16/06/2026 03:08:07 UTC
TCP
444 · HTTP
Scanner web
web scanner · via HTTP:444 · (sonde / probe)
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1595
TA0007
TA0001
Protocole
GET / UA Hello from Palo Alto Networks, find out more about our scans in…
Émulateur
HTTP
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
444
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Risque capteur
Moyen
· 47
Confiance : Confiance 100 % — 4 tag(s) WAF
Signaux
Scanner Palo Alto
Upstream
Waf Score
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:444
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-c
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:444 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "96bd0f703b966543acff1c39b6284d0525249c56",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 217,
"payload_entropy": 5.090937843463449,
"port_category": "well_known",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 444,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "c54a88ad91ac517fe582ec69768f7bc5e8869feb",
"event_fingerprint": "f0ea505da9cd3ea22a3bdb5e73f8dc37e1be39da",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "036b9c5431876105bfdd8f420ef53cfc",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 444,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"mitre": "T1595",
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "948fa1afe12faa6699111981c671c55241008c96",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 444,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c",
"attack_vector": "web scanner \u00b7 via HTTP:444 \u00b7 (sonde \/ probe)",
"target_port_label": "444 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"classification_reason_label_fr": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 47\/100",
"confidence_pct": 100,
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 47,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 444,
"protocol_emulated": null,
"tags_summary": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"tags_summary_labels_fr": [
"Scanner Palo Alto",
"Upstream",
"Waf Score"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1595",
"mitre_technique": "T1595",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpa\u2026",
"port": 444,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "web scanner \u00b7 via HTTP:444 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:444\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-c",
"target_port_label": "444 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 100 % \u2014 4 tag(s) WAF",
"confidence_factors_fr": "Confiance 100 % \u2014 Score WAF 57 \u00b7 4 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "444"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true,
"behavior_alert_count": 1,
"behavior_priority": 72
}
15/06/2026 05:17:39 UTC
TCP
3306 · MYSQL
Sonde MySQL
mysql probe · via MYSQL:3306 · (sonde / probe)
Élevée
Moyen · 48
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
T1110
TA0007
TA0001
Protocole
Émulateur
MYSQL
WAF
—
Recommandation
Surveiller
Tags
mysql_emulated
mysql_handshake
net_mysql_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
3306
Chemin / cible
—
Pourquoi cette classification : Poignée de main MySQL · confiance 95%
Confiance classification
95%
Risque capteur
Moyen
· 48
Confiance : Confiance 95 % — 3 signal(aux) capteur
Protocole émulé
1 Signaux
Db Mysql Auth
Upstream
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "380000000a382e302e33322d4d7953514c0004030201112233445566778899aabbccddeeff006d7973716c5f6e61746976655f70617373776f726400",
"emulator_response_len": 60,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "Google LLC",
"service": "mysql",
"app_proto": "mysql",
"asn": 396982,
"country": "US",
"dst_port": 3306,
"risk_waf": 8,
"risk_classification": 54,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 48,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "bef1cad8d681313ebc2fad5890e78941ae733f15",
"event_fingerprint": "7e64d2ea7efbfd080eb620b69c685e7503a67a61",
"classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 87,
"precision_signals": [
"INT-DB-mysql-auth",
"INT-upstream"
],
"kb_rule_ids": [
"INT-DB-mysql-auth",
"INT-upstream"
],
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"named_classification_skipped": false,
"service_name": "mysql",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "f92b97805e8111d6d69ad0f096b65c87"
},
"target_context": {
"dst_port": 3306,
"service": "mysql",
"service_name": "mysql",
"risk_score": 48
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1110"
],
"mitre": "T1110",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "51c4f619223cf8f2e8fe95a8f161b5010a39cc38",
"protocol_details": {
"mysql_auth_fr": "Handshake MySQL (auth)",
"port": 3306,
"service": "mysql",
"service_label_fr": "MYSQL"
},
"attack_vector": "mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)",
"target_port_label": "3306 \u00b7 MYSQL",
"emulator_service": "mysql",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Poign\u00e9e de main MySQL \u00b7 confiance 95%",
"classification_reason_label_fr": "Poign\u00e9e de main MySQL \u00b7 confiance 95%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 48\/100",
"confidence_pct": 95,
"confidence_breakdown": {
"waf": 8,
"classification": 54,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 48
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 48,
"risk_label": "Moyen",
"service_name": "mysql",
"service_label_fr": "MYSQL",
"dst_port": 3306,
"protocol_emulated": true,
"tags_summary": [
"INT-DB-mysql-auth",
"INT-upstream"
],
"tags_summary_labels_fr": [
"Db Mysql Auth",
"Upstream"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "T1110",
"mitre_technique": "T1110",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "8.0.32-MySQL",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"mysql_auth_fr": "Handshake MySQL (auth)",
"port": 3306,
"service": "mysql",
"service_label_fr": "MYSQL"
},
"attack_vector": "mysql probe \u00b7 via MYSQL:3306 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "3306 \u00b7 MYSQL",
"emulator_service": "mysql",
"confidence_reason": "Confiance 95 % \u2014 3 signal(aux) capteur",
"confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "mysql",
"service_banner": "8.0.32-MySQL",
"service_os": "linux",
"dst_port": "3306"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"mysql_emulated",
"mysql_handshake",
"net_mysql_probe"
],
"asn_dc_heuristic": true
}
15/06/2026 02:51:47 UTC
TCP
139 · SMB
Sonde SMB
smb probe · via SMB:139 · (sonde / probe)
Élevée
Faible · 21
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMB
WAF
—
Recommandation
Surveiller
Tags
net_smb_probe
smb_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
139
Chemin / cible
—
Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 21
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "smb",
"app_proto": "smb",
"asn": 396982,
"country": "US",
"dst_port": 139,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 21,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3953f1b3149bc01b700c2aadb2669056e2e94dea",
"event_fingerprint": "ac6f19094f4476f2d5f4af354de6040603cc1eb7",
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 21
},
"named_classification_skipped": false,
"service_name": "smb",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504"
},
"target_context": {
"dst_port": 139,
"service": "smb",
"service_name": "smb",
"risk_score": 21
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "56afc68ddb732aedcb4c436a0ff973c6b1ae80fb",
"protocol_details": {
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 21
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 21,
"risk_label": "Faible",
"service_name": "smb",
"service_label_fr": "SMB",
"dst_port": 139,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smb",
"service_banner": "honeypot-smb",
"service_os": "linux",
"dst_port": "139"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_smb_probe",
"smb_emulated"
],
"asn_dc_heuristic": true
}
15/06/2026 02:51:46 UTC
TCP
139 · SMB
Sonde SMB
smb probe · via SMB:139 · (sonde / probe)
Élevée
Faible · 32
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMB
WAF
—
Recommandation
Surveiller
Tags
net_smb_probe
smb_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
139
Chemin / cible
—
Service
SMB
Payload
���1�SMBr�����Eh���������������}��������NT LM 0.12���
Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 32
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0771
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
1�SMBr�����Eh���������������}��������NT LM 0.12��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "00000048",
"emulator_response_len": 4,
"bytes_in": 53,
"payload_entropy": 3.037242382532767,
"port_category": "well_known",
"org": "Google LLC",
"service": "smb",
"app_proto": "smb",
"asn": 396982,
"country": "US",
"dst_port": 139,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 32,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3953f1b3149bc01b700c2aadb2669056e2e94dea",
"event_fingerprint": "ac6f19094f4476f2d5f4af354de6040603cc1eb7",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0771"
],
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 32
},
"service_name": "smb",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f6e3339c8f446c4744156a63cec7085a",
"path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504"
},
"target_context": {
"dst_port": 139,
"service": "smb",
"service_name": "smb",
"risk_score": 32
},
"payload_preview": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"request_sample": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"payload_snippet": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"payload_snippet": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "16861df5cf87319acc744a826f7ee0845639dbec",
"protocol_details": {
"payload_preview": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"evidence_snippet": "1\ufffdSMBrEh\ufffd}NT LM 0.12",
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 32
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 32,
"risk_label": "Faible",
"service_name": "smb",
"service_label_fr": "SMB",
"dst_port": 139,
"protocol_emulated": true,
"tags_summary": [
"pat-0771"
],
"tags_summary_labels_fr": [
"pat-0771"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"evidence_snippet": "1\ufffdSMBrEh\ufffd}NT LM 0.12",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smb",
"service_banner": "honeypot-smb",
"service_os": "linux",
"dst_port": "139"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_smb_probe",
"smb_emulated"
],
"asn_dc_heuristic": true
}
15/06/2026 02:51:46 UTC
TCP
139 · SMB
Sonde port 139/TCP
port 139 tcp · via SMB:139 · (sonde / probe)
Élevée
Moyen · 42
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMB
WAF
—
Recommandation
Surveiller
Tags
net_smb_probe
smb_emulated
smb_negotiate
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
139
Chemin / cible
—
Preuve honeypot — Sonde port 139/TCP
Connexion détectée sur le port 139 (TCP) du capteur simulé.
Service
SMB
Payload
�����SMB@�������������������������������������������1234567890123456$�����������1234567890123456h�����������������������������,�
Pourquoi cette classification : Type « port_139_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Moyen
· 42
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1 Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
Sybase TDS login
ET H.323 setup
NFS RPC mount
Mumble ping
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��SMB@�������������������������������������������1234567890123456$�����������1234567890123456h�����������������������������,
Requête brute (extrait)
��SMB@�������������������������������������������1234567890123456$�����������1234567890123456h�����������������������������,������������� ��������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "00000048",
"emulator_response_len": 4,
"bytes_in": 176,
"payload_entropy": 2.3495313504805617,
"port_category": "well_known",
"org": "Google LLC",
"service": "smb",
"app_proto": "smb",
"asn": 396982,
"country": "US",
"dst_port": 139,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "568c1e362fa22aa3b71f895c46b0f5eaf32d68a3",
"event_fingerprint": "ac6f19094f4476f2d5f4af354de6040603cc1eb7",
"classification_reason": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0607",
"pat-0868",
"pat-0532",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"Sybase TDS login",
"ET H.323 setup",
"NFS RPC mount",
"Mumble ping",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0607",
"pat-0868",
"pat-0532",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 42
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "smb",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ac70ccc77bd07ff099f4a7bad8ac3311",
"path_pattern_hash": "c28c33b24c7c0c9eb2f5d7bb82e1cfc1"
},
"target_context": {
"dst_port": 139,
"service": "smb",
"service_name": "smb",
"risk_score": 42
},
"payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0001\u0000 \u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"classification_reason": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "16f5da24cb87c03447997c9426ccdcc8a93d6a02",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"evidence_snippet": "\ufffd\ufffdSMB@1234567890123456$1234567890123456h,",
"attack_vector": "port 139 tcp \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 42
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "smb",
"service_label_fr": "SMB",
"dst_port": 139,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "port 139 tcp \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdSMB@1234567890123456$1234567890123456h,",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smb",
"service_banner": "honeypot-smb",
"service_os": "linux",
"dst_port": "139"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_smb_probe",
"smb_emulated",
"smb_negotiate"
],
"asn_dc_heuristic": true
}
13/06/2026 20:44:32 UTC
TCP
139 · SMB
Sonde port 139/TCP
port 139 tcp · via SMB:139 · (sonde / probe)
Élevée
Moyen · 42
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMB
WAF
—
Recommandation
Surveiller
Tags
net_smb_probe
smb_emulated
smb_negotiate
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
139
Chemin / cible
—
Preuve honeypot — Sonde port 139/TCP
Connexion détectée sur le port 139 (TCP) du capteur simulé.
Service
SMB
Payload
�����SMB@�������������������������������������������1234567890123456$�����������1234567890123456h�����������������������������,�
Pourquoi cette classification : Type « port_139_tcp » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Confiance modérée — signal unique
Risque capteur
Moyen
· 42
Confiance : Confiance 49 % — Motif catalogue confirmé · Classification nommée non retenue — preuves insuffisantes
Protocole émulé
1 Signaux
pat-0348
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
RDP TPKT header
Sybase TDS login
ET H.323 setup
NFS RPC mount
Mumble ping
STUN binding
Minecraft varint handshake
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
��SMB@�������������������������������������������1234567890123456$�����������1234567890123456h�����������������������������,
Requête brute (extrait)
��SMB@�������������������������������������������1234567890123456$�����������1234567890123456h�����������������������������,������������� ��������������������
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "00000048",
"emulator_response_len": 4,
"bytes_in": 176,
"payload_entropy": 2.3495313504805617,
"port_category": "well_known",
"org": "Google LLC",
"service": "smb",
"app_proto": "smb",
"asn": 396982,
"country": "US",
"dst_port": 139,
"risk_waf": 8,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 42,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "568c1e362fa22aa3b71f895c46b0f5eaf32d68a3",
"event_fingerprint": "ac6f19094f4476f2d5f4af354de6040603cc1eb7",
"classification_reason": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0348"
],
"kb_rule_ids": [
"pat-0348"
],
"matched_patterns": [
"pat-0348",
"pat-0607",
"pat-0868",
"pat-0532",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"matched_pattern_names": [
"RDP TPKT header",
"Sybase TDS login",
"ET H.323 setup",
"NFS RPC mount",
"Mumble ping",
"STUN binding",
"Minecraft varint handshake",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0348",
"pat-0607",
"pat-0868",
"pat-0532",
"pat-0768",
"pat-0771",
"pat-0554",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 42
},
"named_classification_skipped": true,
"named_candidate": "rdp_probe",
"service_name": "smb",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "ac70ccc77bd07ff099f4a7bad8ac3311",
"path_pattern_hash": "c28c33b24c7c0c9eb2f5d7bb82e1cfc1"
},
"target_context": {
"dst_port": 139,
"service": "smb",
"service_name": "smb",
"risk_score": 42
},
"payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0001\u0000 \u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"payload_snippet": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"classification_reason": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "16f5da24cb87c03447997c9426ccdcc8a93d6a02",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"evidence_snippet": "\ufffd\ufffdSMB@1234567890123456$1234567890123456h,",
"attack_vector": "port 139 tcp \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab port_139_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 49,
"confidence_breakdown": {
"waf": 8,
"classification": 38,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 42
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "smb",
"service_label_fr": "SMB",
"dst_port": 139,
"protocol_emulated": true,
"tags_summary": [
"pat-0348"
],
"tags_summary_labels_fr": [
"pat-0348"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u0000\ufffd\ufffdSMB@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456$\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00001234567890123456h\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0011\u0003\u0000\u0000\u0002\u0000\u0006\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0002\u0000\u0001\u0000\u0000\u0000\u0001\u0000,\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "port 139 tcp \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdSMB@1234567890123456$1234567890123456h,",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes",
"confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smb",
"service_banner": "honeypot-smb",
"service_os": "linux",
"dst_port": "139"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_smb_probe",
"smb_emulated",
"smb_negotiate"
],
"asn_dc_heuristic": true
}
13/06/2026 20:44:32 UTC
TCP
139 · SMB
Sonde SMB
smb probe · via SMB:139 · (sonde / probe)
Élevée
Faible · 21
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMB
WAF
—
Recommandation
Surveiller
Tags
net_smb_probe
smb_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
139
Chemin / cible
—
Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Risque capteur
Faible
· 21
Confiance : Confiance 0 % — 2 signal(aux) capteur
Protocole émulé
1
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "Google LLC",
"service": "smb",
"app_proto": "smb",
"asn": 396982,
"country": "US",
"dst_port": 139,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 21,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3953f1b3149bc01b700c2aadb2669056e2e94dea",
"event_fingerprint": "ac6f19094f4476f2d5f4af354de6040603cc1eb7",
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 21
},
"named_classification_skipped": false,
"service_name": "smb",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504"
},
"target_context": {
"dst_port": 139,
"service": "smb",
"service_name": "smb",
"risk_score": 21
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "56afc68ddb732aedcb4c436a0ff973c6b1ae80fb",
"protocol_details": {
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"executive_one_liner_fr": "Activit\u00e9 suspecte",
"confidence_pct": 0,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 21
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 21,
"risk_label": "Faible",
"service_name": "smb",
"service_label_fr": "SMB",
"dst_port": 139,
"protocol_emulated": true,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": null,
"protocol_details": {
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 0 % \u2014 2 signal(aux) capteur",
"confidence_factors_fr": null,
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smb",
"service_banner": "honeypot-smb",
"service_os": "linux",
"dst_port": "139"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_smb_probe",
"smb_emulated"
],
"asn_dc_heuristic": true
}
13/06/2026 20:44:31 UTC
TCP
139 · SMB
Sonde SMB
smb probe · via SMB:139 · (sonde / probe)
Élevée
Faible · 32
Détails
Voir
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
Émulateur
SMB
WAF
—
Recommandation
Surveiller
Tags
net_smb_probe
smb_emulated
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
139
Chemin / cible
—
Service
SMB
Payload
���1�SMBr�����Eh���������������}��������NT LM 0.12���
Pourquoi cette classification : Type « smb_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Faible
· 32
Confiance : Confiance 50 % — Motif catalogue confirmé
Protocole émulé
1 Signaux
pat-0771
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
1�SMBr�����Eh���������������}��������NT LM 0.12��
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "00000048",
"emulator_response_len": 4,
"bytes_in": 53,
"payload_entropy": 3.037242382532767,
"port_category": "well_known",
"org": "Google LLC",
"service": "smb",
"app_proto": "smb",
"asn": 396982,
"country": "US",
"dst_port": 139,
"risk_waf": 8,
"risk_classification": 56,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 36,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0
},
"risk_score": 32,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "3953f1b3149bc01b700c2aadb2669056e2e94dea",
"event_fingerprint": "ac6f19094f4476f2d5f4af354de6040603cc1eb7",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"pat-0771"
],
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 32
},
"service_name": "smb",
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f6e3339c8f446c4744156a63cec7085a",
"path_pattern_hash": "b6c073dc229e6284b4cae7886c46d504"
},
"target_context": {
"dst_port": 139,
"service": "smb",
"service_name": "smb",
"risk_score": 32
},
"payload_preview": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"request_sample": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"payload_snippet": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"evidence": {
"request_sample": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"payload_snippet": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "16861df5cf87319acc744a826f7ee0845639dbec",
"protocol_details": {
"payload_preview": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"evidence_snippet": "1\ufffdSMBrEh\ufffd}NT LM 0.12",
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 32\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 56,
"behavior": 0,
"geo": 40,
"protocol": 36,
"novelty": 0,
"risk_score": 32
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 32,
"risk_label": "Faible",
"service_name": "smb",
"service_label_fr": "SMB",
"dst_port": 139,
"protocol_emulated": true,
"tags_summary": [
"pat-0771"
],
"tags_summary_labels_fr": [
"pat-0771"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-smb",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"payload_preview": "\u0000\u0000\u00001\ufffdSMBr\u0000\u0000\u0000\u0000\u0018Eh\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd}\u0000\u0000\u0001\u0000\u0000\u000e\u0000\u0002NT LM 0.12\u0000\u0002\u0000",
"port": 139,
"service": "smb",
"service_label_fr": "SMB"
},
"attack_vector": "smb probe \u00b7 via SMB:139 \u00b7 (sonde \/ probe)",
"evidence_snippet": "1\ufffdSMBrEh\ufffd}NT LM 0.12",
"target_port_label": "139 \u00b7 SMB",
"emulator_service": "smb",
"confidence_reason": "Confiance 50 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "smb",
"service_banner": "honeypot-smb",
"service_os": "linux",
"dst_port": "139"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"net_smb_probe",
"smb_emulated"
],
"asn_dc_heuristic": true
}
07/06/2026 06:11:10 UTC
TCP
2086 · HTTP
Scanner web
Élevée
Moyen · 47
Détails
Voir
Étape
Sonde / probe
MITRE
T1595
TA0007
TA0001
WAF
23
Recommandation
Surveiller
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2086
Chemin / cible
/
Pourquoi cette classification : User-Agent scanner commercial déclaré · confiance 100%
Confiance classification
100%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
UA Palo Alto Networks
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
lfi-14
ssrf-3
nosqli-3
sap-sapcontrol-path
Payload (extrait)
GET / HTTP/1.1
Host: 62.3.50.33:2086
User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-
Requête brute (extrait)
GET / HTTP/1.1 Host: 62.3.50.33:2086 User-Agent: Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Accept-Encoding: gzip
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "c70dc60c37e6bc871d82f3db16c89445a04f5577",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.104109930709399,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"dst_port": 2086,
"risk_waf": 57.5,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 35,
"risk_novelty": 25,
"risk_boost": 0,
"risk_granularity": 3.2,
"risk_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25
},
"risk_score": 47,
"tag_count": 5,
"anomaly_count": 0,
"campaign_key": "bcd5b754ba0d8edc686a1270aa358d6bb3b3fa57",
"event_fingerprint": "3dd09f19ec382055d8f8dc49a820da6e20ee148d",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%",
"confidence": 1,
"classification_confidence": 1,
"precision_score": 147,
"precision_signals": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"kb_rule_ids": [
"INT-scanner-palo-alto",
"INT-upstream",
"INT-waf-score"
],
"matched_patterns": [
"pat-0103",
"pat-0460"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"UA Palo Alto Networks"
],
"pattern_ids": [
"pat-0103",
"pat-0460"
],
"confidence_breakdown": {
"waf": 57.5,
"classification": 42,
"behavior": 0,
"geo": 40,
"protocol": 35,
"novelty": 25,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "http",
"risk_confidence_factor": 100,
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "ce3935d92be5f9290d282e51ab604b41",
"payload_hash": "8d73ef971a6c7c14928c5bc6e481ea5a",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2086,
"service": "http",
"service_name": "http",
"risk_score": 47
},
"payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity",
"waf_tags": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
],
"waf_rule_names": [
"lfi-14",
"ssrf-3",
"nosqli-3",
"sap-sapcontrol-path"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-cortex.paloaltonetworks.com\/r\/1\/Cortex-Xpanse\/Scanning-activity\r\nAccept-Encoding: gzip\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2086\r\nUser-Agent: Hello from Palo Alto Networks, find out more about our scans in https:\/\/docs-",
"classification_reason": "User-Agent scanner commercial d\u00e9clar\u00e9 \u00b7 confiance 100%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre_techniques": [
"T1595"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "8e6ee71bc38d28be538a120645051f6e52ee4db4",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2086"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"ban_policy": "advisory_monitor",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path",
"http_ua_disclosed_scanner"
],
"asn_dc_heuristic": true
}
04/06/2026 16:48:58 UTC
TCP
3389
Sonde RDP
Élevée
Faible · 17
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
3389
Chemin / cible
—
Confiance classification
68%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
���,'������Cookie: mstshash=WlhLyz
�����
Meta JSON brut
{
"bytes_in": 44,
"payload_entropy": 4.174674231978644,
"port_category": "registered",
"org": "Google LLC",
"service": "rdp",
"app_proto": "rdp",
"asn": 396982,
"country": "US",
"dst_port": 3389,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 17,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "6c983b4f58b54350982036948b6601b93c2563f4",
"event_fingerprint": "707be242ce71f14fac23ca7fdd82d854dc2752d8",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "777025987bbe5f8aab2918dadf8b1448",
"path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6"
},
"target_context": {
"dst_port": 3389,
"service": "rdp"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.68,
"classification_confidence": 0.68,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=WlhLyz\r\n\u0001\u0000\b\u0000\u0001\u0000\u0000\u0000",
"event_signature": "6c17dfcfb269e798d7c276baa56dfc0dbd5cb36d",
"ban_policy": "advisory_monitor",
"tags_list": [
"rdp_cookie"
],
"asn_dc_heuristic": true
}
04/06/2026 16:48:58 UTC
TCP
3389
Sonde RDP
Élevée
Faible · 17
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
3389
Chemin / cible
—
Confiance classification
68%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
���,'������Cookie: mstshash=oBWtUI
�����
Meta JSON brut
{
"bytes_in": 44,
"payload_entropy": 4.129219686524098,
"port_category": "registered",
"org": "Google LLC",
"service": "rdp",
"app_proto": "rdp",
"asn": 396982,
"country": "US",
"dst_port": 3389,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 17,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "6c983b4f58b54350982036948b6601b93c2563f4",
"event_fingerprint": "707be242ce71f14fac23ca7fdd82d854dc2752d8",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "847c4fc039a06b98cf32dcb60e28c5ba",
"path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6"
},
"target_context": {
"dst_port": 3389,
"service": "rdp"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.68,
"classification_confidence": 0.68,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0003\u0000\u0000,'\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=oBWtUI\r\n\u0001\u0000\b\u0000\u0003\u0000\u0000\u0000",
"event_signature": "655002100c8bb2b7f7c0441d65ac2862761a47dc",
"ban_policy": "advisory_monitor",
"tags_list": [
"rdp_cookie"
],
"asn_dc_heuristic": true
}
04/06/2026 16:48:58 UTC
TCP
3389
rdp attack
Élevée
Faible · 23
Détails
Étape
Tentative d'exploit
MITRE
TA0001
TA0002
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
04/06/2026 16:48:57 UTC
TCP
3389
Sonde RDP
Élevée
Faible · 17
Détails
Voir
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
rdp_cookie
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
Méthode
—
Port
3389
Chemin / cible
—
Confiance classification
68%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
���'"������Cookie: mstshash=meTJFEvAu
Meta JSON brut
{
"bytes_in": 39,
"payload_entropy": 4.454469604591307,
"port_category": "registered",
"org": "Google LLC",
"service": "rdp",
"app_proto": "rdp",
"asn": 396982,
"country": "US",
"dst_port": 3389,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 40,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 40,
"protocol": 0,
"novelty": 0
},
"risk_score": 17,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "6c983b4f58b54350982036948b6601b93c2563f4",
"event_fingerprint": "707be242ce71f14fac23ca7fdd82d854dc2752d8",
"city": null,
"is_datacenter": true,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 396982,
"org": "Google LLC",
"is_datacenter": true,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5f33edb1b020c9171048c40026618938",
"path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6"
},
"target_context": {
"dst_port": 3389,
"service": "rdp"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.68,
"classification_confidence": 0.68,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0003\u0000\u0000'\"\ufffd\u0000\u0000\u0000\u0000\u0000Cookie: mstshash=meTJFEvAu\r\n",
"event_signature": "d816689a0978c54089c001c944c84caebc0595e1",
"ban_policy": "advisory_monitor",
"tags_list": [
"rdp_cookie"
],
"asn_dc_heuristic": true
}
01/06/2026 03:24:50 UTC
TCP
23556
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
01/06/2026 03:24:50 UTC
TCP
23556
Sonde TLS
Moyenne
Faible · 31
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
01/06/2026 03:24:50 UTC
TCP
23556
Sonde HTTP
Élevée
Moyen · 61
Détails
Voir
Étape
—
WAF
6
Recommandation
—
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
http_ua_suspicious
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
23556
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.68.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117",
"http_host_hash": "8fbc4b262ba5febb8a95074e79a905b8e64738e9",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 80,
"payload_entropy": 4.8360778268796345,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 1,
"risk_score": 61,
"campaign_key": "bfa2bb938faf360e912c0bba383faeb1a859bf8d",
"event_fingerprint": "6fce8917ff66c811e742be4d0a0a7b357f82b282",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"http_ua_suspicious",
"scanner-ua"
]
}
01/06/2026 03:24:49 UTC
TCP
23556
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
01/06/2026 03:24:49 UTC
TCP
23556
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
01/06/2026 03:24:46 UTC
TCP
23556
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
30/05/2026 01:00:18 UTC
TCP
9002
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
28/05/2026 20:41:00 UTC
TCP
4567
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
4567
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "df97b45def6dc156977d159351072162731afe4c",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.113284242636005,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "752b3675da2dcac59bc8e3e9dbe47eead9365496",
"event_fingerprint": "b84f62ad0cd812d992d6f683d7ced9115b22763b",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
28/05/2026 19:59:34 UTC
TCP
5903
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
28/05/2026 03:37:14 UTC
TCP
4786
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
26/05/2026 23:13:53 UTC
TCP
2085
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2085
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "d202884bf63da2cb3762fbb22c32dfe9c0bf880b",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.104109930709399,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "4b38cce169639438c43758a4be8186adc8fee394",
"event_fingerprint": "2bc966f5534bc703301acd7c73f94119bdc33660",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
25/05/2026 21:22:55 UTC
TCP
25789
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
25/05/2026 21:22:55 UTC
TCP
25789
Sonde TLS
Moyenne
Faible · 33
Détails
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
23/05/2026 02:10:08 UTC
TCP
2525
web attack
Élevée
Critique · 100
Détails
Voir
Étape
—
WAF
23
Recommandation
—
Tags
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
Méthode
GET
Port
2525
Chemin / cible
/
Ligne de requête
GET / HTTP/1.1
User-Agent
Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity
Règles WAF
950318:lfi-14
950406:ssrf-3
950470:nosqli-3
950734:sap-sapcontrol-path
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d",
"http_host_hash": "3ff2557b071b4539f2a69d1b52092828dea822de",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 218,
"payload_entropy": 5.08801004536845,
"port_category": "registered",
"org": "Google LLC",
"service": "http",
"app_proto": "http",
"asn": 396982,
"country": "US",
"tag_count": 4,
"anomaly_count": 0,
"risk_score": 100,
"campaign_key": "3c6930513e183db3f6533c23e296cf4382a0a6f8",
"event_fingerprint": "738ceab49c657886a0e7bb682e8e3b28272375b7",
"tags_list": [
"950318:lfi-14",
"950406:ssrf-3",
"950470:nosqli-3",
"950734:sap-sapcontrol-path"
]
}
21/05/2026 00:04:42 UTC
TCP
6002
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
17/05/2026 19:12:34 UTC
TCP
5907
—
Sonde port
Faible
Faible · 0
Détails
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1