Détails IP 147.185.132.115

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_9999_tcp » (signaux protocolaires) · confiance 55%

Confiance 63 % — Score WAF 32 · Bonus corrélation +8 · 2 tag(s) WAF

Comparaison ASN / FAI

ASN 396982 · 147.185.132.0/22 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 19 événements sur la période pour cette IP.

34.79.100.73 Sonde port 8171/TCP 17/06/2026 07:01 UTC
34.52.186.237 Sonde port 12187/TCP 17/06/2026 07:01 UTC
35.195.254.25 Sonde port 7087/TCP 17/06/2026 07:01 UTC
34.133.37.84 Injection de commande 17/06/2026 07:00 UTC
34.23.238.40 Injection de commande 17/06/2026 07:00 UTC
34.140.200.16 Sonde port 12418/TCP 17/06/2026 06:57 UTC
35.205.32.71 imap bruteforce 17/06/2026 06:56 UTC
35.203.211.172 Scanner web 17/06/2026 06:54 UTC

IPs apparentées

Même FAI Google LLC — corrélation indicative.

34.79.100.73 Sonde port 8171/TCP
34.52.186.237 Sonde port 12187/TCP
35.195.254.25 Sonde port 7087/TCP
34.133.37.84 Injection de commande
34.23.238.40 Injection de commande

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 6 HTTP TCP 3 Telnet TCP 1 ADMIN ALT TCP 1 BGP TCP 1 POP3S TCP 1

TLS

6

HTTP

3

Telnet

1

ADMIN ALT

1

BGP

1

POP3S

1

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

19 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 05:52:08 UTC	TCP	9999 · HTTP	http	Sonde port 9999/TCP port 9999 tcp · via HTTP:9999 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.68.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_ua_suspicious Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9999 Chemin / cible / Preuve honeypot — Sonde port 9999/TCP Connexion détectée sur le port 9999 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_9999_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:9999 User-Agent: curl/7.68.0 Accept: / Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": "83a22baaf629d53e39c79d30e6b18dca9da1a92c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 79, "payload_entropy": 4.859310698323246, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 9999, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "b8fb7ada1bb97cffe5967ee8d432eb1e63c7071f", "event_fingerprint": "ecd48aafed40d134f2187ce905312e064de2c91d", "classification_reason": "Type \u00ab port_9999_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "a3be1cb67950391c8934b898c9a589f2", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 9999, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/", "classification_reason": "Type \u00ab port_9999_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "94457477f8bca65079993feada5836471ec9915c", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 9999, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/", "attack_vector": "port 9999 tcp \u00b7 via HTTP:9999 \u00b7 (sonde \/ probe)", "target_port_label": "9999 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_9999_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_9999_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 38\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 30, "risk_score": 38, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 9999, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 9999, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 9999 tcp \u00b7 via HTTP:9999 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:9999\r\nUser-Agent: curl\/7.68.0\r\nAccept: \/", "target_port_label": "9999 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "9999" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "admin-alt", "http" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "asn_dc_heuristic": true }
17/06/2026 05:52:07 UTC	TCP	9999 · ADMIN ALT	admin-alt	admin-alt admin-alt · via ADMIN ALT:9999 · (sonde / probe)	Faible	Faible · 12
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur ADMIN-ALT WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 9999 Chemin / cible — Service ADMIN ALT Payload ��Ѵ�� Pourquoi cette classification : Type « admin-alt » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Faible · 12 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0554 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��Ѵ�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 33, "payload_entropy": 4.695613058621275, "port_category": "registered", "org": "Google LLC", "service": "admin-alt", "app_proto": "admin-alt", "asn": 396982, "country": "US", "dst_port": 9999, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.7, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 15 }, "risk_score": 12, "tag_count": 0, "anomaly_count": 0, "campaign_key": "206c95a9eb725a1fc21f04db3e4cf4233b894a69", "event_fingerprint": "bdae3a5e708dccdbe307a2861747dd09885f206a", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 15, "risk_score": 12 }, "service_name": "admin-alt", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "67537aa0335059caded6733cb46a7122", "path_pattern_hash": "d3aaa0a3d94e4e5a70802f7b7e17f9f7" }, "target_context": { "dst_port": 9999, "service": "admin-alt", "service_name": "admin-alt", "risk_score": 12 }, "payload_preview": "\u0000\u0000\u0000\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\uf536\u0474\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd", "request_sample": "\u0000\u0000\u0000\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\uf536\u0474\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd", "payload_snippet": "\u0000\u0000\u0000\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\uf536\u0474\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd", "evidence": { "request_sample": "\u0000\u0000\u0000\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\uf536\u0474\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd", "payload_snippet": "\u0000\u0000\u0000\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\uf536\u0474\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd", "classification_reason": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a9441852faa773d40aed47ea488cf6f4dfa7ae3c", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\uf536\u0474\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd", "port": 9999, "service": "admin-alt", "service_label_fr": "ADMIN ALT" }, "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\uf536\u0474\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd", "attack_vector": "admin-alt \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)", "target_port_label": "9999 \u00b7 ADMIN ALT", "emulator_service": "admin-alt", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab admin-alt \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 15, "risk_score": 12 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 12, "risk_label": "Faible", "service_name": "admin-alt", "service_label_fr": "ADMIN ALT", "dst_port": 9999, "protocol_emulated": true, "tags_summary": [ "pat-0554" ], "tags_summary_labels_fr": [ "pat-0554" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-admin-alt", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0000\u0000\u0000\u001d\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\uf536\u0474\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd", "port": 9999, "service": "admin-alt", "service_label_fr": "ADMIN ALT" }, "attack_vector": "admin-alt \u00b7 via ADMIN ALT:9999 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\uf536\u0474\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd", "target_port_label": "9999 \u00b7 ADMIN ALT", "emulator_service": "admin-alt", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "admin_alt", "service_banner": "honeypot-admin-alt", "service_os": "linux", "dst_port": "9999" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
13/06/2026 19:49:12 UTC	TCP	995 · POP3S	pop3s	Sonde POP3 pop3 probe · via POP3S:995 · (sonde / probe)	Élevée	Moyen · 45
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur POP3S WAF — Recommandation Surveiller Tags net_pop3_probe pop3s_emulated tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 995 Chemin / cible — Service POP3S Payload okRH�#�:N�ⴂ/� T��y�h��="�� ,��n�Y�bhl�(=':��oȢד��幐(� �9k5=�� #��'3g2/< �� Pourquoi cette classification : Type « pop3_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 45 Confiance : Confiance 50 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) okRH�#�:N�ⴂ/� T��y�h��="�� ,��n�Y�bhl�(=':��oȢד��幐(� �9k5=�� #��'3g2/< �� Requête brute (extrait) okRH�#�:N�ⴂ/� T��y�h��="�� ,��n�Y�bhl�(=':��oȢד��幐(� �9k5=�� #��'3g2/< ��syndication.twimg.com� #��g`B��<�XO�iD��=]�L� ��B�� LDt}��`~G�h?2�(qݍ��(ى/� Meta JSON brut { "protocol_emulated": true, "emulator_response": "2b4f4b20504f503320686f6e6579706f742072656164790d0a", "emulator_response_len": 25, "bytes_in": 378, "payload_entropy": 6.862122963505114, "port_category": "well_known", "org": "Google LLC", "service": "pop3s", "app_proto": "pop3s", "asn": 396982, "country": "US", "dst_port": 995, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 45, "tag_count": 3, "anomaly_count": 0, "campaign_key": "71fb6554660ec7f81d99778d69d864b9864989b0", "event_fingerprint": "0353453bbb76e4d6b1b3ea18095b3c0820f92351", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0771" ], "classification_reason": "Type \u00ab pop3_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "service_name": "pop3s", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8b81809bfd53087ba03b6f3907cd619b", "path_pattern_hash": "44d5bece51c65fa33908cf3d76b6745a" }, "target_context": { "dst_port": 995, "service": "pop3s", "service_name": "pop3s", "risk_score": 45 }, "payload_snippet": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018", "evidence": { "request_sample": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018\u0000\u0000\u0015syndication.twimg.com\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\ufffd\ufffd\u0001\u0019g`\u001e\u0004B\ufffd\ufffd\ufffd<\ufffdXO\ufffdiD\ufffd\u001d\ufffd\u0001\ufffd\ufffd\ufffd=]\ufffd\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\n\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\u0016`~G\u0007\u0015\ufffdh?2\ufffd(q\u074d\ufffd\ufffd\u0003\ufffd(\u0649\/\u000f\u0007\ufffd", "payload_snippet": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018", "classification_reason": "Type \u00ab pop3_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "34dfc52c96339dc873537613200b4c853d5aebc6", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018", "port": 995, "service": "pop3s", "service_label_fr": "POP3S" }, "evidence_snippet": "okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\"\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\n\ufffd9k5=\ufffd\ufffd\t\ufffd#\ufffd\ufffd\ufffd'3g2\/<\n\ufffd\ufffd", "attack_vector": "pop3 probe \u00b7 via POP3S:995 \u00b7 (sonde \/ probe)", "target_port_label": "995 \u00b7 POP3S", "emulator_service": "pop3s", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab pop3_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab pop3_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 45 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 45, "risk_label": "Moyen", "service_name": "pop3s", "service_label_fr": "POP3S", "dst_port": 995, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-pop3s", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "pop3_auth_fr": "Sonde protocole POP3 (USER\/PASS)", "payload_preview": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018", "port": 995, "service": "pop3s", "service_label_fr": "POP3S" }, "attack_vector": "pop3 probe \u00b7 via POP3S:995 \u00b7 (sonde \/ probe)", "evidence_snippet": "okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\"\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\n\ufffd9k5=\ufffd\ufffd\t\ufffd#\ufffd\ufffd\ufffd'3g2\/<\n\ufffd\ufffd", "target_port_label": "995 \u00b7 POP3S", "emulator_service": "pop3s", "confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "pop3s", "service_banner": "honeypot-pop3s", "service_os": "linux", "dst_port": "995" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "net_pop3_probe", "pop3s_emulated", "tls_clienthello" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 01:14:19 UTC	TCP	24156 · TLS	tls	Sonde port 24156/TCP	Élevée	Moyen · 40
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 24156 Chemin / cible — Preuve honeypot — Sonde port 24156/TCP Connexion détectée sur le port 24156 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_24156_tcp » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header ET H.323 setup Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ieU��random1random2random3random4/ 9�0 ,* Meta JSON brut { "tls_ja3_hash": "16ee84a07b55074cb2751329bf1c8811", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 5, "bytes_in": 110, "payload_entropy": 4.269606220838881, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 24156, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 2.2, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0 }, "risk_score": 40, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b993e8829173d0cf7bd7b3b07be46ca216166706", "event_fingerprint": "00fa988d254da9ce99697acb22140a02f81f6f79", "classification_reason": "Type \u00ab port_24156_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "ET H.323 setup", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0868", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "rdp_probe", "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "16ee84a07b55074cb2751329bf1c8811", "payload_hash": "4ad5dce8143f2bcf1242885cff6e93f8", "path_pattern_hash": "cacac2204fc201922fb93e1a37026399", "ja4": "011b865e5f91ae5e1836c88110724dcb" }, "target_context": { "dst_port": 24156, "service": "tls", "service_name": "tls", "risk_score": 40 }, "payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "request_sample": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "evidence": { "request_sample": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "classification_reason": "Type \u00ab port_24156_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "81897d9acbad9d8ffab59790fd6344861f0384b9", "tls_ja3": "771,47-10-19-57-4-255,13,,", "tls_ja4_hash": "011b865e5f91ae5e1836c88110724dcb", "tls_ja4": "t13d0106_3fdba35f04dc_d03502c43d74", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "24156" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
07/06/2026 01:14:19 UTC	TCP	24156 · TLS	tls	Sonde TLS	Élevée	Faible · 35
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 24156 Chemin / cible — Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �2��>��^�X!��}�5)l��4'ۿ�� #Q���5S��?s��a�3[�[u��)nD\|>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �2��>��^�X!��}�5)l��4'ۿ�� # Q���5S��?s��a�3[�[u��)nD\|>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u # 0. + -3& Meta JSON brut { "tls_ja3_hash": "004556e859f3c26c5d19746b3a957c74", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "bytes_in": 517, "payload_entropy": 3.9526483192889468, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 24156, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 2.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b993e8829173d0cf7bd7b3b07be46ca216166706", "event_fingerprint": "35f7940077c40eab1c2bde0f41819f9e55c4dfdf", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0, "risk_score": 35 }, "service_name": "tls", "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "004556e859f3c26c5d19746b3a957c74", "payload_hash": "17d60bacd6f8f3e6e8bc972150e6d323", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 24156, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd>\ufffd\u0013\ufffd^\ufffdX\u0006!\ufffd\ufffd\u001e}\ufffd\u00175)l\ufffd\ufffd\ufffd4\b'\u06ff\ufffd\ufffd \ufffd#\u001e\u000bQ\ufffd\ufffd\ufffd\ufffd5S\ufffd\ufffd\ufffd?s\ufffd\ufffda\ufffd3[\ufffd[u\ufffd\ufffd)nD\|\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd>\ufffd\u0013\ufffd^\ufffdX\u0006!\ufffd\ufffd\u001e}\ufffd\u00175)l\ufffd\ufffd\ufffd4\b'\u06ff\ufffd\ufffd \ufffd#\u001e\u000bQ\ufffd\ufffd\ufffd\ufffd5S\ufffd\ufffd\ufffd?s\ufffd\ufffda\ufffd3[\ufffd[u\ufffd\ufffd)nD\|\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd>\ufffd\u0013\ufffd^\ufffdX\u0006!\ufffd\ufffd\u001e}\ufffd\u00175)l\ufffd\ufffd\ufffd4\b'\u06ff\ufffd\ufffd \ufffd#\u001e\u000bQ\ufffd\ufffd\ufffd\ufffd5S\ufffd\ufffd\ufffd?s\ufffd\ufffda\ufffd3[\ufffd[u\ufffd\ufffd)nD\|\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd>\ufffd\u0013\ufffd^\ufffdX\u0006!\ufffd\ufffd\u001e}\ufffd\u00175)l\ufffd\ufffd\ufffd4\b'\u06ff\ufffd\ufffd \ufffd#\u001e\u000bQ\ufffd\ufffd\ufffd\ufffd5S\ufffd\ufffd\ufffd?s\ufffd\ufffda\ufffd3[\ufffd[u\ufffd\ufffd)nD\|\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u00032\ufffd\ufffd>\ufffd\u0013\ufffd^\ufffdX\u0006!\ufffd\ufffd\u001e}\ufffd\u00175)l\ufffd\ufffd\ufffd4\b'\u06ff\ufffd\ufffd \ufffd#\u001e\u000bQ\ufffd*\ufffd\ufffd\ufffd5S\ufffd\ufffd\ufffd?s\ufffd\ufffda\ufffd3[\ufffd[u\ufffd\ufffd)nD\|\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9285c9f04b93444645f52055ea7d71bb377663d2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "24156" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
07/06/2026 01:14:16 UTC	TCP	24156	—	Sonde port	Faible	Moyen · 44
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 24156 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 24156, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 1.1, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "1147f5eddeb9af29a21e1cf611234fc72148800d", "event_fingerprint": "3556a79cfaecff9a4e3fa6b982a472079ea93b53", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 24156, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "821220fef07c519d6de6df7e0025039d13248e9d", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "24156" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
06/06/2026 03:50:07 UTC	TCP	3905	tls	Sonde PostgreSQL	Élevée	Faible · 30
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3905 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Pw�k��W^�m��[޽�nψ\|1�5�' _��3I��m�rz]�)�Ǒi��&�+�/�,�0̨̩� �� /5� { Requête brute (extrait) ��Pw�k��W^�m��[޽�nψ\|1�5�' _��3I��m�rz]�)�Ǒi��&�+�/�,�0̨̩� �� /5� { �+ 3&$ <�s�\��E��U�3�t��tS�� Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 243, "payload_entropy": 5.815230851659709, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 3905, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 30, "tag_count": 3, "anomaly_count": 0, "campaign_key": "229515df8c3bbb594cc0c03549ec93f9eb14dafd", "event_fingerprint": "c1243a63260c7c27765b2da8e32602d903a84488", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "f01879fe226e966d328318fea563f637", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 3905, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdPw\u0018\ufffdk\ufffd\ufffdW^\ufffdm\u0011\ufffd\ufffd\u0012\ufffd[\u07bd\u0013\ufffdn\u03c8\|1\ufffd5\ufffd' _\ufffd\ufffd\ufffd\ufffd3\u0015I\ufffd\u001e\ufffd\u0015\u0001\ufffd\ufffd\ufffd\ufffdm\ufffdrz]\u0010\ufffd)\ufffd\u01d1i\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdPw\u0018\ufffdk\ufffd\ufffdW^\ufffdm\u0011\ufffd\ufffd\u0012\ufffd[\u07bd\u0013\ufffdn\u03c8\|1\ufffd5\ufffd' _\ufffd\ufffd\ufffd\ufffd3\u0015I\ufffd\u001e\ufffd\u0015\u0001\ufffd\ufffd\ufffd\ufffdm\ufffdrz]\u0010\ufffd)\ufffd\u01d1i\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 <\ufffds\ufffd\u001d\u0019\\\ufffd\ufffd\ufffdE\ufffd\ufffd\u0015\u0013\ufffd\ufffdU\ufffd3\ufffdt\ufffd\ufffd\ufffd\ufffd\u0011tS\ufffd\ufffd\u0018", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdPw\u0018\ufffdk\ufffd\ufffdW^\ufffdm\u0011\ufffd\ufffd\u0012\ufffd[\u07bd\u0013\ufffdn\u03c8\|1\ufffd5\ufffd' _\ufffd\ufffd\ufffd\ufffd3\u0015I\ufffd\u001e\ufffd\u0015\u0001\ufffd\ufffd\ufffd\ufffdm\ufffdrz]\u0010\ufffd)\ufffd\u01d1i\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdPw\u0018\ufffdk\ufffd\ufffdW^\ufffdm\u0011\ufffd\ufffd\u0012\ufffd[\u07bd\u0013\ufffdn\u03c8\|1\ufffd5\ufffd' _\ufffd\ufffd\ufffd\ufffd3\u0015I\ufffd\u001e\ufffd\u0015\u0001\ufffd\ufffd\ufffd\ufffdm\ufffdrz]\u0010\ufffd)\ufffd\u01d1i\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 <\ufffds\ufffd\u001d\u0019\\\ufffd\ufffd\ufffdE\ufffd\ufffd\u0015\u0013\ufffd\ufffdU\ufffd3\ufffdt\ufffd\ufffd\ufffd\ufffd\u0011tS\ufffd\ufffd\u0018", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdPw\u0018\ufffdk\ufffd\ufffdW^\ufffdm\u0011\ufffd\ufffd\u0012\ufffd[\u07bd\u0013\ufffdn\u03c8\|1\ufffd5\ufffd' _\ufffd\ufffd\ufffd\ufffd3\u0015I\ufffd\u001e\ufffd\u0015\u0001\ufffd\ufffd\ufffd\ufffdm\ufffdrz]\u0010\ufffd)\ufffd\u01d1i\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "70c5d8955ba97daee1988accfe933e979326337a", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
06/06/2026 03:50:07 UTC	TCP	3905	tls	Sonde PostgreSQL	Élevée	Faible · 30
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3905 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��;[�?�~A�]0��ס0�!��$3Ph��/�+�0�,��'�#�� (�$�� gk39��<=/5� Requête brute (extrait) ��;[�?�~A�]0�� ס0�!��$3Ph��/�+�0�,��'�#�� (�$�� gk39��<=/5� 2�8@fj��5 � Meta JSON brut { "tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 29, "bytes_in": 207, "payload_entropy": 4.941711367920075, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 3905, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 5.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 30, "tag_count": 3, "anomaly_count": 0, "campaign_key": "229515df8c3bbb594cc0c03549ec93f9eb14dafd", "event_fingerprint": "9479949115bd9a9e1ab7251aba857dda75af3825", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "795bc7ce13f60d61e9ac03611dd36d90", "payload_hash": "b9ac990ef63daef76a502f13fa51a480", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 3905, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;[\ufffd?\ufffd\u001d~\u0007A\ufffd]\u001d0\u001a\ufffd\ufffd\u000b\ufffd\ufffd\u0018\u05e10\ufffd!\ufffd\ufffd\ufffd\ufffd$3P\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;[\ufffd?\ufffd\u001d~\u0007A\ufffd]\u001d0\u001a\ufffd\ufffd\u000b\ufffd\ufffd\u0018\u05e10\ufffd!\ufffd\ufffd\ufffd\ufffd$3P\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;[\ufffd?\ufffd\u001d~\u0007A\ufffd]\u001d0\u001a\ufffd\ufffd\u000b\ufffd\ufffd\u0018\u05e10\ufffd!\ufffd\ufffd\ufffd\ufffd$3P\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;[\ufffd?\ufffd\u001d~\u0007A\ufffd]\u001d0\u001a\ufffd\ufffd\u000b\ufffd\ufffd\u0018\u05e10\ufffd!\ufffd\ufffd\ufffd\ufffd$3P\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003;[\ufffd?\ufffd\u001d~\u0007A\ufffd]\u001d0\u001a\ufffd\ufffd\u000b\ufffd\ufffd\u0018\u05e10\ufffd!\ufffd\ufffd\ufffd\ufffd$3P\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6925e062963c5b93b7650ea4503eeb0e424eb7b6", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
05/06/2026 22:52:09 UTC	TCP	10001	tls	Sonde RDP	Élevée	Faible · 32
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10001 Chemin / cible — Pourquoi cette classification : Type « rdp_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ieU��random1random2random3random4/ 9�0 ,* Meta JSON brut { "tls_ja3_hash": "16ee84a07b55074cb2751329bf1c8811", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 5, "bytes_in": 110, "payload_entropy": 4.269606220838881, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 10001, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0 }, "risk_score": 32, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1dacb0b4a66d726e2b0656ec2d0f6d288e024c04", "event_fingerprint": "e6d894c5f693e06b951736f009634ef294987234", "classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0554", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "16ee84a07b55074cb2751329bf1c8811", "payload_hash": "4ad5dce8143f2bcf1242885cff6e93f8", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 10001, "service": "tls" }, "payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "request_sample": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "evidence": { "request_sample": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002", "classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5b94fa668ca3c27414f615743dbe1d6520e6e415", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
05/06/2026 22:52:09 UTC	TCP	10001	tls	Sonde TLS	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10001 Chemin / cible — Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��s�o��ɱa��,��K��c �F=�Q��NT�K��u�@]�6%Ī}ro�yn��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) ��s�o��ɱa��,��K��c �F =�Q��NT�K��u�@]�6%Ī}ro�yn��>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u # 0. + -3& Meta JSON brut { "tls_ja3_hash": "004556e859f3c26c5d19746b3a957c74", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "bytes_in": 517, "payload_entropy": 3.980624983887116, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 10001, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 4.1, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0 }, "risk_score": 28, "tag_count": 3, "anomaly_count": 0, "campaign_key": "1dacb0b4a66d726e2b0656ec2d0f6d288e024c04", "event_fingerprint": "863c8deda4cdf43cfb8746e468025b72648a559c", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "004556e859f3c26c5d19746b3a957c74", "payload_hash": "4c605500a50734d7e04d1dbf52b4e586", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 10001, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0007s\ufffdo\ufffd\ufffd\u0271a\ufffd\ufffd\ufffd\u001f\ufffd,\ufffd\ufffdK\u0003\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdc \ufffdF\u000b=\ufffdQ\ufffd\ufffdNT\ufffdK\ufffd\ufffdu\ufffd@]\ufffd6%\u012a}r\u0006o\ufffdyn\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0007s\ufffdo\ufffd\ufffd\u0271a\ufffd\ufffd\ufffd\u001f\ufffd,\ufffd\ufffdK\u0003\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdc \ufffdF\u000b=\ufffdQ\ufffd\ufffdNT\ufffdK\ufffd\ufffdu\ufffd@]\ufffd6%\u012a}r\u0006o\ufffdyn\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0007s\ufffdo\ufffd\ufffd\u0271a\ufffd\ufffd\ufffd\u001f\ufffd,\ufffd\ufffdK\u0003\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdc \ufffdF\u000b=\ufffdQ\ufffd\ufffdNT\ufffdK\ufffd\ufffdu\ufffd@]\ufffd6%\u012a}r\u0006o\ufffdyn\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0007s\ufffdo\ufffd\ufffd\u0271a\ufffd\ufffd\ufffd\u001f\ufffd,\ufffd\ufffdK\u0003\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdc \ufffdF\u000b=\ufffdQ\ufffd\ufffdNT\ufffdK\ufffd\ufffdu\ufffd@]\ufffd6%\u012a}r\u0006o\ufffdyn\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\ufffd\ufffd\u0007s\ufffdo\ufffd\ufffd\u0271a\ufffd\ufffd\ufffd\u001f\ufffd,\ufffd\ufffdK\u0003\ufffd\ufffd\ufffd\ufffd\u001b\ufffd\ufffd\ufffd\ufffdc \ufffdF\u000b=\ufffdQ\ufffd\ufffdNT\ufffdK\ufffd\ufffdu\ufffd@]\ufffd6%\u012a}r\u0006o\ufffdyn\ufffd\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba619b98e6bad5143b511bb37b6da4296380cd31", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
05/06/2026 22:52:05 UTC	TCP	10001	—	Sonde port	Faible	Faible · 23
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 10001 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 10001, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 23, "tag_count": 0, "anomaly_count": 0, "campaign_key": "c8774c5c15555175ad0d02b850edd6ae05db22be", "event_fingerprint": "d094048d5224fc3a7572cc0a0bcf03454a1324a8", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 10001 }, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "fba8b8de4463ddb0658960215289983a389b4f95", "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
04/06/2026 03:08:50 UTC	TCP	4024	—	Sonde port	Faible	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 4024 Chemin / cible — Confiance classification 55% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 7net.tcp://127.0.0.1:4024/Microsoft/VisualStudio/msvsmon Meta JSON brut { "bytes_in": 65, "payload_entropy": 4.835915267201321, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 4024, "risk_waf": 8, "risk_classification": 30, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4, "risk_breakdown": { "waf": 8, "classification": 30, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 15 }, "risk_score": 20, "tag_count": 0, "anomaly_count": 0, "campaign_key": "13277feb57ac275edeed4a0b3709ba19eebac788", "event_fingerprint": "c55e6d6c21f4bdf11d8e81017096efedd4a6b97d", "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7767f9a389d8318cbd4cff9e739a355a", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 4024 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "confidence": 0.55, "classification_confidence": 0.55, "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "payload_preview": "\u0000\u0001\u0000\u0001\u0002\u00027net.tcp:\/\/127.0.0.1:4024\/Microsoft\/VisualStudio\/msvsmon\u0003\b\f", "event_signature": "02635ba137493fea038e23dfd3489420a16db2e3", "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
01/06/2026 00:21:13 UTC	TCP	2323	—	port attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
28/05/2026 16:59:50 UTC	TCP	23	telnet	telnet attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 00:22:07 UTC	TCP	179	bgp	bgp	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
24/05/2026 03:38:50 UTC	TCP	4786	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
22/05/2026 05:50:19 UTC	TCP	10443	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10443 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "2cf5af0b13931b66cab59dd3d82974768acd327c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 219, "payload_entropy": 5.102374078311707, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "809eacf92f6b496c74e4ddf39a279f1cbb12d542", "event_fingerprint": "abab8689f9cd2396c292ea70c91cf9363a23bbce", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
21/05/2026 02:03:54 UTC	TCP	1026	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
19/05/2026 00:52:08 UTC	TCP	7777	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7777 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "434883bb641a2e9cbc2ec385cba5dca817862768", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.094935618782794, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "54f9763c3ba8f1a7138cb1edf591f010722ef189", "event_fingerprint": "6e39ae3fce5a2b2a87694047d2b6f225c18e7102", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

147.185.132.115

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence