16/06/2026 21:07:01 UTC
TCP
12345 · NETBUS
Sonde MongoDB
mongodb probe · via NETBUS:12345 · (sonde / probe)
Élevée
Moyen · 45
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
NETBUS
WAF
—
Recommandation
Surveiller
Tags
http_get_probe
mongodb_hello_probe
net_mongodb_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
12345
Chemin / cible
—
Service
NETBUS
Payload
GET / HTTP/1.1 Host: 62.3.50.33:12345 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs
Pourquoi cette classification : Type « mongodb_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 45
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0460
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:12345
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:12345 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "32323020686f6e6579706f74206e657462757320726561647920706f72743d31323334350d0a",
"emulator_response_len": 38,
"bytes_in": 219,
"payload_entropy": 5.102374078311707,
"port_category": "registered",
"org": "Google LLC",
"service": "netbus",
"app_proto": "netbus",
"asn": 396982,
"country": "US",
"dst_port": 12345,
"risk_waf": 8,
"risk_classification": 55,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 40,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 55,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15
},
"risk_score": 45,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "8d2e0d87d6e05be27e8efa2b60fdd3cd36a47c59",
"event_fingerprint": "4c2ee5821d0a9175e0563b07a6400c1851170ce3",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0460"
],
"classification_reason": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 55,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"service_name": "netbus",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "d6a319b07e3e396346fdf2ec7c737945",
"path_pattern_hash": "64fbc3aee24db4a0fc1ea9e5fbb0e29c"
},
"target_context": {
"dst_port": 12345,
"service": "netbus",
"service_name": "netbus",
"risk_score": 45
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"evidence": {
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"classification_reason": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8ba2cd8cb46cecb9c725e4fb0f913e7be82555c4",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"port": 12345,
"service": "netbus",
"service_label_fr": "NETBUS"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"attack_vector": "mongodb probe \u00b7 via NETBUS:12345 \u00b7 (sonde \/ probe)",
"target_port_label": "12345 \u00b7 NETBUS",
"emulator_service": "netbus",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab mongodb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 45\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 55,
"behavior": 0,
"geo": 40,
"protocol": 40,
"novelty": 15,
"risk_score": 45
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 45,
"risk_label": "Moyen",
"service_name": "netbus",
"service_label_fr": "NETBUS",
"dst_port": 12345,
"protocol_emulated": true,
"tags_summary": [
"pat-0460"
],
"tags_summary_labels_fr": [
"pat-0460"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-netbus",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"port": 12345,
"service": "netbus",
"service_label_fr": "NETBUS"
},
"attack_vector": "mongodb probe \u00b7 via NETBUS:12345 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:12345\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs",
"target_port_label": "12345 \u00b7 NETBUS",
"emulator_service": "netbus",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "netbus",
"service_banner": "honeypot-netbus",
"service_os": "linux",
"dst_port": "12345"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"http_get_probe",
"mongodb_hello_probe",
"net_mongodb_probe"
],
"asn_dc_heuristic": true
}
16/06/2026 18:52:18 UTC
TCP
4786
—
Sonde port
Sonde port · port 4786 · (sonde / probe)
Faible
Moyen · 44
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
4786
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 4786,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.9,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "3d45df1f580e569ca1db45a7263d7d0988968183",
"event_fingerprint": "024e464e7f9a3e0abfb0be38dde249fce666bbc4",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 4786,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "56243c0143a883b412dd99ca89befa41d66ae8c4",
"protocol_details": {
"port": 4786
},
"attack_vector": "Sonde port \u00b7 port 4786 \u00b7 (sonde \/ probe)",
"target_port_label": "4786",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 4786,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 4786
},
"attack_vector": "Sonde port \u00b7 port 4786 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "4786",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "4786"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
15/06/2026 21:13:08 UTC
TCP
7547 · HTTP
Scanner web
web scanner · via HTTP:7547 · (sonde / probe)
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Hello from Palo Alto Networks, find out more about our scans in…
Émulateur
HTTP
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
7547
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Signaux
Scanner Palo Alto
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.0
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks
Requête brute (extrait)
GET / HTTP/1.0 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept: */*
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 185,
"payload_entropy": 4.938089755714326,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 7547,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "78d1da18394bc980657ea1daa7172841e0efa200",
"event_fingerprint": "920ca7087263930f6563f658c1941ca4e109e916",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "408dddfd3211eda1263e9161f0d91c4d",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 7547,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a2af83c5e7dfb8a6653f04751bf296d4d9711207",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 7547,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"attack_vector": "web scanner \u00b7 via HTTP:7547 \u00b7 (sonde \/ probe)",
"target_port_label": "7547 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 7547,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Palo Alto",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 7547,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:7547 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.0\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks",
"target_port_label": "7547 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "7547"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 84
}
14/06/2026 23:00:53 UTC
TCP
9983
—
Sonde RDP
rdp probe · port 9983 · (sonde / probe)
Faible
Moyen · 50
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Investiguer
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9983
Chemin / cible
—
Payload
���,'������Cookie: mstshash=vqEfFy ��������
Pourquoi cette classification : Type « rdp_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Signaux
pat-0347
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP NTLM hash
RDP TPKT header
ET H.323 setup
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
���,'������Cookie: mstshash=vqEfFy
�����
Meta JSON brut
{
"bytes_in": 44,
"payload_entropy": 4.237285311573268,
"port_category": "registered",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 9983,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 0.2,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 50,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "8b896ce6ed8f136adfe2d4045ef42b2231437745",
"event_fingerprint": "29c8a4aa30f2df85c54865ba5c600e46935b0743",
"classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0347",
"pat-0348"
],
"kb_rule_ids": [
"pat-0347",
"pat-0348"
],
"matched_patterns": [
"pat-0347",
"pat-0348",
"pat-0868",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP NTLM hash",
"RDP TPKT header",
"ET H.323 setup",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0347",
"pat-0348",
"pat-0868",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 50
},
"named_classification_skipped": false,
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c72e9b7aae9efd1dd11d18a0447f8445",
"path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6"
},
"target_context": {
"dst_port": 9983,
"risk_score": 50
},
"payload_preview": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=vqEfFy\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000",
"request_sample": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=vqEfFy\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=vqEfFy\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=vqEfFy\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=vqEfFy\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "1d9cd186aba54e79471456d5a95b1c4ee0c947b8",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=vqEfFy\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000",
"port": 9983
},
"evidence_snippet": ",'\ufffdCookie: mstshash=vqEfFy",
"attack_vector": "rdp probe \u00b7 port 9983 \u00b7 (sonde \/ probe)",
"target_port_label": "9983",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 9983,
"protocol_emulated": null,
"tags_summary": [
"pat-0347",
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0347",
"pat-0348"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=vqEfFy\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000",
"port": 9983
},
"attack_vector": "rdp probe \u00b7 port 9983 \u00b7 (sonde \/ probe)",
"evidence_snippet": ",'\ufffdCookie: mstshash=vqEfFy",
"target_port_label": "9983",
"emulator_service": null,
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "9983"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"asn_dc_heuristic": true
}
14/06/2026 23:00:53 UTC
TCP
9983
—
Sonde RDP
rdp probe · port 9983 · (sonde / probe)
Faible
Moyen · 50
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Investiguer
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9983
Chemin / cible
—
Payload
���,'������Cookie: mstshash=CkteTh ��������
Pourquoi cette classification : Type « rdp_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Signaux
pat-0347
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP NTLM hash
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
���,'������Cookie: mstshash=CkteTh
�����
Meta JSON brut
{
"bytes_in": 44,
"payload_entropy": 3.9928560501604617,
"port_category": "registered",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 9983,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 0.2,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 50,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "8b896ce6ed8f136adfe2d4045ef42b2231437745",
"event_fingerprint": "29c8a4aa30f2df85c54865ba5c600e46935b0743",
"classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0347",
"pat-0348"
],
"kb_rule_ids": [
"pat-0347",
"pat-0348"
],
"matched_patterns": [
"pat-0347",
"pat-0348",
"pat-0868",
"pat-0554"
],
"matched_pattern_names": [
"RDP NTLM hash",
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0347",
"pat-0348",
"pat-0868",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 50
},
"named_classification_skipped": false,
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "3a0eb49b75ab0d34b2b09bb4226f0f9f",
"path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6"
},
"target_context": {
"dst_port": 9983,
"risk_score": 50
},
"payload_preview": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=CkteTh\r\n\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000",
"request_sample": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=CkteTh\r\n\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=CkteTh\r\n\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=CkteTh\r\n\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000",
"payload_snippet": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=CkteTh\r\n\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000",
"classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ef4d15127bec7a8b84bd3ea41a724331564e2e6b",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=CkteTh\r\n\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000",
"port": 9983
},
"evidence_snippet": ",'\ufffdCookie: mstshash=CkteTh",
"attack_vector": "rdp probe \u00b7 port 9983 \u00b7 (sonde \/ probe)",
"target_port_label": "9983",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 9983,
"protocol_emulated": null,
"tags_summary": [
"pat-0347",
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0347",
"pat-0348"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=CkteTh\r\n\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000",
"port": 9983
},
"attack_vector": "rdp probe \u00b7 port 9983 \u00b7 (sonde \/ probe)",
"evidence_snippet": ",'\ufffdCookie: mstshash=CkteTh",
"target_port_label": "9983",
"emulator_service": null,
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "9983"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"asn_dc_heuristic": true
}
14/06/2026 23:00:53 UTC
TCP
9983
—
Sonde port
Sonde port · port 9983 · (sonde / probe)
Faible
Moyen · 44
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9983
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 9983,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 0.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "8b896ce6ed8f136adfe2d4045ef42b2231437745",
"event_fingerprint": "29c8a4aa30f2df85c54865ba5c600e46935b0743",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 9983,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cd25d3351c752cb4685489fc36f9e0c2d62f8a78",
"protocol_details": {
"port": 9983
},
"attack_vector": "Sonde port \u00b7 port 9983 \u00b7 (sonde \/ probe)",
"target_port_label": "9983",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 9983,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 9983
},
"attack_vector": "Sonde port \u00b7 port 9983 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "9983",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "9983"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
14/06/2026 23:00:52 UTC
TCP
9983
—
Sonde RDP
rdp probe · port 9983 · (sonde / probe)
Faible
Moyen · 50
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Investiguer
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9983
Chemin / cible
—
Payload
���'"������Cookie: mstshash=yFdxgHNRL
Pourquoi cette classification : Type « rdp_probe » (signaux protocolaires) · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 50
Confiance : Confiance 100 % — Motif catalogue confirmé
Signaux
pat-0347
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP NTLM hash
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
User-Agent
—
Règles WAF
—
Payload (extrait)
���'"������Cookie: mstshash=yFdxgHNRL
Meta JSON brut
{
"bytes_in": 39,
"payload_entropy": 4.5570337071554095,
"port_category": "registered",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 9983,
"risk_waf": 8,
"risk_classification": 52,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 0.2,
"risk_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 15
},
"risk_score": 50,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "8b896ce6ed8f136adfe2d4045ef42b2231437745",
"event_fingerprint": "29c8a4aa30f2df85c54865ba5c600e46935b0743",
"classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 116,
"precision_signals": [
"pat-0347",
"pat-0348"
],
"kb_rule_ids": [
"pat-0347",
"pat-0348"
],
"matched_patterns": [
"pat-0347",
"pat-0348",
"pat-0868",
"pat-0554"
],
"matched_pattern_names": [
"RDP NTLM hash",
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake"
],
"pattern_ids": [
"pat-0347",
"pat-0348",
"pat-0868",
"pat-0554"
],
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 15,
"risk_score": 50
},
"named_classification_skipped": false,
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ae59d9973183b2bbfed0862778ea6797",
"path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6"
},
"target_context": {
"dst_port": 9983,
"risk_score": 50
},
"payload_preview": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=yFdxgHNRL\r\n",
"request_sample": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=yFdxgHNRL\r\n",
"payload_snippet": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=yFdxgHNRL",
"evidence": {
"request_sample": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=yFdxgHNRL\r\n",
"payload_snippet": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=yFdxgHNRL",
"classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "investigate",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "d413e4b5d4d3c2e1c979c424304aa56bdabd207b",
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=yFdxgHNRL",
"port": 9983
},
"evidence_snippet": "'\"\ufffdCookie: mstshash=yFdxgHNRL",
"attack_vector": "rdp probe \u00b7 port 9983 \u00b7 (sonde \/ probe)",
"target_port_label": "9983",
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"classification_reason_label_fr": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 100 %",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 8,
"classification": 52,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 15,
"risk_score": 50
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 50,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 9983,
"protocol_emulated": null,
"tags_summary": [
"pat-0347",
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0347",
"pat-0348"
],
"recommended_action": "investigate",
"recommended_action_label": "Investiguer",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"payload_preview": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=yFdxgHNRL",
"port": 9983
},
"attack_vector": "rdp probe \u00b7 port 9983 \u00b7 (sonde \/ probe)",
"evidence_snippet": "'\"\ufffdCookie: mstshash=yFdxgHNRL",
"target_port_label": "9983",
"emulator_service": null,
"confidence_reason": "Confiance 100 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "9983"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_investigate",
"asn_dc_heuristic": true
}
08/06/2026 05:38:38 UTC
TCP
10003 · TLS
Sonde port 10003/TCP
port 10003 tcp · via TLS:10003 · (sonde / probe)
Élevée
Moyen · 40
Détails
Voir
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 16ee84a07b55074c
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
10003
Chemin / cible
—
Preuve honeypot — Sonde port 10003/TCP
Connexion détectée sur le port 10003 (TCP) du capteur simulé.
Service
TLS
Payload
����i���e��U���random1random2random3random4�� �/� ���9�������0� �,�*������������������������������������������
Pourquoi cette classification : Type « port_10003_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
67%
Corrélation +18
Risque capteur
Moyen
· 40
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
ET H.323 setup
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
����i���e��U���random1random2random3random4����/�
���9�������0�
�,�*������������������������������������������
Meta JSON brut
{
"tls_ja3_hash": "16ee84a07b55074cb2751329bf1c8811",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 5,
"bytes_in": 110,
"payload_entropy": 4.269606220838881,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 10003,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0
},
"risk_score": 40,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "0a6a774ef0f9fc632e24a91e72493d33a5d0e368",
"event_fingerprint": "074fbf548442ce1170d48f07f5da73e84633cdee",
"classification_reason": "Type \u00ab port_10003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.67,
"classification_confidence": 0.67,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"ET H.323 setup",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0868",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0,
"risk_score": 40,
"correlation_boost": 18
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "16ee84a07b55074cb2751329bf1c8811",
"payload_hash": "4ad5dce8143f2bcf1242885cff6e93f8",
"path_pattern_hash": "0c4b6b5ccf6aba66eccfb8d7180aafc6",
"ja4": "011b865e5f91ae5e1836c88110724dcb",
"tls_version": "0x0303",
"tls_cipher_count": 6,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,47-10-19-57-4-255,13,,",
"tls_ja4_hash": "011b865e5f91ae5e1836c88110724dcb",
"tls_ja4": "t13d0106_3fdba35f04dc_d03502c43d74",
"tls_version": "0x0303",
"tls_cipher_count": 6,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10003,
"service": "tls",
"service_name": "tls",
"risk_score": 40
},
"payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"evidence": {
"request_sample": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"payload_snippet": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"classification_reason": "Type \u00ab port_10003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7d8f79233e2c9e57c138e8dee3f5ce98d7d2c31a",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"tls_ja3": "16ee84a07b55074cb2751329bf1c8811",
"tls_ja4": "011b865e5f91ae5e1836c88110724dcb",
"port": 10003,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,*",
"attack_vector": "port 10003 tcp \u00b7 via TLS:10003 \u00b7 (sonde \/ probe)",
"target_port_label": "10003 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_10003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_10003_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100",
"confidence_pct": 67,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0,
"risk_score": 40,
"correlation_boost": 18
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 40,
"risk_label": "Moyen",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10003,
"protocol_emulated": null,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_coordonn\u00e9",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +18",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0000\u0000i\u0001\u0000\u0000e\u0003\u0003U\u001c\ufffd\ufffdrandom1random2random3random4\u0000\u0000\f\u0000\/\u0000\n\u0000\u0013\u00009\u0000\u0004\u0000\ufffd\u0001\u0000\u00000\u0000\r\u0000,\u0000*\u0000\u0001\u0000\u0003\u0000\u0002\u0006\u0001\u0006\u0003\u0006\u0002\u0002\u0001\u0002\u0003\u0002\u0002\u0003\u0001\u0003\u0003\u0003\u0002\u0004\u0001\u0004\u0003\u0004\u0002\u0001\u0001\u0001\u0003\u0001\u0002\u0005\u0001\u0005\u0003\u0005\u0002",
"tls_ja3": "16ee84a07b55074cb2751329bf1c8811",
"tls_ja4": "011b865e5f91ae5e1836c88110724dcb",
"port": 10003,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "port 10003 tcp \u00b7 via TLS:10003 \u00b7 (sonde \/ probe)",
"evidence_snippet": "ieU\ufffd\ufffdrandom1random2random3random4\/\n9\ufffd0\r,*",
"target_port_label": "10003 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 67 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (147.185.132.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10003"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"port:10003",
"tls"
],
"multi_protocol_window_s": 300,
"coordinated_scan": true,
"coordinated_subnet": "147.185.132.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 18,
"attack_chain_stage": "reconnaissance",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
08/06/2026 05:38:38 UTC
TCP
10003 · TLS
Sonde TLS
tls probe · via TLS:10003 · (sonde / probe)
Élevée
Faible · 35
Détails
Voir
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 004556e859f3c26c
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
10003
Chemin / cible
—
Service
TLS
Payload
�����������"v�sHU����K^L�8��p4�������$kuH�� �P������(������_B��Jfj���4�^i��>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3��
Pourquoi cette classification : Type « tls_probe » (signaux protocolaires) · confiance 50%
Confiance classification
68%
Corrélation +18
Risque capteur
Faible
· 35
Confiance : Confiance 50 % — Motif catalogue confirmé
Signaux
pat-0554
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������"v�sHU����K^L�8��p4�������$kuH��
�P������(������_B��Jfj���4�^i��>�������,�0��̨̩̪�+�/���$�(�k�#�'�g�
���9� ���3��
Requête brute (extrait)
�����������"v�sHU����K^L�8��p4�������$kuH�� �P������(������_B��Jfj���4�^i��>�������,�0��̨̩̪�+�/���$�(�k�#�'�g� ���9� ���3�����=�<�5�/�����u� ������� � � �����������#����������� �0�.����������� � � �������������������������������+� ����������-�����3�&
Meta JSON brut
{
"tls_ja3_hash": "004556e859f3c26c5d19746b3a957c74",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 8,
"bytes_in": 517,
"payload_entropy": 3.9153811991163727,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 10003,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 0,
"risk_boost": 6,
"risk_granularity": 4.4,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "0a6a774ef0f9fc632e24a91e72493d33a5d0e368",
"event_fingerprint": "d973d38fa6aff2514c86a0588b397f9c86accdba",
"classification_confidence": 0.68,
"confidence": 0.68,
"precision_signals": [
"pat-0554"
],
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 18
},
"service_name": "tls",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "004556e859f3c26c5d19746b3a957c74",
"payload_hash": "0ec71c0d08ee2669e8d777d462d69215",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 10003,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\"v\ufffdsHU\ufffd\u0001\u0016\u0017K^L\ufffd8\ufffd\u0002p4\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffd$kuH\ufffd\ufffd \r\ufffdP\ufffd\u0010\ufffd\u0014\u0014\ufffd(\u0014\ufffd\ufffd\ufffd\ufffd\ufffd_B\ufffd\ufffdJfj\ufffd\u0016\ufffd4\u0005^i\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\"v\ufffdsHU\ufffd\u0001\u0016\u0017K^L\ufffd8\ufffd\u0002p4\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffd$kuH\ufffd\ufffd \r\ufffdP\ufffd\u0010\ufffd\u0014\u0014\ufffd(\u0014\ufffd\ufffd\ufffd\ufffd\ufffd_B\ufffd\ufffdJfj\ufffd\u0016\ufffd4\u0005^i\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\ufffd\u0001\u0000\u0001u\u0000\u000b\u0000\u0004\u0003\u0000\u0001\u0002\u0000\n\u0000\f\u0000\n\u0000\u001d\u0000\u0017\u0000\u001e\u0000\u0019\u0000\u0018\u0000#\u0000\u0000\u0000\u0016\u0000\u0000\u0000\u0017\u0000\u0000\u0000\r\u00000\u0000.\u0004\u0003\u0005\u0003\u0006\u0003\b\u0007\b\b\b\t\b\n\b\u000b\b\u0004\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0003\u0003\u0002\u0003\u0003\u0001\u0002\u0001\u0003\u0002\u0002\u0002\u0004\u0002\u0005\u0002\u0006\u0002\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u0000-\u0000\u0002\u0001\u0001\u00003\u0000&\u0000",
"payload_snippet": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\"v\ufffdsHU\ufffd\u0001\u0016\u0017K^L\ufffd8\ufffd\u0002p4\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffd$kuH\ufffd\ufffd \r\ufffdP\ufffd\u0010\ufffd\u0014\u0014\ufffd(\u0014\ufffd\ufffd\ufffd\ufffd\ufffd_B\ufffd\ufffdJfj\ufffd\u0016\ufffd4\u0005^i\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "eafc5bd6a924e84a7dd128dccf212bb9a282021d",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\"v\ufffdsHU\ufffd\u0001\u0016\u0017K^L\ufffd8\ufffd\u0002p4\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffd$kuH\ufffd\ufffd \r\ufffdP\ufffd\u0010\ufffd\u0014\u0014\ufffd(\u0014\ufffd\ufffd\ufffd\ufffd\ufffd_B\ufffd\ufffdJfj\ufffd\u0016\ufffd4\u0005^i\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"tls_ja3": "004556e859f3c26c5d19746b3a957c74",
"port": 10003,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\"v\ufffdsHU\ufffdK^L\ufffd8\ufffdp4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$kuH\ufffd\ufffd \r\ufffdP\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd\ufffd_B\ufffd\ufffdJfj\ufffd\ufffd4^i\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"attack_vector": "tls probe \u00b7 via TLS:10003 \u00b7 (sonde \/ probe)",
"target_port_label": "10003 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab tls_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 68,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 0,
"risk_score": 35,
"correlation_boost": 18
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10003,
"protocol_emulated": null,
"tags_summary": [
"pat-0554"
],
"tags_summary_labels_fr": [
"pat-0554"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"scan_coordonn\u00e9",
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9",
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +18",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0002\u0000\u0001\u0000\u0001\ufffd\u0003\u0003\"v\ufffdsHU\ufffd\u0001\u0016\u0017K^L\ufffd8\ufffd\u0002p4\ufffd\ufffd\ufffd\ufffd\u0000\ufffd\ufffd$kuH\ufffd\ufffd \r\ufffdP\ufffd\u0010\ufffd\u0014\u0014\ufffd(\u0014\ufffd\ufffd\ufffd\ufffd\ufffd_B\ufffd\ufffdJfj\ufffd\u0016\ufffd4\u0005^i\ufffd\u0000>\u0013\u0002\u0013\u0003\u0013\u0001\ufffd,\ufffd0\u0000\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\u0000\ufffd\ufffd$\ufffd(\u0000k\ufffd#\ufffd'\u0000g\ufffd\n\ufffd\u0014\u00009\ufffd\t\ufffd\u0013\u00003\u0000\ufffd",
"tls_ja3": "004556e859f3c26c5d19746b3a957c74",
"port": 10003,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "tls probe \u00b7 via TLS:10003 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\"v\ufffdsHU\ufffdK^L\ufffd8\ufffdp4\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd$kuH\ufffd\ufffd \r\ufffdP\ufffd\ufffd\ufffd(\ufffd\ufffd\ufffd\ufffd\ufffd_B\ufffd\ufffdJfj\ufffd\ufffd4^i\ufffd>\ufffd,\ufffd0\ufffd\u0329\u0328\u032a\ufffd+\ufffd\/\ufffd\ufffd$\ufffd(k\ufffd#\ufffd'g\ufffd\n\ufffd9\ufffd\t\ufffd3\ufffd",
"target_port_label": "10003 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 68 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +18",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (147.185.132.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10003"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"port:10003",
"tls"
],
"multi_protocol_window_s": 300,
"coordinated_scan": true,
"coordinated_subnet": "147.185.132.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan",
"multi_protocol_correlation"
],
"correlation_confidence_boost": 18,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
08/06/2026 05:38:35 UTC
TCP
10003
—
Sonde port
Sonde port · port 10003 · (sonde / probe)
Faible
Moyen · 44
Détails
Voir
Étape
Sonde / probe
Chaîne
Reconnaissance
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Scan coordonné
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
10003
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
60%
Corrélation +10
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": null,
"app_proto": null,
"asn": 396982,
"country": "US",
"dst_port": 10003,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "92074b4e47654948e668896fccf6edff9e809b36",
"event_fingerprint": "1d94ffc85f855b1f1999e88637582fcda716480b",
"classification_confidence": 0.6,
"confidence": 0.6,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 10
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 10003,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ffaff039b7f4b78acb74c85ca032ea513eac5348",
"protocol_details": {
"port": 10003
},
"attack_vector": "Sonde port \u00b7 port 10003 \u00b7 (sonde \/ probe)",
"target_port_label": "10003",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 60,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 10
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "reconnaissance",
"attack_chain_stage_label_fr": "Reconnaissance",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 10003,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"scan_coordonn\u00e9"
],
"correlation_flags_labels_fr": [
"Scan coordonn\u00e9"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +10",
"protocol_details": {
"port": 10003
},
"attack_vector": "Sonde port \u00b7 port 10003 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "10003",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 60 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10",
"campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (147.185.132.0\/24, \u22653 pairs)",
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "reconnaissance",
"label_fr": "Reconnaissance",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "10003"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"coordinated_scan": true,
"coordinated_subnet": "147.185.132.0\/24",
"coordinated_ip_count": 3,
"behavior_alerts": [
"coordinated_scan"
],
"correlation_confidence_boost": 10,
"attack_chain_stage": "reconnaissance",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"asn_dc_heuristic": true
}
05/06/2026 06:13:17 UTC
TCP
9192
Sonde PostgreSQL
Élevée
Faible · 27
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9192
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������mvԅ���N�P�9�$�Q���f,�ڵU�������h�����/�+�0�,�����'�#��� �(�$���
�������g�k�3�9���������<�=�/�5�����
��������������
Requête brute (extrait)
�����������mvԅ���N�P�9�$�Q���f,�ڵU�������h�����/�+�0�,�����'�#��� �(�$��� �������g�k�3�9���������<�=�/�5����� ���������������2���������8�@�f�j�������5���������� ����������� ����� � � ��������������������
Meta JSON brut
{
"tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 29,
"bytes_in": 207,
"payload_entropy": 4.906710824452264,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 9192,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 27,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3da948374285c6e22248f96dd3fb422bb0c9f5ba",
"event_fingerprint": "6f9f8ce3400e6c94907421f282b9e2debe3ea24c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "795bc7ce13f60d61e9ac03611dd36d90",
"payload_hash": "7c65e3b7de8728b6fcfbd297f7c31743",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 9192,
"service": "tls"
},
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003mv\u0505\ufffd\u0003\ufffdN\ufffdP\ufffd9\u0011$\ufffdQ\ufffd\ufffd\u0003f,\ufffd\u06b5U\ufffd\u0018\u0012\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003mv\u0505\ufffd\u0003\ufffdN\ufffdP\ufffd9\u0011$\ufffdQ\ufffd\ufffd\u0003f,\ufffd\u06b5U\ufffd\u0018\u0012\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003mv\u0505\ufffd\u0003\ufffdN\ufffdP\ufffd9\u0011$\ufffdQ\ufffd\ufffd\u0003f,\ufffd\u06b5U\ufffd\u0018\u0012\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003mv\u0505\ufffd\u0003\ufffdN\ufffdP\ufffd9\u0011$\ufffdQ\ufffd\ufffd\u0003f,\ufffd\u06b5U\ufffd\u0018\u0012\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003mv\u0505\ufffd\u0003\ufffdN\ufffdP\ufffd9\u0011$\ufffdQ\ufffd\ufffd\u0003f,\ufffd\u06b5U\ufffd\u0018\u0012\ufffd\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0ab7ed837f638865283d16333a8efb32577ca0b7",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
05/06/2026 06:13:16 UTC
TCP
9192
Sonde PostgreSQL
Élevée
Faible · 27
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
9192
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������l��zq���ﱖ��Y��*�/V/��"/�f`��� c����
�K
�ؓ�M���b|��wk���F^l�&�+�/�,�0̨̩� ���
�������/�5���
���������{�����
Requête brute (extrait)
������������l��zq���ﱖ��Y��*�/V/��"/�f`��� c���� �K �ؓ�M� �b|��wk���F^l�&�+�/�,�0̨̩� ��� �������/�5��� ���������{���������� � ����������� ����� ��������������������������������������+� ����������3�&�$��� ��v����fJ��|Pyɐ��������T��S�
Meta JSON brut
{
"tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.873469003986275,
"port_category": "registered",
"org": "Google LLC",
"service": "tls",
"app_proto": "tls",
"asn": 396982,
"country": "US",
"dst_port": 9192,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 40,
"protocol": 43,
"novelty": 15
},
"risk_score": 27,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "3da948374285c6e22248f96dd3fb422bb0c9f5ba",
"event_fingerprint": "53bd544a8901b4613479a0662c13ea1f5eca1d47",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "19e29534fd49dd27d09234e639c4057e",
"payload_hash": "cbbe81b5dd51fc5713cfa99fa5d95f0f",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 9192,
"service": "tls"
},
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdl\ufffd\ufffdzq\ufffd\ufffd\ufffd\ufc56\ufffd\ufffdY\ufffd\ufffd*\ufffd\/V\/\u000f\ufffd\"\/\u0005f`\u0006\ufffd\u000e c\ufffd\ufffd\ufffd\ufffd\n\u0012K\n\ufffd\u0613\ufffdM\ufffd\u000b\ufffdb|\ufffd\u05c9\u001bwk\ufffd\u0019\ufffdF^l\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdl\ufffd\ufffdzq\ufffd\ufffd\ufffd\ufc56\ufffd\ufffdY\ufffd\ufffd*\ufffd\/V\/\u000f\ufffd\"\/\u0005f`\u0006\ufffd\u000e c\ufffd\ufffd\ufffd\ufffd\n\u0012K\n\ufffd\u0613\ufffdM\ufffd\u000b\ufffdb|\ufffd\u05c9\u001bwk\ufffd\u0019\ufffdF^l\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdv\ufffd\ufffd\ufffd\u0019fJ\ufffd\ufffd|Py\u0250\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffd\ufffdS\u000e",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdl\ufffd\ufffdzq\ufffd\ufffd\ufffd\ufc56\ufffd\ufffdY\ufffd\ufffd*\ufffd\/V\/\u000f\ufffd\"\/\u0005f`\u0006\ufffd\u000e c\ufffd\ufffd\ufffd\ufffd\n\u0012K\n\ufffd\u0613\ufffdM\ufffd\u000b\ufffdb|\ufffd\u05c9\u001bwk\ufffd\u0019\ufffdF^l\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdl\ufffd\ufffdzq\ufffd\ufffd\ufffd\ufc56\ufffd\ufffdY\ufffd\ufffd*\ufffd\/V\/\u000f\ufffd\"\/\u0005f`\u0006\ufffd\u000e c\ufffd\ufffd\ufffd\ufffd\n\u0012K\n\ufffd\u0613\ufffdM\ufffd\u000b\ufffdb|\ufffd\u05c9\u001bwk\ufffd\u0019\ufffdF^l\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdv\ufffd\ufffd\ufffd\u0019fJ\ufffd\ufffd|Py\u0250\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdT\ufffd\ufffdS\u000e",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdl\ufffd\ufffdzq\ufffd\ufffd\ufffd\ufc56\ufffd\ufffdY\ufffd\ufffd*\ufffd\/V\/\u000f\ufffd\"\/\u0005f`\u0006\ufffd\u000e c\ufffd\ufffd\ufffd\ufffd\n\u0012K\n\ufffd\u0613\ufffdM\ufffd\u000b\ufffdb|\ufffd\u05c9\u001bwk\ufffd\u0019\ufffdF^l\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "2f29bfad699bf00d942353b7e2c43623a9e94e16",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
],
"asn_dc_heuristic": true
}
31/05/2026 23:38:36 UTC
TCP
2525
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2525
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "9c8cda002beb91a6fbb979b1c93c2b90a5ff11ab",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.1098214559288335,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "3c6930513e183db3f6533c23e296cf4382a0a6f8",
"event_fingerprint": "738ceab49c657886a0e7bb682e8e3b28272375b7",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
31/05/2026 00:14:35 UTC
TCP
2084
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2084
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "dacc008a0e33f7dcd1c8c603c158b2c031a644d0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.113284242636005,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "38dd57f4668245b70c28e32aa9b7fc69998bb18b",
"event_fingerprint": "eda7ff3d320558dac4c7808065fb3340cfa1186e",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
27/05/2026 16:40:26 UTC
TCP
22
Sonde SSH
Élevée
Élevé · 74
Détails
Étape
—
WAF
—
Recommandation
—
Tags
ssh_banner
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
27/05/2026 11:27:20 UTC
TCP
5000
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
5000
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 2,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "9f21d7fee49eca78518fb8e7cbfdabb35e2a18a0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 199,
"payload_entropy": 4.8957344101987585,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "e927454442ddd325628d454262dc6db48953c3bf",
"event_fingerprint": "3024d9920f2996e17c5a46971074636df84fe371",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
25/05/2026 23:10:05 UTC
TCP
8999
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
8999
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "9c8cda002beb91a6fbb979b1c93c2b90a5ff11ab",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.1098214559288335,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "bbf3b613d44c4c4e1a1f3f42eb11afbb80fdc09e",
"event_fingerprint": "cd36f0a981b38dc3d5c21df38c816ba0fc846a11",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
25/05/2026 19:12:15 UTC
TCP
5001
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
5001
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "b4e79994dbf62b32ccd12ea551b214d959713549",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.085761306856188,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "7833ac3eca7aa67613b4057f468f3423a0209667",
"event_fingerprint": "1af92f803ca271a9db5351d78bbe52beb51a01d4",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
24/05/2026 20:35:04 UTC
TCP
3306
mysql attack
Élevée
Élevé · 72
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
24/05/2026 03:19:39 UTC
TCP
20256
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
23/05/2026 06:26:36 UTC
TCP
10003
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
23/05/2026 06:26:36 UTC
TCP
10003
Sonde TLS
Moyenne
Faible · 31
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
23/05/2026 06:26:36 UTC
TCP
10003
Sonde HTTP
Élevée
Moyen · 61
Détails
Voir
Étape
—
WAF
6
Recommandation
—
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
10003
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": "5f2d2b1d7c2771378dd891c2a07bb95655415e14",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 80,
"payload_entropy": 4.8003934147262175,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 1,
"risk_score": 61,
"campaign_key": "c056b38ccf5588fcbf70227ec884033aac0fd34e",
"event_fingerprint": "c1396e0591eed4a991c53a967aa7bf77e22e9503",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
]
}
23/05/2026 06:26:35 UTC
TCP
10003
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
23/05/2026 06:26:35 UTC
TCP
10003
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
23/05/2026 06:26:32 UTC
TCP
10003
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
18/05/2026 23:32:55 UTC
TCP
2160
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
18/05/2026 04:10:03 UTC
TCP
9080
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
9080
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "619292ecb05b33d53073614c09ef5a4ed42429f0",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.1098214559288335,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "a8b54b1bbf89b11776349f1df6b2f5cade47900e",
"event_fingerprint": "943bdb7bdf0eb750a2e1cf68cdf2bca9e7167beb",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}