SSH-2.0-libssh_0.9.6",
        "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%"
    },
    "attack_stage": "probe",
    "mitre_tactics": [
        "TA0007",
        "TA0001"
    ],
    "mitre_techniques": [
        "T1046",
        "T1595"
    ],
    "mitre": "T1046",
    "threat_family": [
        "scanner"
    ],
    "recommended_client_action": "investigate",
    "policy_mode": "intelligence",
    "sensor_role": "threat_intelligence",
    "event_signature": "90fe9e307095e3c59ec7b378ee8ff1a926ebaab6",
    "protocol_details": {
        "ssh_banner": "SSH-2.0-libssh_0.9.6",
        "port": 22,
        "service": "ssh",
        "service_label_fr": "SSH"
    },
    "evidence_snippet": "SSH-2.0-libssh_0.9.6",
    "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
    "target_port_label": "22 \u00b7 SSH",
    "emulator_service": "ssh",
    "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
    "site_display": {
        "classification": null,
        "classification_reason": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
        "classification_reason_label_fr": "Banni\u00e8re client SSH re\u00e7ue \u00b7 confiance 100%",
        "confidence_pct": 100,
        "confidence_breakdown": {
            "waf": 8,
            "classification": 50,
            "behavior": 0,
            "geo": 0,
            "protocol": 36,
            "novelty": 0,
            "risk_score": 50
        },
        "attack_stage": "probe",
        "attack_stage_label": "Sonde \/ probe",
        "attack_chain_stage": "discovery",
        "attack_chain_stage_label_fr": "D\u00e9couverte",
        "risk_score": 50,
        "risk_label": "Moyen",
        "service_name": "ssh",
        "service_label_fr": "SSH",
        "dst_port": 22,
        "protocol_emulated": true,
        "tags_summary": [
            "INT-ssh-libssh-ua",
            "pat-0391",
            "pat-0392",
            "INT-upstream"
        ],
        "tags_summary_labels_fr": [
            "Client SSH libssh\/paramiko (scanner)",
            "pat-0391",
            "pat-0392",
            "Upstream"
        ],
        "recommended_action": "investigate",
        "recommended_action_label": "Investiguer",
        "mitre": "T1046",
        "mitre_technique": "T1046",
        "persona_hostname": "mail.sensor-1.internal",
        "persona_service_banner": "OpenSSH_8.9p1 Ubuntu",
        "correlation_flags": null,
        "correlation_flags_labels_fr": null,
        "sensor_role": "threat_intelligence",
        "sensor_role_label_fr": "Renseignement menaces",
        "confidence_hint_fr": null,
        "protocol_details": {
            "ssh_banner": "SSH-2.0-libssh_0.9.6",
            "port": 22,
            "service": "ssh",
            "service_label_fr": "SSH"
        },
        "attack_vector": "Sonde SSH \u00b7 via SSH:22 \u00b7 (sonde \/ probe)",
        "evidence_snippet": "SSH-2.0-libssh_0.9.6",
        "target_port_label": "22 \u00b7 SSH",
        "emulator_service": "ssh",
        "confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9"
    },
    "honeypot_persona": {
        "sensor_id": "sensor-1",
        "hostname": "mail.sensor-1.internal",
        "mail_host": "mail.sensor-1.internal",
        "ldap_dc": "dc.sensor-1.internal",
        "k8s_cluster": "hp-sensor-1",
        "domain": "sensor-1.internal",
        "service_role": "ssh",
        "service_banner": "OpenSSH_8.9p1 Ubuntu",
        "service_os": "linux",
        "dst_port": "22"
    },
    "hostname": "mail.sensor-1.internal",
    "sensor_id": "sensor-1",
    "attack_chain_stage": "discovery",
    "ban_policy": "advisory_investigate",
    "tags_list": [
        "net_ssh_probe",
        "ssh_banner",
        "ssh_emulated",
        "ssh_libssh"
    ]
}