Détails IP 147.185.132.9

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « postgres_probe » (signaux protocolaires) · confiance 49%

Confiance 49 % — Score WAF 8

Comparaison ASN / FAI

ASN 396982 · 147.185.132.0/22 · ARIN — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 12 événements sur la période pour cette IP.

205.210.31.37 stun probe 17/06/2026 20:00 UTC
205.210.31.98 Sonde port 21/TCP 17/06/2026 19:59 UTC
147.185.132.255 Sonde PostgreSQL 17/06/2026 19:56 UTC
205.210.31.92 Sonde PostgreSQL 17/06/2026 19:55 UTC
198.235.24.201 Sonde PostgreSQL 17/06/2026 19:55 UTC
147.185.132.108 Sonde PostgreSQL 17/06/2026 19:49 UTC
198.235.24.204 Sonde MySQL 17/06/2026 19:49 UTC
198.235.24.106 Sonde RDP 17/06/2026 19:48 UTC

IPs apparentées

Même FAI Google LLC — corrélation indicative.

205.210.31.37 stun probe
205.210.31.98 Sonde port 21/TCP
147.185.132.255 Sonde PostgreSQL
205.210.31.92 Sonde PostgreSQL
198.235.24.201 Sonde PostgreSQL

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

TLS TCP 8 HTTP TCP 3 HTTPS TCP 1

TLS

8

HTTP

3

HTTPS

1

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

De

À

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Chronologie des événements

12 événement(s) — page 1/1

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
17/06/2026 18:36:25 UTC	TCP	2080 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:2080 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 795bc7ce13f60d61 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2080 Chemin / cible — Service TLS Payload ��Ŝiw�Ȣ��D�k��хfp�L��hJǩh��/�+�0�,��'�#�� (�$�� gk39��<=/5� Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��Ŝiw�Ȣ��D�k��хfp�L��hJǩh��/�+�0�,��'�#�� (�$�� gk39��<=/5� Requête brute (extrait) ��Ŝiw�Ȣ��D�k��хfp�L��hJǩh��/�+�0�,��'�#�� (�$�� gk39��<=/5� 2�8@fj��5 � Meta JSON brut { "tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 29, "bytes_in": 207, "payload_entropy": 4.932049532171282, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 2080, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "780e1c5e1fa0753af856c4b8514cf55ba5bd6a96", "event_fingerprint": "d674b60c6f5e03ec4b102717696049e1531d076b", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "795bc7ce13f60d61e9ac03611dd36d90", "payload_hash": "e38d08f201ce8e9ce4ece73dfe085a8c", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "bcc542a5296d13201e694c8f5aa448d9", "tls_version": "0x0303", "tls_cipher_count": 52, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0", "tls_ja4_hash": "bcc542a5296d13201e694c8f5aa448d9", "tls_ja4": "t13d0152_4fb103f5e16c_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 52, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2080, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u015ciw\ufffd\u009b\u0222\ufffd\ufffdD\ufffdk\ufffd\ufffd\ufffd\u0445fp\ufffdL\ufffd\ufffdhJ\u01e9\u000f\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u015ciw\ufffd\u009b\u0222\ufffd\ufffdD\ufffdk\ufffd\ufffd\ufffd\u0445fp\ufffdL\ufffd\ufffdhJ\u01e9\u000f\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u015ciw\ufffd\u009b\u0222\ufffd\ufffdD\ufffdk\ufffd\ufffd\ufffd\u0445fp\ufffdL\ufffd\ufffdhJ\u01e9\u000f\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "033fe13a2926a3c2b2b3f7b2931edb5d11b9acc1", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u015ciw\ufffd\u009b\u0222\ufffd\ufffdD\ufffdk\ufffd\ufffd\ufffd\u0445fp\ufffdL\ufffd\ufffdhJ\u01e9\u000f\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90", "tls_ja4": "bcc542a5296d13201e694c8f5aa448d9", "port": 2080, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\u015ciw\ufffd\u009b\u0222\ufffd\ufffdD\ufffdk\ufffd\ufffd\ufffd\u0445fp\ufffdL\ufffd\ufffdhJ\u01e9h\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:2080 \u00b7 (sonde \/ probe)", "target_port_label": "2080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2080, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u015ciw\ufffd\u009b\u0222\ufffd\ufffdD\ufffdk\ufffd\ufffd\ufffd\u0445fp\ufffdL\ufffd\ufffdhJ\u01e9\u000f\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90", "tls_ja4": "bcc542a5296d13201e694c8f5aa448d9", "port": 2080, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:2080 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\u015ciw\ufffd\u009b\u0222\ufffd\ufffdD\ufffdk\ufffd\ufffd\ufffd\u0445fp\ufffdL\ufffd\ufffdhJ\u01e9h\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd", "target_port_label": "2080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
17/06/2026 18:36:24 UTC	TCP	2080 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:2080 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 2080 Chemin / cible — Service TLS Payload ��j��i'k_$��Cы�Ǐ�� Z�fy� Z%s�rC��VbD<�\|�]�� $�sQD�?�&�+�/�,�0̨̩� �� /5� { Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��j��i'k_$��Cы�Ǐ�� Z�fy� Z%s�rC��VbD<�\|�]�� $�sQD�?�&�+�/�,�0̨̩� �� /5� { Requête brute (extrait) ��j��i'k_$��Cы�Ǐ�� Z�fy� Z%s�rC��VbD<�\|�]�� $�sQD�?�&�+�/�,�0̨̩� �� /5� { �+ 3&$ ̾�I��r��@^�0�s� U6 �, Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 243, "payload_entropy": 5.774500849325423, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 2080, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.5, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "780e1c5e1fa0753af856c4b8514cf55ba5bd6a96", "event_fingerprint": "869f6e184566e1c3079c0bed2210308bdf163b7b", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "763b397aa21e12caa58f6be8bb3ee831", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 2080, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdi\u0014'k_$\ufffd\ufffdC\u044b\ufffd\u01cf\ufffd\ufffd\ufffd\n\u000eZ\ufffdfy\ufffd \u0001Z%s\ufffdrC\ufffd\ufffd\ufffdVbD<\ufffd\|\ufffd]\ufffd\ufffd\u0014\ufffd\n$\ufffdsQD\ufffd?\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdi\u0014'k_$\ufffd\ufffdC\u044b\ufffd\u01cf\ufffd\ufffd\ufffd\n\u000eZ\ufffdfy\ufffd \u0001Z%s\ufffdrC\ufffd\ufffd\ufffdVbD<\ufffd\|\ufffd]\ufffd\ufffd\u0014\ufffd\n$\ufffdsQD\ufffd?\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \u033e\ufffdI\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffd@^\u0002\ufffd\u000f0\ufffds\u0014\ufffd\u000b\u0002\u0012U6\u0006\t\ufffd,", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdi\u0014'k_$\ufffd\ufffdC\u044b\ufffd\u01cf\ufffd\ufffd\ufffd\n\u000eZ\ufffdfy\ufffd \u0001Z%s\ufffdrC\ufffd\ufffd\ufffdVbD<\ufffd\|\ufffd]\ufffd\ufffd\u0014\ufffd\n$\ufffdsQD\ufffd?\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c6e6fe0523617f731428b5217061d854b1eb92e7", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdi\u0014'k_$\ufffd\ufffdC\u044b\ufffd\u01cf\ufffd\ufffd\ufffd\n\u000eZ\ufffdfy\ufffd \u0001Z%s\ufffdrC\ufffd\ufffd\ufffdVbD<\ufffd\|\ufffd]\ufffd\ufffd\u0014\ufffd\n$\ufffdsQD\ufffd?\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2080, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdi'k_$\ufffd\ufffdC\u044b\ufffd\u01cf\ufffd\ufffd\ufffd\nZ\ufffdfy\ufffd Z%s\ufffdrC\ufffd\ufffd\ufffdVbD<\ufffd\|\ufffd]\ufffd\ufffd\ufffd\n$\ufffdsQD\ufffd?\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via TLS:2080 \u00b7 (sonde \/ probe)", "target_port_label": "2080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 2080, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0001\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdi\u0014'k_$\ufffd\ufffdC\u044b\ufffd\u01cf\ufffd\ufffd\ufffd\n\u000eZ\ufffdfy\ufffd \u0001Z%s\ufffdrC\ufffd\ufffd\ufffdVbD<\ufffd\|\ufffd]\ufffd\ufffd\u0014\ufffd\n$\ufffdsQD\ufffd?\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 2080, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:2080 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdj\ufffd\ufffd\ufffd\ufffd\ufffdi'k_$\ufffd\ufffdC\u044b\ufffd\u01cf\ufffd\ufffd\ufffd\nZ\ufffdfy\ufffd Z%s\ufffdrC\ufffd\ufffd\ufffdVbD<\ufffd\|\ufffd]\ufffd\ufffd\ufffd\n$\ufffdsQD\ufffd?\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "2080 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "2080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
15/06/2026 02:34:08 UTC	TCP	8443 · HTTPS	https	stun probe stun probe · via HTTPS:8443 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Reconnaissance Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Scan coordonné MITRE TA0007 TA0007 TA0001 Protocole Émulateur HTTPS WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Service HTTPS Payload okRH�#�:N�ⴂ/� T��y�h��="�� ,��n�Y�bhl�(=':��oȢד��幐(� �9k5=�� #��'3g2/< �� Pourquoi cette classification : Type « stun_probe » (signaux protocolaires) · confiance 44% Confiance classification 54% Corrélation +10 Risque capteur Faible · 35 Confiance : Confiance 44 % — Motif catalogue confirmé Protocole émulé 1 Signaux pat-0771 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) STUN binding Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) okRH�#�:N�ⴂ/� T��y�h��="�� ,��n�Y�bhl�(=':��oȢד��幐(� �9k5=�� #��'3g2/< �� Requête brute (extrait) okRH�#�:N�ⴂ/� T��y�h��="�� ,��n�Y�bhl�(=':��oȢד��幐(� �9k5=�� #��'3g2/< ��syndication.twimg.com� #��g`B��<�XO�iD��=]�L� ��B�� LDt}��`~G�h?2�(qݍ��(ى/� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 372, "payload_entropy": 6.827478645460878, "port_category": "registered", "org": "Google LLC", "service": "https", "app_proto": "https", "asn": 396982, "country": "US", "dst_port": 8443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab stun_probe \u00bb (signaux protocolaires) \u00b7 confiance 44%", "confidence": 0.54, "classification_confidence": 0.54, "precision_score": 52, "precision_signals": [ "pat-0771" ], "kb_rule_ids": [ "pat-0771" ], "matched_patterns": [ "pat-0771", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "STUN binding", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0771", "pat-0554", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35, "correlation_boost": 10 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 44, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "payload_hash": "8b81809bfd53087ba03b6f3907cd619b", "path_pattern_hash": "2209b46920c1113b64f1b7d3129712ba" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018", "evidence": { "request_sample": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018\u0000\u0000\u0015syndication.twimg.com\ufffd\u0001\u0000\u0001\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000#\u0000\ufffd\ufffd\u0001\u0019g`\u001e\u0004B\ufffd\ufffd\ufffd<\ufffdXO\ufffdiD\ufffd\u001d\ufffd\u0001\ufffd\ufffd\ufffd=]\ufffd\u0016L\ufffd \ufffd\ufffdB\ufffd\ufffd\ufffd\n\u0013\ufffd\ufffdLDt}\ufffd\ufffd\ufffd\ufffd\u0016`~G\u0007\u0015\ufffdh?2\ufffd(q\u074d\ufffd\ufffd\u0003\ufffd(\u0649\/\u000f\u0007\ufffd", "payload_snippet": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018", "classification_reason": "Type \u00ab stun_probe \u00bb (signaux protocolaires) \u00b7 confiance 44%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "83650ccaaa26f35efb0dc79604ef2aa006fba7c7", "protocol_details": { "payload_preview": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "evidence_snippet": "okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\"\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\n\ufffd9k5=\ufffd\ufffd\t\ufffd#\ufffd\ufffd\ufffd'3g2\/<\n\ufffd\ufffd", "attack_vector": "stun probe \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 44 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab stun_probe \u00bb (signaux protocolaires) \u00b7 confiance 44%", "classification_reason_label_fr": "Type \u00ab stun_probe \u00bb (signaux protocolaires) \u00b7 confiance 44%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 54, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 33, "novelty": 15, "risk_score": 35, "correlation_boost": 10 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "reconnaissance", "attack_chain_stage_label_fr": "Reconnaissance", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0771" ], "tags_summary_labels_fr": [ "pat-0771" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": [ "scan_coordonn\u00e9" ], "correlation_flags_labels_fr": [ "Scan coordonn\u00e9" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +10", "protocol_details": { "payload_preview": "\u0016\u0003\u0002\u0001o\u0001\u0000\u0001k\u0003\u0002RH\ufffd\u001a#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\u0013\ufffd\ufffd\u001c=\"\ufffd\u001a\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50\u0000(\ufffd\n\ufffd\u0014\u00009\u0000k\u00005\u0000=\ufffd\u0007\ufffd\t\ufffd#\ufffd\u0011\ufffd\u0013\ufffd'\u00003\u0000g\u00002\u0000\u0005\u0000\u0004\u0000\/\u0000<\u0000\n\u0001\u0000\u0000\ufffd\ufffd\u0000\u0000\u001a\u0000\u0018", "port": 8443, "service": "https", "service_label_fr": "HTTPS" }, "attack_vector": "stun probe \u00b7 via HTTPS:8443 \u00b7 (sonde \/ probe)", "evidence_snippet": "okRH\ufffd#\ufffd:N\ufffd\u2d02\/\ufffd\tT\ufffd\ufffd\ufffdy\ufffdh\ufffd\ufffd\ufffd=\"\ufffd\ufffd \ufffd\ufffd,\ufffd\ufffdn\ufffdY\ufffdbhl\ufffd(=':\ufffd\ufffd\ufffdo\u0222\u05d3\ufffd\ufffd\ufffd\u5e50(\ufffd\n\ufffd9k5=\ufffd\ufffd\t\ufffd#\ufffd\ufffd\ufffd'3g2\/<\n\ufffd\ufffd", "target_port_label": "8443 \u00b7 HTTPS", "emulator_service": "https", "confidence_reason": "Confiance 44 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 54 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +10", "campaign_hint_fr": "Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (147.185.132.0\/24, \u22653 pairs)", "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "reconnaissance", "label_fr": "Reconnaissance", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "coordinated_scan": true, "coordinated_subnet": "147.185.132.0\/24", "coordinated_ip_count": 3, "behavior_alerts": [ "coordinated_scan" ], "correlation_confidence_boost": 10, "attack_chain_stage": "reconnaissance", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello" ], "asn_dc_heuristic": true }
08/06/2026 01:25:37 UTC	TCP	8887 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8887 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 795bc7ce13f60d61 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8887 Chemin / cible — Service TLS Payload ��R��F� u�4��~� $A ��! ��3��#�m�h��/�+�0�,��'�#�� (�$�� gk39��<=/5� Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��R��F� u�4��~�$A��! ��3��#�m�h��/�+�0�,��'�#�� (�$�� gk39��<=/5� Requête brute (extrait) ��R��F� u�4��~� $A ��! ��3��#�m�h��/�+�0�,��'�#�� (�$�� gk39��<=/5� 2�8@fj��5 � Meta JSON brut { "tls_ja3_hash": "795bc7ce13f60d61e9ac03611dd36d90", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 29, "bytes_in": 207, "payload_entropy": 4.92603449594985, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8887, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "81285a6f5978629b18063c26a5975d4c60dd3f9e", "event_fingerprint": "96d8dcc2205381a159f7ef49b4e9ad17a572eafc", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "795bc7ce13f60d61e9ac03611dd36d90", "payload_hash": "44a9f3dabdf1fc128436a4bd244e9eec", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "bcc542a5296d13201e694c8f5aa448d9", "tls_version": "0x0303", "tls_cipher_count": 52, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,52244-52243-49199-49195-49200-49196-49169-49159-49191-49187-49171-49161-49192-49188-49172-49162-52245-158-159-103-107-51-57-156-157-5-4-60-61-47-53-49170-22-10-3-8-6-20-17-25-23-50-49160-18-19-21-56-64-102-106-162-163,5-10-11-13-65281-15,23-24-25,0", "tls_ja4_hash": "bcc542a5296d13201e694c8f5aa448d9", "tls_ja4": "t13d0152_4fb103f5e16c_40d2e578a3e2", "tls_version": "0x0303", "tls_cipher_count": 52, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8887, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\ufffd\ufffdF\ufffd\ru\ufffd4\ufffd\ufffd~\ufffd\f$A\u000b\ufffd\ufffd!\t\ufffd\ufffd3\ufffd\ufffd#\ufffdm\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\ufffd\ufffdF\ufffd\ru\ufffd4\ufffd\ufffd~\ufffd\f$A\u000b\ufffd\ufffd!\t\ufffd\ufffd3\ufffd\ufffd#\ufffdm\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017\u00002\ufffd\b\u0000\u0012\u0000\u0013\u0000\u0015\u00008\u0000@\u0000f\u0000j\u0000\ufffd\u0000\ufffd\u0001\u0000\u00005\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\f\u0000\n\u0004\u0001\u0004\u0003\u0002\u0001\u0002\u0003\u0002\u0002\ufffd\u0001\u0000\u0001\u0000\u0000\u000f\u0000\u0001\u0001", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\ufffd\ufffdF\ufffd\ru\ufffd4\ufffd\ufffd~\ufffd\f$A\u000b\ufffd\ufffd!\t\ufffd\ufffd3\ufffd\ufffd#\ufffdm\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "56157c4ce53301583ab4617da2b3682e7a9b2bfe", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\ufffd\ufffdF\ufffd\ru\ufffd4\ufffd\ufffd~\ufffd\f$A\u000b\ufffd\ufffd!\t\ufffd\ufffd3\ufffd\ufffd#\ufffdm\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90", "tls_ja4": "bcc542a5296d13201e694c8f5aa448d9", "port": 8887, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdF\ufffd\ru\ufffd4\ufffd\ufffd~\ufffd$A\ufffd\ufffd!\t\ufffd\ufffd3\ufffd\ufffd#\ufffdm\ufffdh\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:8887 \u00b7 (sonde \/ probe)", "target_port_label": "8887 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8887, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003R\ufffd\ufffd\ufffd\ufffdF\ufffd\ru\ufffd4\ufffd\ufffd~\ufffd\f$A\u000b\ufffd\ufffd!\t\ufffd\ufffd3\ufffd\ufffd#\ufffdm\ufffd\u0000\u0000h\ufffd\u0014\ufffd\u0013\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\u0011\ufffd\u0007\ufffd'\ufffd#\ufffd\u0013\ufffd\t\ufffd(\ufffd$\ufffd\u0014\ufffd\n\ufffd\u0015\u0000\ufffd\u0000\ufffd\u0000g\u0000k\u00003\u00009\u0000\ufffd\u0000\ufffd\u0000\u0005\u0000\u0004\u0000<\u0000=\u0000\/\u00005\ufffd\u0012\u0000\u0016\u0000\n\u0000\u0003\u0000\b\u0000\u0006\u0000\u0014\u0000\u0011\u0000\u0019\u0000\u0017", "tls_ja3": "795bc7ce13f60d61e9ac03611dd36d90", "tls_ja4": "bcc542a5296d13201e694c8f5aa448d9", "port": 8887, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8887 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdR\ufffd\ufffd\ufffd\ufffdF\ufffd\ru\ufffd4\ufffd\ufffd~\ufffd$A\ufffd\ufffd!\t\ufffd\ufffd3\ufffd\ufffd#\ufffdm\ufffdh\ufffd\ufffd\ufffd\/\ufffd+\ufffd0\ufffd,\ufffd\ufffd\ufffd'\ufffd#\ufffd\ufffd\t\ufffd(\ufffd$\ufffd\ufffd\n\ufffd\ufffd\ufffdgk39\ufffd\ufffd<=\/5\ufffd", "target_port_label": "8887 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8887" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true }
08/06/2026 01:25:36 UTC	TCP	8887 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:8887 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole JA3 19e29534fd49dd27 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8887 Chemin / cible — Service TLS Payload ��la �H�Q��#H��%�$e��hz� �}N��\|<�A�Gv��D#�}��:�D&�+�/�,�0̨̩� �� /5� { Pourquoi cette classification :* Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��la �H�Q��#H��%�$e��hz� �}N��\|<�A�Gv��D#�}��:�D&�+�/�,�0̨̩� �� /5� { Requête brute (extrait) ��la �H�Q��#H��%�$e��hz� �}N��\|<�A�Gv��D#�}��:�D&�+�/�,�0̨̩� �� /5� { �+ 3&$ �=��ѩ�@ �jW�V:4<�a��2��( Meta JSON brut { "tls_ja3_hash": "19e29534fd49dd27d09234e639c4057e", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 243, "payload_entropy": 5.7978948147821585, "port_category": "registered", "org": "Google LLC", "service": "tls", "app_proto": "tls", "asn": 396982, "country": "US", "dst_port": 8887, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 40, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "81285a6f5978629b18063c26a5975d4c60dd3f9e", "event_fingerprint": "f9d404e0083b9bc82217e5f747946e5e54920d9f", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": true, "is_tor_hint": false, "geo": { "country": "US", "asn": 396982, "org": "Google LLC", "is_datacenter": true, "is_tor_hint": false }, "fingerprint": { "ja3": "19e29534fd49dd27d09234e639c4057e", "payload_hash": "c84daa6e4dcea42601739bcb50cde1f8", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "7b5e3a15097abc10f88e98257ea51010", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,5-10-11-13-65281-18-43-51,29-23-24-25,0", "tls_ja4_hash": "7b5e3a15097abc10f88e98257ea51010", "tls_ja4": "t13d0119_86cb3216d275_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 8887, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdla \ufffdH\ufffdQ\ufffd\ufffd\ufffd\ufffd#H\ufffd\ufffd%\ufffd$\u000fe\ufffd\ufffd\u0007\ufffd\ufffdhz\ufffd\u0010 \ufffd}N\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffd\|<\ufffdA\ufffdGv\ufffd\ufffd\ufffd\u001bD\u0002#\ufffd}\ufffd\ufffd\u0006:\ufffdD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdla \ufffdH\ufffdQ\ufffd\ufffd\ufffd\ufffd#H\ufffd\ufffd%\ufffd$\u000fe\ufffd\ufffd\u0007\ufffd\ufffdhz\ufffd\u0010 \ufffd}N\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffd\|<\ufffdA\ufffdGv\ufffd\ufffd\ufffd\u001bD\u0002#\ufffd}\ufffd\ufffd\u0006:\ufffdD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\ufffd\u0001\u0000\u0001\u0000\u0000\u0012\u0000\u0000\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd=\ufffd\ufffd\u0013\u0469\ufffd@\u000b\ufffd\u0004j\u0012W\ufffdV:4<\ufffda\u001d\ufffd\ufffd2\u001f\ufffd\ufffd(", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdla \ufffdH\ufffdQ\ufffd\ufffd\ufffd\ufffd#H\ufffd\ufffd%\ufffd$\u000fe\ufffd\ufffd\u0007\ufffd\ufffdhz\ufffd\u0010 \ufffd}N\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffd\|<\ufffdA\ufffdGv\ufffd\ufffd\ufffd\u001bD\u0002#\ufffd}\ufffd\ufffd\u0006:\ufffdD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "24f2411bf1a4b9255790dc4b84715d0955ccf20d", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdla \ufffdH\ufffdQ\ufffd\ufffd\ufffd\ufffd#H\ufffd\ufffd%\ufffd$\u000fe\ufffd\ufffd\u0007\ufffd\ufffdhz\ufffd\u0010 \ufffd}N\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffd\|<\ufffdA\ufffdGv\ufffd\ufffd\ufffd\u001bD\u0002#\ufffd}\ufffd\ufffd\u0006:\ufffdD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8887, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffdla \ufffdH\ufffdQ\ufffd\ufffd\ufffd\ufffd#H\ufffd\ufffd%\ufffd$e\ufffd\ufffd\ufffd\ufffdhz\ufffd \ufffd}N\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\|<\ufffdA\ufffdGv\ufffd\ufffd\ufffdD#\ufffd}\ufffd\ufffd:\ufffdD&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "attack_vector": "postgres probe \u00b7 via TLS:8887 \u00b7 (sonde \/ probe)", "target_port_label": "8887 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 40, "protocol": 43, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 8887, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdla \ufffdH\ufffdQ\ufffd\ufffd\ufffd\ufffd#H\ufffd\ufffd%\ufffd$\u000fe\ufffd\ufffd\u0007\ufffd\ufffdhz\ufffd\u0010 \ufffd}N\ufffd\ufffd\ufffd\ufffd\ufffd\u000f\ufffd\|<\ufffdA\ufffdGv\ufffd\ufffd\ufffd\u001bD\u0002#\ufffd}\ufffd\ufffd\u0006:\ufffdD\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000", "tls_ja3": "19e29534fd49dd27d09234e639c4057e", "tls_ja4": "7b5e3a15097abc10f88e98257ea51010", "port": 8887, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:8887 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffdla \ufffdH\ufffdQ\ufffd\ufffd\ufffd\ufffd#H\ufffd\ufffd*%\ufffd$e\ufffd\ufffd\ufffd\ufffdhz\ufffd \ufffd}N\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\|<\ufffdA\ufffdGv\ufffd\ufffd\ufffdD#\ufffd}\ufffd\ufffd:\ufffdD&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n{", "target_port_label": "8887 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 49 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "8887" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ], "asn_dc_heuristic": true, "behavior_alert_count": 1, "behavior_priority": 72 }
27/05/2026 00:38:33 UTC	TCP	9200	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 9200 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 185, "payload_entropy": 4.938089755714326, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "4ff83866941387eed3b2a79c587b9123ca3ea9d5", "event_fingerprint": "a16cd42079d4cac0861c9c02cd9e970ed19d19c3", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
21/05/2026 22:31:59 UTC	TCP	1234	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1234 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "48a097f7ea72f8e15cb756cda66be0f90c57cdc7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.0926868802705325, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "50bff20b612bdb07d163e56d7466f6485f212b30", "event_fingerprint": "6fe2cad5073dfc51decdbe9cd9dd0dda0d29234d", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
21/05/2026 02:22:33 UTC	TCP	6363	http	web attack	Élevée	Critique · 100
Étape — WAF 23 Recommandation — Tags 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6363 Chemin / cible / Ligne de requête `GET / HTTP/1.1` User-Agent Hello from Palo Alto Networks, find out more about our scans in https://docs-cortex.paloaltonetworks.com/r/1/Cortex-Xpanse/Scanning-activity Règles WAF 950318:lfi-14 950406:ssrf-3 950470:nosqli-3 950734:sap-sapcontrol-path Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "689bfbab10519e1ecf247982c128c7460ee59d4d", "http_host_hash": "0918c21bb05d1be3c258b6d1b83e4dae58feb6f5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": false, "bytes_in": 218, "payload_entropy": 5.0783776349551015, "port_category": "registered", "org": "Google LLC", "service": "http", "app_proto": "http", "asn": 396982, "country": "US", "tag_count": 4, "anomaly_count": 0, "risk_score": 100, "campaign_key": "25127b7a1c7ef358a676819776bbe4fd59a7ef64", "event_fingerprint": "f024f6f3e99fb593adb4afbe035c5d9eb5eb75b9", "tags_list": [ "950318:lfi-14", "950406:ssrf-3", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
19/05/2026 00:35:39 UTC	TCP	2096	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
19/05/2026 00:35:38 UTC	TCP	2096	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
18/05/2026 20:57:28 UTC	TCP	2087	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1
18/05/2026 20:57:27 UTC	TCP	2087	tls	Sonde TLS	Moyenne	Faible · 33
Étape — WAF — Recommandation — Tags tls_ja3 tls_no_sni Cible HTTP — TLS SNI — Capteur paris-1

Réputation

Sécurité avancée

Offensive / Recon

Sécurité

DNS

Réseau

E-mail

IP

Utilitaires

147.185.132.9

Profil de menace

Pourquoi listée

Comparaison ASN / FAI

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence