Détails IP 147.185.132.138

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « mssql_tds » (signaux protocolaires) · confiance 95%

Confiance 95 % — Score WAF 8

Comparaison ASN / FAI

ASN 396982 · 147.185.132.0/22 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 20 événements sur la période pour cette IP.

205.210.31.110 Scanner web 17/06/2026 19:22 UTC
198.235.24.167 Sonde port 17/06/2026 19:21 UTC
205.210.31.38 Sonde port 17/06/2026 19:19 UTC
147.185.132.201 Sonde PostgreSQL 17/06/2026 19:19 UTC
205.210.31.132 Sonde PostgreSQL 17/06/2026 19:19 UTC
198.235.24.82 Sonde PostgreSQL 17/06/2026 19:17 UTC
35.194.2.16 Sonde SMB 17/06/2026 19:17 UTC
198.235.24.201 Sonde IMAP 17/06/2026 19:17 UTC

IPs apparentées

Même FAI Google LLC — corrélation indicative.

205.210.31.110 Scanner web
198.235.24.167 Sonde port
205.210.31.38 Sonde port
147.185.132.201 Sonde PostgreSQL
205.210.31.132 Sonde PostgreSQL

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 9 HTTP TCP 3 HTTP ALT 8082 TCP 2 MSSQL TCP 2 X11 2 TCP 1

TLS

9

HTTP

3

HTTP ALT 8082

2

MSSQL

2

X11 2

1

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

20 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 16:13:18 UTC	TCP	1433 · MSSQL	mssql	Protocole TDS MSSQL mssql tds · via MSSQL:1433 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur MSSQL WAF — Recommandation Surveiller Tags mssql_emulated mssql_payload mssql_probe mssql_tds Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 1433 Chemin / cible — Service MSSQL Payload )� w Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Faible · 35 Confiance : Confiance 95 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0519 Upstream Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Mumble ping STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) )� w Meta JSON brut { "protocol_emulated": true, "emulator_response": "001f00001a00060000000000000000000000000000000000000000000000000000", "emulator_response_len": 33, "bytes_in": 41, "payload_entropy": 2.6815242952410756, "port_category": "registered", "org": "Google LLC", "service": "mssql", "app_proto": "mssql", "asn": 396982, "country": "US", "dst_port": 1433, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 36, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 2.9, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 10 }, "risk_score": 35, "tag_count": 5, "anomaly_count": 0, "campaign_key": "584dc8ab43572550a5af46f03637ac724e8c86c3", "event_fingerprint": "24635733bde8ab881cad2aa5e51b4b5bf5e45e9f", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 83, "precision_signals": [ "pat-0519", "INT-upstream" ], "kb_rule_ids": [ "pat-0519", "INT-upstream" ], "matched_patterns": [ "pat-0519", "pat-0768", "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Mumble ping", "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0519", "pat-0768", "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 10, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "mssql", "risk_confidence_factor": 95, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "3acc3d5dfc994aab3ac70f92a2b0e916", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 1433, "service": "mssql", "service_name": "mssql", "risk_score": 35 }, "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0001\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\t\u0000\u0005w\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\u0012\u0001\u0000)\u0000\u0000\u0001\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\t\u0000\u0005w\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000)\u0000\u0000\u0001\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\t\u0000\u0005w\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0012\u0001\u0000)\u0000\u0000\u0001\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\t\u0000\u0005w\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0001\u0000)\u0000\u0000\u0001\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\t\u0000\u0005w\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "24b8f524c37c4a2f2af2175c6474941eec8af0c6", "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0001\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\t\u0000\u0005w\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "evidence_snippet": ")\ufffd\tw", "attack_vector": "mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 40, "protocol": 36, "novelty": 10, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "mssql", "service_label_fr": "MSSQL", "dst_port": 1433, "protocol_emulated": true, "tags_summary": [ "pat-0519", "INT-upstream" ], "tags_summary_labels_fr": [ "pat-0519", "Upstream" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-mssql", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "mssql_tds_fr": "Connexion TDS Microsoft SQL Server", "payload_preview": "\u0012\u0001\u0000)\u0000\u0000\u0001\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\u0001\u0003\u0000\u001d\u0000\u0004\ufffd\t\u0000\u0005w\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "port": 1433, "service": "mssql", "service_label_fr": "MSSQL" }, "attack_vector": "mssql tds \u00b7 via MSSQL:1433 \u00b7 (sonde \/ probe)", "evidence_snippet": ")\ufffd\tw", "target_port_label": "1433 \u00b7 MSSQL", "emulator_service": "mssql", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "mssql", "service_banner": "honeypot-mssql", "service_os": "linux", "dst_port": "1433" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_emulated", "mssql_payload", "mssql_probe", "mssql_tds", "net_mssql_tds" ], "asn_dc_heuristic": true }
17/06/2026 01:10:57 UTC	TCP	6002 · X11 2	x11-2	x11-2 x11-2 · via X11 2:6002 · (sonde / probe)	Faible	Faible · 1
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur X11-2 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6002 Chemin / cible — Service X11 2 Pourquoi cette classification : Type « x11-2 » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 1 Confiance : Confiance faible (0 %) — classification prudente Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f74207831315f3220726561647920706f72743d363030320d0a", "emulator_response_len": 36, "port_inferred_service": true, "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Google LLC", "service": "x11-2", "app_proto": "x11-2", "asn": 396982, "country": "US", "dst_port": 6002, "risk_waf": 8, "risk_classification": 0, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 22, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0 }, "risk_score": 1, "tag_count": 0, "anomaly_count": 0, "campaign_key": "e7d282a0ec19c46689c9e64b2d1946d47190a742", "event_fingerprint": "48f3321cd2ff669cc459d0416d74b754cdcc79de", "classification_reason": "Type \u00ab x11-2 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "named_classification_skipped": false, "service_name": "x11-2", "risk_confidence_factor": 0, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "db0b049a283e8c56ee1d83545ddd27af" }, "target_context": { "dst_port": 6002, "service": "x11-2", "service_name": "x11-2", "risk_score": 1 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "45f6944fde49748263403f07ca378198f90710cc", "protocol_details": { "port": 6002, "service": "x11-2", "service_label_fr": "X11 2" }, "attack_vector": "x11-2 \u00b7 via X11 2:6002 \u00b7 (sonde \/ probe)", "target_port_label": "6002 \u00b7 X11 2", "emulator_service": "x11-2", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "site_display": { "classification": null, "classification_reason": "Type \u00ab x11-2 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab x11-2 \u00bb (signaux protocolaires) \u00b7 confiance 0%", "executive_one_liner_fr": "Activit\u00e9 suspecte", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 0, "behavior": 0, "geo": 40, "protocol": 22, "novelty": 0, "risk_score": 1 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 1, "risk_label": "Faible", "service_name": "x11-2", "service_label_fr": "X11 2", "dst_port": 6002, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-x11-2", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 6002, "service": "x11-2", "service_label_fr": "X11 2" }, "attack_vector": "x11-2 \u00b7 via X11 2:6002 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "6002 \u00b7 X11 2", "emulator_service": "x11-2", "confidence_reason": "Confiance faible (0 %) \u2014 classification prudente", "confidence_factors_fr": null, "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "x11_2", "service_banner": "honeypot-x11-2", "service_os": "linux", "dst_port": "6002" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
08/06/2026 03:14:26 UTC	TCP	8082 · HTTP ALT 8082	http-alt-8082	Sonde PostgreSQL postgres probe · via HTTP ALT 8082:8082 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur HTTP-ALT-8082 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8082 Chemin / cible — Service HTTP ALT 8082 Payload ��R��:,� E�8h}5�Ǯ��"�n�^�I�>� ,��8=6�'�c[hX��rg��ŉ&�+�/�,�0̨̩� �� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��R��:,�E�8h}5�Ǯ��"�n�^�I�>� ,��8=6�'�c[hX��rg��ŉ&�+�/�,�0̨̩� �� /5� { Requête brute (extrait) ��R��:,� E�8h}5�Ǯ��"�n�^�I�>� ,��8=6�'�c[hX��rg��ŉ&�+�/�,�0̨̩� �� /5� { �+ 3&$ ��h��EC7��/��`�P��\|��B��4 Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 243, "payload_entropy": 5.84528490099296, "port_category": "registered", "org": "Google LLC", "service": "http-alt-8082", "app_proto": "http-alt-8082", "asn": 396982, "country": "US", "dst_port": 8082, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "3888d1be70f33732522d873896cc453ceef75286", "event_fingerprint": "0e49cbf0cd38e11c005312d70c60a0ee389bb82f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8082", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "efa2516685ccb69556c4525e693598fb", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "19e29534fd49dd27d09234e639c4057e", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8082, "service": "http-alt-8082", "service_name": "http-alt-8082", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\u0019\ufffd:,\ufffd\fE\ufffd8h}5\ufffd\u01ee\ufffd\ufffd\ufffd\"\ufffdn\ufffd\u0004^\ufffdI\ufffd>\ufffd ,\ufffd\ufffd\ufffd\ufffd\ufffd8=6\ufffd'\b\ufffdc[h\u0002X\u0001\u001a\ufffd\ufffd\u001d\u001brg\ufffd\ufffd\ufffd\ufffd\u0149\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\u0019\ufffd:,\ufffd\fE\ufffd8h}5\ufffd\u01ee\ufffd\ufffd\ufffd\"\ufffdn\ufffd\u0004^\ufffdI\ufffd>\ufffd ,\ufffd\ufffd\ufffd\ufffd\ufffd8=6\ufffd'\b\ufffdc[h\u0002X\u0001\u001a\ufffd\ufffd\u001d\u001brg\ufffd\ufffd\ufffd\ufffd\u0149\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\u000eh\ufffd\ufffdEC7\ufffd\ufffd\/\ufffd\ufffd\ufffd`\ufffdP\u0011\ufffd\ufffd\u001b\ufffd\|\ufffd\ufffdB\ufffd\ufffd\ufffd4", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\u0019\ufffd:,\ufffd\fE\ufffd8h}5\ufffd\u01ee\ufffd\ufffd\ufffd\"\ufffdn\ufffd\u0004^\ufffdI\ufffd>\ufffd ,\ufffd\ufffd\ufffd\ufffd\ufffd8=6\ufffd'\b\ufffdc[h\u0002X\u0001\u001a\ufffd\ufffd\u001d\u001brg\ufffd\ufffd\ufffd\ufffd\u0149\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f129faea745332a4748e5e1d31834c1a2d1b1269", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\u0019\ufffd:,\ufffd\fE\ufffd8h}5\ufffd\u01ee\ufffd\ufffd\ufffd\"\ufffdn\ufffd\u0004^\ufffdI\ufffd>\ufffd ,\ufffd\ufffd\ufffd\ufffd\ufffd8=6\ufffd'\b\ufffdc[h\u0002X\u0001\u001a\ufffd\ufffd\u001d\u001brg\ufffd\ufffd\ufffd\ufffd\u0149\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8082, "service": "http-alt-8082", "service_label_fr": "HTTP ALT 8082" }, "evidence_snippet": "\ufffd\ufffdR\ufffd\ufffd\ufffd:,\ufffdE\ufffd8h}5\ufffd\u01ee\ufffd\ufffd\ufffd\"\ufffdn\ufffd^\ufffdI\ufffd>\ufffd ,\ufffd\ufffd\ufffd\ufffd\ufffd8=6\ufffd'\ufffdc[hX\ufffd\ufffdrg\ufffd\ufffd\ufffd\ufffd\u0149&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8082:8082 \u00b7 (sonde \/ probe)", "target_port_label": "8082 \u00b7 HTTP ALT 8082", "emulator_service": "http-alt-8082", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8082", "service_label_fr": "HTTP ALT 8082", "dst_port": 8082, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8082", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\u0019\ufffd:,\ufffd\fE\ufffd8h}5\ufffd\u01ee\ufffd\ufffd\ufffd\"\ufffdn\ufffd\u0004^\ufffdI\ufffd>\ufffd ,\ufffd\ufffd\ufffd\ufffd\ufffd8=6\ufffd'\b\ufffdc[h\u0002X\u0001\u001a\ufffd\ufffd\u001d\u001brg\ufffd\ufffd\ufffd\ufffd\u0149\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8082, "service": "http-alt-8082", "service_label_fr": "HTTP ALT 8082" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8082:8082 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdR\ufffd\ufffd\ufffd:,\ufffdE\ufffd8h}5\ufffd\u01ee\ufffd\ufffd\ufffd\"\ufffdn\ufffd^\ufffdI\ufffd>\ufffd ,\ufffd\ufffd\ufffd\ufffd\ufffd8=6\ufffd'\ufffdc[hX\ufffd\ufffdrg\ufffd\ufffd\ufffd\ufffd\u0149&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "8082 \u00b7 HTTP ALT 8082", "emulator_service": "http-alt-8082", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8082", "service_banner": "honeypot-http-alt-8082", "service_os": "linux", "dst_port": "8082" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
08/06/2026 03:14:26 UTC	TCP	8082 · HTTP ALT 8082	http-alt-8082	Sonde PostgreSQL postgres probe · via HTTP ALT 8082:8082 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 795bc7ce13f60d61 Émulateur HTTP-ALT-8082 WAF — Recommandation Surveiller Tags tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8082 Chemin / cible — Service HTTP ALT 8082 Payload ��8��C�;��½S/��#��?h��/�+�0�,��'�#�� (�$�� gk39��<=/5� Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��8��C�;��½S/��#��?h��/�+�0�,��'�#�� (�$�� gk39��<=/5� Requête brute (extrait) ��8��C�;��½S/��#��?h��/�+�0�,��'�#�� (�$�� gk39��<=/5� 2�8@fj��5 � Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 207, "payload_entropy": 4.911447297840408, "port_category": "registered", "org": "Google LLC", "service": "http-alt-8082", "app_proto": "http-alt-8082", "asn": 396982, "country": "US", "dst_port": 8082, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 30, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.9, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "3888d1be70f33732522d873896cc453ceef75286", "event_fingerprint": "0e49cbf0cd38e11c005312d70c60a0ee389bb82f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http-alt-8082", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e867d04393e0636c85338d197f25935b", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja3": "795bc7ce13f60d61e9ac03611dd36d90", "ja4": "bcc542a5296d13201e694c8f5aa448d9", "tls_version": "0x0303", "tls_cipher_count": 52, "ja3_client_category": "nmap_scanner" }, "tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90", "tls_ja3": "771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0", "tls_ja4_hash": "bcc542a5296d13201e694c8f5aa448d9", "tls_ja4": "t13d0152_4fb103f5e16c_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 52, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8082, "service": "http-alt-8082", "service_name": "http-alt-8082", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\ufffd\ufffd\ufffdC\u0017\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u00bdS\/\u0007\ufffd\ufffd\u0007#\ufffd\b\ufffd\ufffd\ufffd\u0012?\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\ufffd\ufffd\ufffdC\u0017\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u00bdS\/\u0007\ufffd\ufffd\u0007#\ufffd\b\ufffd\ufffd\ufffd\u0012?\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\ufffd\ufffd\ufffdC\u0017\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u00bdS\/\u0007\ufffd\ufffd\u0007#\ufffd\b\ufffd\ufffd\ufffd\u0012?\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b35b888cd40b18e0b0f12a4007b1e021438855fe", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\ufffd\ufffd\ufffdC\u0017\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u00bdS\/\u0007\ufffd\ufffd\u0007#\ufffd\b\ufffd\ufffd\ufffd\u0012?\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90", "tls_ja4": "bcc542a5296d13201e694c8f5aa448d9", "port": 8082, "service": "http-alt-8082", "service_label_fr": "HTTP ALT 8082" }, "evidence_snippet": "\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffdC\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u00bdS\/\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffd?h\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd", "attack_vector": "postgres probe \u00b7 via HTTP ALT 8082:8082 \u00b7 (sonde \/ probe)", "target_port_label": "8082 \u00b7 HTTP ALT 8082", "emulator_service": "http-alt-8082", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 30, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "http-alt-8082", "service_label_fr": "HTTP ALT 8082", "dst_port": 8082, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http-alt-8082", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd8\ufffd\ufffd\ufffdC\u0017\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u00bdS\/\u0007\ufffd\ufffd\u0007#\ufffd\b\ufffd\ufffd\ufffd\u0012?\u0011\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90", "tls_ja4": "bcc542a5296d13201e694c8f5aa448d9", "port": 8082, "service": "http-alt-8082", "service_label_fr": "HTTP ALT 8082" }, "attack_vector": "postgres probe \u00b7 via HTTP ALT 8082:8082 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffdC\ufffd;\ufffd\ufffd\ufffd\ufffd\ufffd\u00bdS\/\ufffd\ufffd#\ufffd\ufffd\ufffd\ufffd?h\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd", "target_port_label": "8082 \u00b7 HTTP ALT 8082", "emulator_service": "http-alt-8082", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http_alt_8082", "service_banner": "honeypot-http-alt-8082", "service_os": "linux", "dst_port": "8082" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_clienthello" ], "asn_dc_heuristic": true }
07/06/2026 23:33:19 UTC	TCP	7080 · HTTP	http	Scanner web web scanner · via HTTP:7080 · (sonde / probe)	Élevée	Moyen · 47
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET / UA Hello from Palo Alto Networks, find out more about our scans in… Émulateur HTTP WAF 23 Recommandation Surveiller Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7080 Chemin / cible / Service HTTP Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100% Confiance classification 100% Risque capteur Moyen · 47 Confiance : Confiance 100 % — 4 tag(s) WAF Signaux Scanner Palo Alto Upstream Waf Score Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass UA Palo Alto Networks Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF lfi-14 ssrf-3 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7080 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs- Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:7080 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "852b9c4bdde0bcc50d7c077f21e87ce561307ce7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.1098214559288335, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "dst_port": 7080, "risk_waf": 57.5, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 35, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 57.5, "classification": 42, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25 }, "risk_score": 47, "tag_count": 5, "anomaly_count": 0, "campaign_key": "eede4de3dcd3ed2e79e561be2ef97266ea154ad8", "event_fingerprint": "63fd5a46f8364428c016b18d623974f27b145739", "classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 147, "precision_signals": [ "INT-scanner-palo-alto", "INT-upstream", "INT-waf-score" ], "kb_rule_ids": [ "INT-scanner-palo-alto", "INT-upstream", "INT-waf-score" ], "matched_patterns": [ "pat-0103", "pat-0460" ], "matched_pattern_names": [ "LFI Double-dot bypass", "UA Palo Alto Networks" ], "pattern_ids": [ "pat-0103", "pat-0460" ], "confidence_breakdown": { "waf": 57.5, "classification": 42, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 100, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ce3935d92be5f9290d282e51ab604b41", "payload_hash": "11e82ae21258323497c339d7c7f38ecf", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7080, "service": "http", "service_name": "http", "risk_score": 47 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7080\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "method": "GET", "path": "\/", "user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity", "waf_tags": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7080\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7080\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "evidence": { "method": "GET", "path": "\/", "user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity", "waf_tags": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "lfi-14", "ssrf-3", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7080\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7080\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "81f45201a344ac1f8b248f718b9e601ff137d2e6", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026", "port": 7080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7080\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "attack_vector": "web scanner \u00b7 via HTTP:7080 \u00b7 (sonde \/ probe)", "target_port_label": "7080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%", "classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100", "confidence_pct": 100, "confidence_breakdown": { "waf": 57.5, "classification": 42, "behavior": 0, "geo": 40, "protocol": 35, "novelty": 25, "risk_score": 47 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 47, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7080, "protocol_emulated": null, "tags_summary": [ "INT-scanner-palo-alto", "INT-upstream", "INT-waf-score" ], "tags_summary_labels_fr": [ "Scanner Palo Alto", "Upstream", "Waf Score" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026", "port": 7080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "web scanner \u00b7 via HTTP:7080 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:7080\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-", "target_port_label": "7080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF", "confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path", "http_ua_disclosed_scanner" ], "asn_dc_heuristic": true }
05/06/2026 09:25:41 UTC	TCP	6697	tls	Sonde PostgreSQL	Élevée	Faible · 25
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6697 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��L�J��u��ݡ�@MP%a�(v ��]g�1"N4u/6�CG�F��G��U\I&�+�/�,�0̨̩� �� /5� Requête brute (extrait) ��L�J��u��ݡ�@MP%a�(v ��]g�1"N4u/6�CG�F��G��U\I&�+�/�,�0̨̩� �� /5� �+ 3&$ +Ղ��i�$� �7H��7�wo��r�0, Meta JSON brut { "tls_ja3_hash": "d6828e30ab66774a91a96ae93be4ae4c", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 247, "payload_entropy": 5.788384035753306, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 6697, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 25, "tag_count": 3, "anomaly_count": 0, "campaign_key": "31afd0f8a4052e17b3422c2458fa9303fdadd4d2", "event_fingerprint": "5077e4fa16c7bc2d38e9d76521c374318663e809", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "d6828e30ab66774a91a96ae93be4ae4c", "payload_hash": "771f4f3e94b24d9f819a031c27414ffc", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 6697, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffdJ\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd\u0761\u0001\ufffd\u0017@MP%a\ufffd\u001e(\u0006v \ufffd\ufffd\ufffd\ufffd]g\ufffd1\"N4u\/6\ufffdCG\ufffdF\ufffd\u0017\ufffdG\u0013\u0018\ufffd\ufffd\ufffd\ufffdU\\I\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffdJ\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd\u0761\u0001\ufffd\u0017@MP%a\ufffd\u001e(\u0006v \ufffd\ufffd\ufffd\ufffd]g\ufffd1\"N4u\/6\ufffdCG\ufffdF\ufffd\u0017\ufffdG\u0013\u0018\ufffd\ufffd\ufffd\ufffdU\\I\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 +\u0542\ufffd\ufffdi\ufffd$\u0004\ufffd\u000b\ufffd7H\ufffd\u0003\ufffd7\ufffdw\u000fo\ufffd\ufffd\ufffd\ufffdr\ufffd0,", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffdJ\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd\u0761\u0001\ufffd\u0017@MP%a\ufffd\u001e(\u0006v \ufffd\ufffd\ufffd\ufffd]g\ufffd1\"N4u\/6\ufffdCG\ufffdF\ufffd\u0017\ufffdG\u0013\u0018\ufffd\ufffd\ufffd\ufffdU\\I\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffdJ\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd\u0761\u0001\ufffd\u0017@MP%a\ufffd\u001e(\u0006v \ufffd\ufffd\ufffd\ufffd]g\ufffd1\"N4u\/6\ufffdCG\ufffdF\ufffd\u0017\ufffdG\u0013\u0018\ufffd\ufffd\ufffd\ufffdU\\I\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 +\u0542\ufffd\ufffdi\ufffd$\u0004\ufffd\u000b\ufffd7H\ufffd\u0003\ufffd7\ufffdw\u000fo\ufffd\ufffd\ufffd\ufffdr\ufffd0,", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdL\ufffdJ\ufffd\ufffd\ufffd\ufffdu\ufffd\ufffd\u0761\u0001\ufffd\u0017@MP%a\ufffd\u001e(\u0006v \ufffd\ufffd\ufffd\ufffd]g\ufffd1\"N4u\/6\ufffdCG\ufffdF\ufffd\u0017\ufffdG\u0013\u0018\ufffd\ufffd\ufffd\ufffdU\\I\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "050ad1c04114aabb2d42b6260f5a48641f59aaee", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
05/06/2026 09:25:41 UTC	TCP	6697	tls	Sonde TLS	Élevée	Faible · 25
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6697 Chemin / cible — Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �:�s.x��2n鈂��ʣP�� jk� `��e~ptH��%c.߇�u&�ʦ`t�\|]�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3� Requête brute (extrait) �:�s.x��2n鈂��ʣP�� jk� `��e~ptH ��%c.߇�u&�ʦ`t�\|]�>�,�0�̨̩̪�+�/��$�(k�#�'g� �9� �3��=<5/�u # 0. + -3& Meta JSON brut { "tls_ja3_hash": "004556e859f3c26c5d19746b3a957c74", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 8, "bytes_in": 517, "payload_entropy": 3.9497173908333463, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 6697, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 0, "risk_boost": 6, "risk_granularity": 1.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 0 }, "risk_score": 25, "tag_count": 3, "anomaly_count": 0, "campaign_key": "31afd0f8a4052e17b3422c2458fa9303fdadd4d2", "event_fingerprint": "927f237905488f932dab4a1da4c18b475dcacccc", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "004556e859f3c26c5d19746b3a957c74", "payload_hash": "3c829b6f306bb21e7aa8eb0041b32e99", "path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c" }, "target_context": { "dst_port": 6697, "service": "tls" }, "payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003:\ufffds.x\ufffd\ufffd2n\u9202\u000e\ufffd\ufffd\u02a3\u0013P\ufffd\ufffd\u0019\ufffd\ufffd\r\ufffdjk\u0013\u0015\ufffd `\ufffd\ufffde~ptH\f\ufffd\ufffd\ufffd\ufffd\u0004\ufffd%c.\u07c7\ufffdu&\ufffd\u02a6`t\ufffd\|]\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003:\ufffds.x\ufffd\ufffd2n\u9202\u000e\ufffd\ufffd\u02a3\u0013P\ufffd\ufffd\u0019\ufffd\ufffd\r\ufffdjk\u0013\u0015\ufffd `\ufffd\ufffde~ptH\f\ufffd\ufffd\ufffd\ufffd\u0004\ufffd%c.\u07c7\ufffdu&\ufffd\u02a6`t\ufffd\|]\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003:\ufffds.x\ufffd\ufffd2n\u9202\u000e\ufffd\ufffd\u02a3\u0013P\ufffd\ufffd\u0019\ufffd\ufffd\r\ufffdjk\u0013\u0015\ufffd `\ufffd\ufffde~ptH\f\ufffd\ufffd\ufffd\ufffd\u0004\ufffd%c.\u07c7\ufffdu&\ufffd\u02a6`t\ufffd\|]\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "evidence": { "request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003:\ufffds.x\ufffd\ufffd2n\u9202\u000e\ufffd\ufffd\u02a3\u0013P\ufffd\ufffd\u0019\ufffd\ufffd\r\ufffdjk\u0013\u0015\ufffd `\ufffd\ufffde~ptH\f\ufffd\ufffd\ufffd\ufffd\u0004\ufffd%c.\u07c7\ufffdu&\ufffd\u02a6`t\ufffd\|]\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000", "payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003:\ufffds.x\ufffd\ufffd2n\u9202\u000e\ufffd\ufffd\u02a3\u0013P\ufffd\ufffd\u0019\ufffd\ufffd\r\ufffdjk\u0013\u0015\ufffd `\ufffd\ufffde~ptH\f\ufffd\ufffd\ufffd\ufffd\u0004\ufffd%c.\u07c7\ufffdu&\ufffd\u02a6`t\ufffd\|]\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd", "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "37bad0acc5747bde86c83d33b329d2d7fde35be7", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
05/06/2026 09:25:37 UTC	TCP	6697	—	Sonde port	Faible	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 6697 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "Google LLC", "service": null, "app_proto": null, "asn": 396982, "country": "US", "dst_port": 6697, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.2, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 40, "protocol": 0, "novelty": 0 }, "risk_score": 20, "tag_count": 0, "anomaly_count": 0, "campaign_key": "064cf383ef89c168717962085e0da202b5b48a85", "event_fingerprint": "d7b3726212dedea578bf93bc86f0651214f0e0d8", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 6697 }, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "97f0a85d0b0c19857d7cda4003f24a59899017cc", "ban_policy": "advisory_monitor", "asn_dc_heuristic": true }
04/06/2026 01:02:26 UTC	TCP	5986	—	Sonde port	Faible	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
01/06/2026 17:10:06 UTC	TCP	1433	mssql	mssql attack	Élevée	Élevé · 72
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 04:24:56 UTC	TCP	9080	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9080 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "619292ecb05b33d53073614c09ef5a4ed42429f0", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.1098214559288335, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "a8b54b1bbf89b11776349f1df6b2f5cade47900e", "event_fingerprint": "943bdb7bdf0eb750a2e1cf68cdf2bca9e7167beb", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
30/05/2026 01:24:11 UTC	TCP	8080	tls	Sonde TLS	Élevée	Moyen · 57
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
30/05/2026 01:24:10 UTC	TCP	8080	tls	Sonde TLS	Élevée	Moyen · 57
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
29/05/2026 19:58:46 UTC	TCP	4002	—	Sonde port	Faible	Faible · 0
Étape — WAF — Recommandation — Tags — Cible HTTP — TLS SNI — Capteur paris-1
28/05/2026 01:13:07 UTC	TCP	8094	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
28/05/2026 01:13:07 UTC	TCP	8094	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 22:19:21 UTC	TCP	3929	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
25/05/2026 22:19:20 UTC	TCP	3929	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
24/05/2026 06:26:00 UTC	TCP	554	http	http	Faible	Faible · 14
Étape — WAF 0 Recommandation — Tags http_no_ua Cible HTTP OPTIONS * TLS SNI — Capteur paris-1
Preuve / Evidence Méthode OPTIONS Port 554 Chemin / cible * Ligne de requête `OPTIONS / HTTP/1.1` User-Agent — Règles WAF — Meta JSON brut { "http_header_count": 1, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": null, "http_ua_hash": null, "http_host_hash": null, "http_target_hash": "df58248c414f342c81e056b40bee12d17a08bf61", "http_referer_hash": null, "http_method": "OPTIONS", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 31, "payload_entropy": 4.082597923010943, "port_category": "well_known", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 1, "anomaly_count": 0, "risk_score": 14, "campaign_key": "dd14a67a7e7547d6f673d73806243de4b6dda2c5", "event_fingerprint": "7d55a1bf22da231ba44e425cb1fdedaef44e969c", "tags_list": [ "http_no_ua" ] }
20/05/2026 02:58:41 UTC	TCP	5061	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

147.185.132.138

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence