Détails IP 151.243.11.35

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 750 TLS TCP 39 HTTPS TCP 7 SAP ICM TCP 7 GAME UNREAL TCP 3 KERBEROS TCP 2

HTTP

750

TLS

HTTPS

SAP ICM

GAME UNREAL

KERBEROS

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous

Période

Protocole

Port (dst)

Service

Classification

Réinitialiser

Chronologie des événements

808 événement(s) — page 1/17

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
07/06/2026 18:10:28 UTC	TCP	8083 · HTTP	http	Sonde port 8083/TCP port 8083 tcp · via HTTP:8083 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.68.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8083 Chemin / cible / Preuve honeypot — Sonde port 8083/TCP Connexion détectée sur le port 8083 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8083_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8083, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "865f10df46a58aa51f18e87a7e20752382edd35c", "event_fingerprint": "5ae896afc025344dead8f70651f37e38c582ab4f", "classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8083, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f05565b4918615825d9b2375a25d342150d2f4e3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "attack_vector": "port 8083 tcp \u00b7 via HTTP:8083 \u00b7 (sonde \/ probe)", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 38\/100 (Faible) \u2014 MITRE TA0007 \u2014 confiance 55 % \u2014 via HTTP", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8083, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 8083, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8083 tcp \u00b7 via HTTP:8083 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "target_port_label": "8083 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 17:43:16 UTC	TCP	8081 · HTTP	http	Sonde port 8081/TCP port 8081 tcp · via HTTP:8081 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.68.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible / Preuve honeypot — Sonde port 8081/TCP Connexion détectée sur le port 8081 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8081_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8081, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "be4657ce52d3c7c246c62c1791104ff2773199e6", "event_fingerprint": "232c358527f57073b8ce3ac2952e07107acffec0", "classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a98e1d8b413887775d3caffaeea3ac0a23678c3", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "attack_vector": "port 8081 tcp \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8081, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 8081, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8081 tcp \u00b7 via HTTP:8081 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "target_port_label": "8081 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 55 % \u2014 Score WAF 32 \u00b7 2 tag(s) WAF" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 17:14:48 UTC	TCP	8085 · HTTP	http	Sonde port 8085/TCP port 8085 tcp · via HTTP:8085 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.68.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8085 Chemin / cible / Preuve honeypot — Sonde port 8085/TCP Connexion détectée sur le port 8085 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8085_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8085, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "de578c983cf6ca85fdb286751bcffe843d981741", "event_fingerprint": "b83aea09999e0a97772ac80be9abdd6aac8e5919", "classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8085, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "26620ceda2ea2f2c5dd47d6c144341271dd263f7", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 8085, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "attack_vector": "port 8085 tcp \u00b7 via HTTP:8085 \u00b7 (sonde \/ probe)", "target_port_label": "8085 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8085, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 8085, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8085 tcp \u00b7 via HTTP:8085 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "target_port_label": "8085 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8085" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 16:28:55 UTC	TCP	81 · HTTP	http	Sonde port 81/TCP port 81 tcp · via HTTP:81 · (sonde / probe)	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.68.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Preuve honeypot — Sonde port 81/TCP Connexion détectée sur le port 81 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_81_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "well_known", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 81, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "390e632f9c71147cf0806bc5a5704e8ff4323e7d", "event_fingerprint": "93b99149c88203d13851e75b2e5467efcd0111cb", "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "67ba24782406fc84a3caefad199c00b5d1f1e1de", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "attack_vector": "port 81 tcp \u00b7 via HTTP:81 \u00b7 (sonde \/ probe)", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 81, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 81, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 81 tcp \u00b7 via HTTP:81 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "target_port_label": "81 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 15:51:59 UTC	TCP	7777 · GAME UNREAL	game-unreal	Sonde jeu Unreal game-unreal · via GAME UNREAL:7777 · (sonde / probe)	Moyenne	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole Émulateur GAME-UNREAL WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7777 Chemin / cible — Service GAME UNREAL Pourquoi cette classification : Type « game-unreal » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Confiance : Confiance 0 % — 1 signal(aux) capteur Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a", "emulator_response_len": 42, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "game-unreal", "app_proto": "game-unreal", "asn": 209630, "country": "AE", "dst_port": 7777, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 32, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15 }, "risk_score": 24, "tag_count": 1, "anomaly_count": 0, "campaign_key": "3e7ec7f3991985c9eedf55a9c367a039789da62e", "event_fingerprint": "a35789f75452d6a73be983d5f266e3a77d710b7e", "classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "game-unreal", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "10384eda5161b41f764c9b11f5a8ba8f" }, "target_context": { "dst_port": 7777, "service": "game-unreal", "service_name": "game-unreal", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "573eb95ef8f84cc7da981b47951c693b05a7e3e6", "protocol_details": { "port": 7777, "service": "game-unreal", "service_label_fr": "GAME UNREAL" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "attack_vector": "game-unreal \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)", "target_port_label": "7777 \u00b7 GAME UNREAL", "emulator_service": "game-unreal", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur", "site_display": { "classification": null, "classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "game-unreal", "service_label_fr": "GAME UNREAL", "dst_port": 7777, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-game-unreal", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "port": 7777, "service": "game-unreal", "service_label_fr": "GAME UNREAL" }, "attack_vector": "game-unreal \u00b7 via GAME UNREAL:7777 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "target_port_label": "7777 \u00b7 GAME UNREAL", "emulator_service": "game-unreal", "confidence_reason": "Confiance 0 % \u2014 1 signal(aux) capteur" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "game_unreal", "service_banner": "honeypot-game-unreal", "service_os": "linux", "dst_port": "7777" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ] }
07/06/2026 15:25:12 UTC	TCP	8080 · HTTP	http	Sonde port 8080/TCP port 8080 tcp · via HTTP:8080 · (sonde / probe)	Élevée	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.68.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Preuve honeypot — Sonde port 8080/TCP Connexion détectée sur le port 8080 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_8080_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Moyen · 40 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8080, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 40, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6b72789ba559a30d0f30c2aa10343244d74f282e", "event_fingerprint": "122f6b472dc92a9979a36b83bcc8218f9cb29583", "classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d1d6bb1f268f30f688653bc01ef8be37a15921fe", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "attack_vector": "port 8080 tcp \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8080, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.68.0", "port": 8080, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 8080 tcp \u00b7 via HTTP:8080 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "target_port_label": "8080 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 14:31:19 UTC	TCP	8443 · HTTPS	https	Sonde PostgreSQL	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Confiance modérée — signal unique Risque capteur Faible · 35 Protocole émulé 1 Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��?V� �K��>�� BU��B�� ]��!>߱�o �&q9��3A`N��\�"��+�/�,�0̨̩� �� E� Requête brute (extrait) ��?V� �K��>�� BU��B�� ]��!>߱�o �&q9��3A`N��\�"��+�/�,�0̨̩� �� E � � + 3��\��7�UL��<�f{�-f� �ay��)�\|�op/%�.�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 1457, "payload_entropy": 7.763586063246881, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "https", "app_proto": "https", "asn": 209630, "country": "AE", "dst_port": 8443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d30983ace83739d9a22983c3791e4f59", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd?V\ufffd \ufffdK\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u000eBU\ufffd\ufffd\ufffd\ufffd\u0007\ufffdB\ufffd\ufffd\ufffd \u000b\ufffd]\ufffd\ufffd!>\u07f1\ufffdo\n\ufffd&q\b9\ufffd\ufffd3A`N\ufffd\ufffd\u0012\ufffd\\\ufffd\"\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd?V\ufffd \ufffdK\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u000eBU\ufffd\ufffd\ufffd\ufffd\u0007\ufffdB\ufffd\ufffd\ufffd \u000b\ufffd]\ufffd\ufffd!>\u07f1\ufffdo\n\ufffd&q\b9\ufffd\ufffd3A`N\ufffd\ufffd\u0012\ufffd\\\ufffd\"\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffd\ufffd\u0019\u0000\ufffd\ufffd\\\u001b\ufffd\ufffd7\ufffdUL\ufffd\ufffd<\ufffdf{\ufffd-f\ufffd\f\ufffday\u001d\u0006\u0005\ufffd\ufffd)\ufffd\|\ufffdop\/%\ufffd.\ufffd\ufffd\u0017\u0002\ufffd\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd?V\ufffd \ufffdK\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u000eBU\ufffd\ufffd\ufffd\ufffd\u0007\ufffdB\ufffd\ufffd\ufffd \u000b\ufffd]\ufffd\ufffd!>\u07f1\ufffdo\n\ufffd&q\b9\ufffd\ufffd3A`N\ufffd\ufffd\u0012\ufffd\\\ufffd\"\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd?V\ufffd \ufffdK\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u000eBU\ufffd\ufffd\ufffd\ufffd\u0007\ufffdB\ufffd\ufffd\ufffd \u000b\ufffd]\ufffd\ufffd!>\u07f1\ufffdo\n\ufffd&q\b9\ufffd\ufffd3A`N\ufffd\ufffd\u0012\ufffd\\\ufffd\"\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffd\ufffd\ufffd\u0019\u0000\ufffd\ufffd\\\u001b\ufffd\ufffd7\ufffdUL\ufffd\ufffd<\ufffdf{\ufffd-f\ufffd\f\ufffday\u001d\u0006\u0005\ufffd\ufffd)\ufffd\|\ufffdop\/%\ufffd.\ufffd\ufffd\u0017\u0002\ufffd\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd\ufffd?V\ufffd \ufffdK\ufffd\ufffd>\ufffd\ufffd\ufffd\ufffd\r\ufffd\ufffd\u000eBU\ufffd\ufffd\ufffd\ufffd\u0007\ufffdB\ufffd\ufffd\ufffd \u000b\ufffd]\ufffd\ufffd!>\u07f1\ufffdo\n\ufffd&q\b9\ufffd\ufffd3A`N\ufffd\ufffd\u0012\ufffd\\\ufffd\"\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e29e1c28981a5759d343bcab7a489b2dfcdb9d91", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence_pct": 49, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 35 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "https", "service_label_fr": "HTTPS", "dst_port": 8443, "protocol_emulated": true, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-https", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello" ] }
07/06/2026 14:16:34 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "sap-icm", "app_proto": "sap-icm", "asn": 209630, "country": "AE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5dd8b425ee22c6c2bdbfb7ac7e7032daa914f354", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf38f3f5ee1135c0e18cfda336cd76669075723a", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
07/06/2026 13:09:51 UTC	TCP	1111 · HTTP	http	Sonde port 1111/TCP	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1111 Chemin / cible / Preuve honeypot — Sonde port 1111/TCP Connexion détectée sur le port 1111 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_1111_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 1111, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "ea297c22c9b3f1f14cc6f6ddb3fc6aa88d165ae1", "event_fingerprint": "a2620a823d751bad85b7b2ead0c891288e81bc46", "classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1111, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f371fef750cd67fb6865cd34b79c3f662ca2440", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1111, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1111" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
07/06/2026 12:37:10 UTC	TCP	8083 · HTTP	http	Sonde port 8083/TCP	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8083 Chemin / cible / Preuve honeypot — Sonde port 8083/TCP Connexion détectée sur le port 8083 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8083_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8083, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "865f10df46a58aa51f18e87a7e20752382edd35c", "event_fingerprint": "5ae896afc025344dead8f70651f37e38c582ab4f", "classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8083, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f05565b4918615825d9b2375a25d342150d2f4e3", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8083, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 12:14:57 UTC	TCP	5000 · HTTP	http	Sonde port 5000/TCP	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible / Preuve honeypot — Sonde port 5000/TCP Connexion détectée sur le port 5000 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_5000_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 5000, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "2c9e6de3d0ef08c3b213ac439c060c62edec0f6a", "event_fingerprint": "2bc1c2cda4344dbe8adb234d705fd0cba69a3120", "classification_reason": "Type \u00ab port_5000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_5000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e400f78bb2caac2d3661d1b9cc9bf648c1668f5", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_5000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_5000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 5000, "protocol_emulated": true, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 11:22:54 UTC	TCP	7777 · GAME UNREAL	game-unreal	Sonde jeu Unreal	Moyenne	Faible · 24
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7777 Chemin / cible — Pourquoi cette classification : Type « game-unreal » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 24 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a", "emulator_response_len": 42, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "game-unreal", "app_proto": "game-unreal", "asn": 209630, "country": "AE", "dst_port": 7777, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 32, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15 }, "risk_score": 24, "tag_count": 1, "anomaly_count": 0, "campaign_key": "3e7ec7f3991985c9eedf55a9c367a039789da62e", "event_fingerprint": "a35789f75452d6a73be983d5f266e3a77d710b7e", "classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "game-unreal", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "10384eda5161b41f764c9b11f5a8ba8f" }, "target_context": { "dst_port": 7777, "service": "game-unreal", "service_name": "game-unreal", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "573eb95ef8f84cc7da981b47951c693b05a7e3e6", "site_display": { "classification": null, "classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15, "risk_score": 24 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 24, "risk_label": "Faible", "service_name": "game-unreal", "service_label_fr": "GAME UNREAL", "dst_port": 7777, "protocol_emulated": true, "tags_summary": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-game-unreal", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "game_unreal", "service_banner": "honeypot-game-unreal", "service_os": "linux", "dst_port": "7777" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ] }
07/06/2026 11:07:58 UTC	TCP	8888 · HTTP	http	Scanner web	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 42 Protocole émulé 1 Signaux pat-0599 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8888, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 42, "tag_count": 6, "anomaly_count": 1, "campaign_key": "e0db4986cd303a2bdf1668e4cfb3f7289d4e64d7", "event_fingerprint": "02d83459edfce64ea9c4204521900a0d5452ec35", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0599" ], "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%", "confidence_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 42 }, "service_name": "http", "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8888, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3674159bd90f0f04bf9f56ff051f27b6f08c8ac3", "site_display": { "classification": null, "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%", "classification_reason_label_fr": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%", "confidence_pct": 50, "confidence_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 42 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8888, "protocol_emulated": true, "tags_summary": [ "pat-0599" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8888" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 10:27:57 UTC	TCP	8801 · HTTP	http	Sonde port 8801/TCP	Élevée	Faible · 38
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8801 Chemin / cible / Preuve honeypot — Sonde port 8801/TCP Connexion détectée sur le port 8801 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8801_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8801, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "12a59529462aaef8b9a32b31441476aba2edd604", "event_fingerprint": "ed58fc0ca64b05d9728517d553a89cfb9855518b", "classification_reason": "Type \u00ab port_8801_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8801, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8801_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f219f5b4d90242a3241775963e6819ff7177cd68", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_8801_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_8801_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence_pct": 55, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 8801, "protocol_emulated": null, "tags_summary": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8801" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
07/06/2026 10:05:44 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP	Élevée	Faible · 34
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Risque capteur Faible · 34 Protocole émulé 1 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "sap-icm", "app_proto": "sap-icm", "asn": 209630, "country": "AE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5dd8b425ee22c6c2bdbfb7ac7e7032daa914f354", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf38f3f5ee1135c0e18cfda336cd76669075723a", "site_display": { "classification": null, "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "classification_reason_label_fr": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence_pct": 0, "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15, "risk_score": 34 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 34, "risk_label": "Faible", "service_name": "sap-icm", "service_label_fr": "SAP ICM", "dst_port": 8000, "protocol_emulated": true, "tags_summary": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-sap-icm", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
07/06/2026 09:29:17 UTC	TCP	8899 · HTTP	http	Sonde port 8899/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8899 Chemin / cible / Preuve honeypot — Sonde port 8899/TCP Connexion détectée sur le port 8899 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8899_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Risque capteur Faible · 38 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8899, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "7ebdcbbac76e056f78f6e438c0be13aaecc1801c", "event_fingerprint": "793795ecabb0e7b3bd3556d3c5479dad3f8b107e", "classification_reason": "Type \u00ab port_8899_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8899, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8899_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "019e7128e36d280e74ce411e9f581c40551e9f71", "site_display": { "classification": "port_8899_tcp", "classification_reason": "Type \u00ab port_8899_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence_pct": 55, "confidence_breakdown": { "classification": 0.55, "kb_score": 0, "rule_count": 0, "payload_proof": false, "pattern_proof": false, "named_classification_skipped": true }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "risk_score": 38, "risk_label": "Faible", "service_name": "http", "dst_port": 8899, "protocol_emulated": null, "tags_summary": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "sensor_role": "threat_intelligence" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8899" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
07/06/2026 09:07:14 UTC	TCP	8181 · HTTP	http	Sonde port 8181/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8181 Chemin / cible / Preuve honeypot — Sonde port 8181/TCP Connexion détectée sur le port 8181 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8181_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8181, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "f0b43653fcbd76eee02bf3d5a7df293964891864", "event_fingerprint": "7dc05c84705bb631a906361f6f851bd772b4c42a", "classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8181, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a22e82457d27902ed70ab8bc1feda1139c957933", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8181" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
07/06/2026 08:30:36 UTC	TCP	88 · KERBEROS	kerberos	kerberos	Moyenne	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 88 Chemin / cible — Pourquoi cette classification : Type « kerberos » (signaux protocolaires) · confiance 0% Confiance classification 0% Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "6e82000c0a104142434445464748494a", "emulator_response_len": 16, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "well_known", "org": "LLC Vash Kredit Bank", "service": "kerberos", "app_proto": "kerberos", "asn": 209630, "country": "AE", "dst_port": 88, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 32, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15 }, "risk_score": 24, "tag_count": 1, "anomaly_count": 0, "campaign_key": "8e9cb969ceab740c93efec9e791ca73d858fd046", "event_fingerprint": "31e4a798ccff9624b861a6d5c96061ad06a8a14c", "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15, "risk_score": 24 }, "named_classification_skipped": false, "service_name": "kerberos", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "d6f845779b5f0a377f3854eb15f1b5b6" }, "target_context": { "dst_port": 88, "service": "kerberos", "service_name": "kerberos", "risk_score": 24 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7c727866aecc7234e2975d9009b209aa393f0f34", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "kerberos", "service_banner": "honeypot-kerberos", "service_os": "linux", "dst_port": "88" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ] }
07/06/2026 07:51:34 UTC	TCP	8800 · HTTP	http	Sonde port 8800/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8800 Chemin / cible / Preuve honeypot — Sonde port 8800/TCP Connexion détectée sur le port 8800 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8800_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8800, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "3f12b58264a4a8f3046396d6378a65e61f6df2f4", "event_fingerprint": "e6640c6d3870992e0b8e6aebbdfbb668a25fb3ee", "classification_reason": "Type \u00ab port_8800_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8800, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8800_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4b055caecc15abaad5271de8e8a1648775e1030d", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8800" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
07/06/2026 07:39:51 UTC	TCP	8085 · HTTP	http	Sonde port 8085/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8085 Chemin / cible / Preuve honeypot — Sonde port 8085/TCP Connexion détectée sur le port 8085 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8085_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8085, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "de578c983cf6ca85fdb286751bcffe843d981741", "event_fingerprint": "b83aea09999e0a97772ac80be9abdd6aac8e5919", "classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8085, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "26620ceda2ea2f2c5dd47d6c144341271dd263f7", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8085" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 07:13:32 UTC	TCP	8090 · HTTP	http	Sonde port 8090/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8090 Chemin / cible / Preuve honeypot — Sonde port 8090/TCP Connexion détectée sur le port 8090 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8090_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8090, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "8260f75b8d725411979b253a9fd305d6c8984f54", "event_fingerprint": "9028a01c41411dd97fdbb8cc9621b5ff48076aae", "classification_reason": "Type \u00ab port_8090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8090, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f6466fb11360891324d7d52b0b0014bca849b623", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 05:56:24 UTC	TCP	8080 · HTTP	http	Sonde port 8080/TCP	Élevée	Moyen · 40
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Preuve honeypot — Sonde port 8080/TCP Connexion détectée sur le port 8080 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8080_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8080, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 40, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6b72789ba559a30d0f30c2aa10343244d74f282e", "event_fingerprint": "122f6b472dc92a9979a36b83bcc8218f9cb29583", "classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d1d6bb1f268f30f688653bc01ef8be37a15921fe", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 05:26:46 UTC	TCP	8081 · HTTP	http	Sonde port 8081/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible / Preuve honeypot — Sonde port 8081/TCP Connexion détectée sur le port 8081 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8081_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8081, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "be4657ce52d3c7c246c62c1791104ff2773199e6", "event_fingerprint": "232c358527f57073b8ce3ac2952e07107acffec0", "classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a98e1d8b413887775d3caffaeea3ac0a23678c3", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 05:10:36 UTC	TCP	8443 · HTTPS	https	Sonde PostgreSQL	Élevée	Faible · 35
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��!�ݞ�=�s�Q�>��锈��`�� ;]��0��;�h��UU։��+�/�,�0̨̩� �� E� Requête brute (extrait) ��!�ݞ�=�s�Q�>��锈��`�� ;]��0��;�h��UU։��+�/�,�0̨̩� �� E � � + 3��L�Pa"Qj�;9i�;��&�֢H#�O(+F��Xht�{�'I�g�Ņ1�& Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 1457, "payload_entropy": 7.7562770985031015, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "https", "app_proto": "https", "asn": 209630, "country": "AE", "dst_port": 8443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "https", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "95a8eb3a2c09f56b420cb254473773cb", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8443, "service": "https", "service_name": "https", "risk_score": 35 }, "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd!\ufffd\u075e\ufffd\u0011=\ufffds\ufffdQ\ufffd>\ufffd\ufffd\u9508\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\u001d\u0012 \u0015\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\u0005\ufffd\u0017;]\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd;\ufffdh\ufffd\ufffd\ufffdUU\u0589\ufffd\u0013\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd!\ufffd\u075e\ufffd\u0011=\ufffds\ufffdQ\ufffd>\ufffd\ufffd\u9508\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\u001d\u0012 \u0015\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\u0005\ufffd\u0017;]\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd;\ufffdh\ufffd\ufffd\ufffdUU\u0589\ufffd\u0013\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffdL\ufffdPa\u001c\"Qj\ufffd;9i\ufffd;\ufffd\ufffd&\ufffd\u05a2H\u0012\u001d#\ufffdO\u0011(\u0004+F\ufffd\ufffdXht\ufffd{\ufffd\u0014'I\ufffdg\ufffd\u01451\ufffd&", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd!\ufffd\u075e\ufffd\u0011=\ufffds\ufffdQ\ufffd>\ufffd\ufffd\u9508\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\u001d\u0012 \u0015\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\u0005\ufffd\u0017;]\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd;\ufffdh\ufffd\ufffd\ufffdUU\u0589\ufffd\u0013\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd!\ufffd\u075e\ufffd\u0011=\ufffds\ufffdQ\ufffd>\ufffd\ufffd\u9508\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\u001d\u0012 \u0015\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\u0005\ufffd\u0017;]\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd;\ufffdh\ufffd\ufffd\ufffdUU\u0589\ufffd\u0013\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\ufffdL\ufffdPa\u001c\"Qj\ufffd;9i\ufffd;\ufffd\ufffd&\ufffd\u05a2H\u0012\u001d#\ufffdO\u0011(\u0004+F\ufffd\ufffdXht\ufffd{\ufffd\u0014'I\ufffdg\ufffd\u01451\ufffd&", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffd!\ufffd\u075e\ufffd\u0011=\ufffds\ufffdQ\ufffd>\ufffd\ufffd\u9508\ufffd\ufffd\ufffd\ufffd\ufffd`\ufffd\ufffd\u001d\u0012 \u0015\ufffd\ufffd\ufffd\u001d\ufffd\ufffd\u0005\ufffd\u0017;]\ufffd\ufffd\ufffd0\ufffd\ufffd\ufffd\ufffd;\ufffdh\ufffd\ufffd\ufffdUU\u0589\ufffd\u0013\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "febed52e00a69ba34c98c5c75f29d782aa428c3f", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "https", "service_banner": "honeypot-https", "service_os": "linux", "dst_port": "8443" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello" ] }
07/06/2026 04:37:00 UTC	TCP	81 · HTTP	http	Sonde port 81/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Preuve honeypot — Sonde port 81/TCP Connexion détectée sur le port 81 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_81_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "well_known", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 81, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "390e632f9c71147cf0806bc5a5704e8ff4323e7d", "event_fingerprint": "93b99149c88203d13851e75b2e5467efcd0111cb", "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "67ba24782406fc84a3caefad199c00b5d1f1e1de", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 04:04:01 UTC	TCP	81 · HTTP	http	Sonde port 81/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Preuve honeypot — Sonde port 81/TCP Connexion détectée sur le port 81 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_81_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "well_known", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 81, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "390e632f9c71147cf0806bc5a5704e8ff4323e7d", "event_fingerprint": "93b99149c88203d13851e75b2e5467efcd0111cb", "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 81, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_81_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "67ba24782406fc84a3caefad199c00b5d1f1e1de", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "81" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 03:24:53 UTC	TCP	8080 · HTTP	http	Sonde port 8080/TCP	Élevée	Moyen · 40
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8080 Chemin / cible / Preuve honeypot — Sonde port 8080/TCP Connexion détectée sur le port 8080 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8080_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a206e67696e782f312e32342e300d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 81, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8080, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.3, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 40, "tag_count": 6, "anomaly_count": 1, "campaign_key": "6b72789ba559a30d0f30c2aa10343244d74f282e", "event_fingerprint": "122f6b472dc92a9979a36b83bcc8218f9cb29583", "classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 40 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8080, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8080_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d1d6bb1f268f30f688653bc01ef8be37a15921fe", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8080" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 02:47:09 UTC	TCP	8090 · HTTP	http	Sonde port 8090/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8090 Chemin / cible / Preuve honeypot — Sonde port 8090/TCP Connexion détectée sur le port 8090 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8090_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8090, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "8260f75b8d725411979b253a9fd305d6c8984f54", "event_fingerprint": "9028a01c41411dd97fdbb8cc9621b5ff48076aae", "classification_reason": "Type \u00ab port_8090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8090, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8090_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f6466fb11360891324d7d52b0b0014bca849b623", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8090" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
07/06/2026 01:36:02 UTC	TCP	5000 · HTTP	http	Sonde port 5000/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible / Preuve honeypot — Sonde port 5000/TCP Connexion détectée sur le port 5000 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_5000_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 5000, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "2c9e6de3d0ef08c3b213ac439c060c62edec0f6a", "event_fingerprint": "2bc1c2cda4344dbe8adb234d705fd0cba69a3120", "classification_reason": "Type \u00ab port_5000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5000, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_5000_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e400f78bb2caac2d3661d1b9cc9bf648c1668f5", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "5000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 00:42:27 UTC	TCP	8085 · HTTP	http	Sonde port 8085/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8085 Chemin / cible / Preuve honeypot — Sonde port 8085/TCP Connexion détectée sur le port 8085 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8085_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8085, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "de578c983cf6ca85fdb286751bcffe843d981741", "event_fingerprint": "b83aea09999e0a97772ac80be9abdd6aac8e5919", "classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8085, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8085_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "26620ceda2ea2f2c5dd47d6c144341271dd263f7", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8085" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 00:05:11 UTC	TCP	8000 · SAP ICM	sap-icm	Sonde SAP ICM HTTP	Élevée	Faible · 34
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "sap-icm", "app_proto": "sap-icm", "asn": 209630, "country": "AE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15 }, "risk_score": 34, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5dd8b425ee22c6c2bdbfb7ac7e7032daa914f354", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15, "risk_score": 34 }, "named_classification_skipped": false, "service_name": "sap-icm", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm", "service_name": "sap-icm", "risk_score": 34 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf38f3f5ee1135c0e18cfda336cd76669075723a", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "sap_icm", "service_banner": "honeypot-sap-icm", "service_os": "linux", "dst_port": "8000" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
06/06/2026 23:41:02 UTC	TCP	1111 · HTTP	http	Sonde port 1111/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1111 Chemin / cible / Preuve honeypot — Sonde port 1111/TCP Connexion détectée sur le port 1111 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_1111_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 1111, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.9, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "ea297c22c9b3f1f14cc6f6ddb3fc6aa88d165ae1", "event_fingerprint": "a2620a823d751bad85b7b2ead0c891288e81bc46", "classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1111, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_1111_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1f371fef750cd67fb6865cd34b79c3f662ca2440", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1111" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 72 }
06/06/2026 23:01:17 UTC	TCP	8181 · HTTP	http	Sonde port 8181/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8181 Chemin / cible / Preuve honeypot — Sonde port 8181/TCP Connexion détectée sur le port 8181 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8181_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8181, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "f0b43653fcbd76eee02bf3d5a7df293964891864", "event_fingerprint": "7dc05c84705bb631a906361f6f851bd772b4c42a", "classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8181, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8181_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a22e82457d27902ed70ab8bc1feda1139c957933", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8181" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
06/06/2026 22:48:35 UTC	TCP	8081 · HTTP	http	Sonde port 8081/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible / Preuve honeypot — Sonde port 8081/TCP Connexion détectée sur le port 8081 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8081_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8081, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 38, "tag_count": 6, "anomaly_count": 1, "campaign_key": "be4657ce52d3c7c246c62c1791104ff2773199e6", "event_fingerprint": "232c358527f57073b8ce3ac2952e07107acffec0", "classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8081, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8081_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4a98e1d8b413887775d3caffaeea3ac0a23678c3", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8081" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
06/06/2026 21:56:47 UTC	TCP	8899 · HTTP	http	Sonde port 8899/TCP	Élevée	Faible · 38
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8899 Chemin / cible / Preuve honeypot — Sonde port 8899/TCP Connexion détectée sur le port 8899 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8899_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8899, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 38, "tag_count": 5, "anomaly_count": 1, "campaign_key": "7ebdcbbac76e056f78f6e438c0be13aaecc1801c", "event_fingerprint": "793795ecabb0e7b3bd3556d3c5479dad3f8b107e", "classification_reason": "Type \u00ab port_8899_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 38 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8899, "service": "http", "service_name": "http", "risk_score": 38 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8899_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "019e7128e36d280e74ce411e9f581c40551e9f71", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8899" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
06/06/2026 21:34:29 UTC	TCP	8083 · HTTP	http	Sonde port 8083/TCP	Élevée	Faible · 27
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8083 Chemin / cible / Preuve honeypot — Sonde port 8083/TCP Connexion détectée sur le port 8083 (TCP) du capteur simulé. Pourquoi cette classification : Type « port_8083_tcp » (signaux protocolaires) · confiance 55% Confiance classification 55% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8083, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.8, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 27, "tag_count": 6, "anomaly_count": 1, "campaign_key": "865f10df46a58aa51f18e87a7e20752382edd35c", "event_fingerprint": "5ae896afc025344dead8f70651f37e38c582ab4f", "classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.55, "classification_confidence": 0.55, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30, "risk_score": 27 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8083, "service": "http", "service_name": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab port_8083_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f05565b4918615825d9b2375a25d342150d2f4e3", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "8083" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
06/06/2026 20:59:01 UTC	TCP	8801 · HTTP	http	Scanner web	Élevée	Faible · 18
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8801 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8801, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 18, "tag_count": 5, "anomaly_count": 1, "campaign_key": "12a59529462aaef8b9a32b31441476aba2edd604", "event_fingerprint": "ed58fc0ca64b05d9728517d553a89cfb9855518b", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "classification": 0, "kb_score": 0, "rule_count": 0, "payload_proof": false, "pattern_proof": false }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8801, "service": "http", "service_name": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6c50d674c7bfefff30c39d0f7744e16e8d53c1bf", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
06/06/2026 20:52:36 UTC	TCP	88 · KERBEROS	kerberos	kerberos	Moyenne	Faible · 1
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 88 Chemin / cible — Pourquoi cette classification : Type « kerberos » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "6e82000c0a104142434445464748494a", "emulator_response_len": 16, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "well_known", "org": "LLC Vash Kredit Bank", "service": "kerberos", "app_proto": "kerberos", "asn": 209630, "country": "AE", "dst_port": 88, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 32, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.5, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15 }, "risk_score": 1, "tag_count": 1, "anomaly_count": 0, "campaign_key": "8e9cb969ceab740c93efec9e791ca73d858fd046", "event_fingerprint": "31e4a798ccff9624b861a6d5c96061ad06a8a14c", "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "classification": 0, "kb_score": 0, "rule_count": 0, "payload_proof": false, "pattern_proof": false }, "named_classification_skipped": false, "service_name": "kerberos", "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "d6f845779b5f0a377f3854eb15f1b5b6" }, "target_context": { "dst_port": 88, "service": "kerberos", "service_name": "kerberos" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab kerberos \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7c727866aecc7234e2975d9009b209aa393f0f34", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ] }
06/06/2026 20:19:45 UTC	TCP	7777	game-unreal	Sonde jeu Unreal	Moyenne	Faible · 2
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7777 Chemin / cible — Pourquoi cette classification : Type « game-unreal » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "32323020686f6e6579706f742067616d655f756e7265616c20726561647920706f72743d373737370d0a", "emulator_response_len": 42, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "game-unreal", "app_proto": "game-unreal", "asn": 209630, "country": "AE", "dst_port": 7777, "risk_waf": 8, "risk_classification": 16, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 32, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 16, "behavior": 0, "geo": 0, "protocol": 32, "novelty": 15 }, "risk_score": 2, "tag_count": 1, "anomaly_count": 0, "campaign_key": "3e7ec7f3991985c9eedf55a9c367a039789da62e", "event_fingerprint": "a35789f75452d6a73be983d5f266e3a77d710b7e", "classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "10384eda5161b41f764c9b11f5a8ba8f" }, "target_context": { "dst_port": 7777, "service": "game-unreal" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab game-unreal \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "573eb95ef8f84cc7da981b47951c693b05a7e3e6", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe" ] }
06/06/2026 19:43:10 UTC	TCP	8888	http	Scanner web	Élevée	Faible · 28
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8888 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8888, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.6, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 28, "tag_count": 6, "anomaly_count": 1, "campaign_key": "e0db4986cd303a2bdf1668e4cfb3f7289d4e64d7", "event_fingerprint": "02d83459edfce64ea9c4204521900a0d5452ec35", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0599" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8888, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%" }, "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3674159bd90f0f04bf9f56ff051f27b6f08c8ac3", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
06/06/2026 18:55:53 UTC	TCP	8443	https	Sonde PostgreSQL	Élevée	Faible · 15
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��K�3�(�I��hV�QUT݅��l��^� O�La� ߋ��TlX�d}��>�,�+�/�,�0̨̩� �� E� Requête brute (extrait) ��K�3�(�I��hV�QUT݅��l��^� O�La� ߋ��TlX�d}��>�,�+�/�,�0̨̩� �� E � � + 3��gL Ojt$�(��X�c�l�,�g�äZ� 0��5� /Mżj� Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 1457, "payload_entropy": 7.71972999392895, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "https", "app_proto": "https", "asn": 209630, "country": "AE", "dst_port": 8443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 15, "tag_count": 3, "anomaly_count": 0, "campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "745dbdd02db3d9956409dd322c289efc", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8443, "service": "https" }, "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdK\ufffd3\ufffd(\ufffdI\ufffd\ufffd\ufffd\ufffdhV\ufffdQUT\u0745\ufffd\ufffd\ufffd\ufffd\u0006l\ufffd\ufffd\ufffd^\ufffd \u0016\u0012O\ufffdLa\ufffd\t\u07cb\u0013\u0018\ufffd\ufffd\ufffd\ufffdTlX\u0007\ufffdd}\ufffd\ufffd\u0004\ufffd\ufffd>\ufffd,\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdK\ufffd3\ufffd(\ufffdI\ufffd\ufffd\ufffd\ufffdhV\ufffdQUT\u0745\ufffd\ufffd\ufffd\ufffd\u0006l\ufffd\ufffd\ufffd^\ufffd \u0016\u0012O\ufffdLa\ufffd\t\u07cb\u0013\u0018\ufffd\ufffd\ufffd\ufffdTlX\u0007\ufffdd}\ufffd\ufffd\u0004\ufffd\ufffd>\ufffd,\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffdg\u0002L\n\u0003O\u0016jt$\ufffd(\ufffd\u001b\ufffd\u001bX\ufffdc\ufffdl\ufffd,\ufffdg\ufffd\u00e4Z\ufffd\n0\u0013\ufffd\ufffd\ufffd\u00025\u0011\ufffd \t\/M\u017cj\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdK\ufffd3\ufffd(\ufffdI\ufffd\ufffd\ufffd\ufffdhV\ufffdQUT\u0745\ufffd\ufffd\ufffd\ufffd\u0006l\ufffd\ufffd\ufffd^\ufffd \u0016\u0012O\ufffdLa\ufffd\t\u07cb\u0013\u0018\ufffd\ufffd\ufffd\ufffdTlX\u0007\ufffdd}\ufffd\ufffd\u0004\ufffd\ufffd>\ufffd,\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdK\ufffd3\ufffd(\ufffdI\ufffd\ufffd\ufffd\ufffdhV\ufffdQUT\u0745\ufffd\ufffd\ufffd\ufffd\u0006l\ufffd\ufffd\ufffd^\ufffd \u0016\u0012O\ufffdLa\ufffd\t\u07cb\u0013\u0018\ufffd\ufffd\ufffd\ufffdTlX\u0007\ufffdd}\ufffd\ufffd\u0004\ufffd\ufffd>\ufffd,\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffdg\u0002L\n\u0003O\u0016jt$\ufffd(\ufffd\u001b\ufffd\u001bX\ufffdc\ufffdl*\ufffd,\ufffdg\ufffd\u00e4Z\ufffd\n0\u0013\ufffd\ufffd\ufffd\u00025\u0011\ufffd \t\/M\u017cj\u0000\ufffd", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003\ufffdK\ufffd3\ufffd(\ufffdI\ufffd\ufffd\ufffd\ufffdhV\ufffdQUT\u0745\ufffd\ufffd\ufffd\ufffd\u0006l\ufffd\ufffd\ufffd^\ufffd \u0016\u0012O\ufffdLa\ufffd\t\u07cb\u0013\u0018\ufffd\ufffd\ufffd\ufffdTlX\u0007\ufffdd}\ufffd\ufffd\u0004\ufffd\ufffd>\ufffd,\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a0f96d66e5b27c14c758fa247f0df2a5731770fd", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello" ] }
06/06/2026 18:50:37 UTC	TCP	8800	http	Scanner web	Élevée	Faible · 17
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8800 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8800, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 17, "tag_count": 5, "anomaly_count": 1, "campaign_key": "3f12b58264a4a8f3046396d6378a65e61f6df2f4", "event_fingerprint": "e6640c6d3870992e0b8e6aebbdfbb668a25fb3ee", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8800, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71f4f31e4aee017a33b27707ada31a72347a0bf2", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
06/06/2026 18:00:13 UTC	TCP	8899	http	Scanner web	Élevée	Faible · 13
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8899 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8899, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 13, "tag_count": 5, "anomaly_count": 1, "campaign_key": "7ebdcbbac76e056f78f6e438c0be13aaecc1801c", "event_fingerprint": "793795ecabb0e7b3bd3556d3c5479dad3f8b107e", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8899, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b4b34cfe477fd739ce3cbae942ee0983cf10d38b", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
06/06/2026 17:30:29 UTC	TCP	8443	https	Sonde PostgreSQL	Élevée	Faible · 15
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http_alt_port net_web_probe tls_clienthello Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8443 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��%�Q��X^;n�6��Iz�:Y��j��?�+ �u�2��s��?�}�[�p��[��?��+�/�,�0̨̩� �� E� Requête brute (extrait) ��%�Q��X^;n�6��Iz�:Y��j��?�+ �u�2��s��?� }�[�p��[��?��+�/�,�0̨̩� �� E � � + 3��I_fQ��&�H@6�r��n�c�va�{6Y�K S#;$�j�# Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a204170616368652f322e342e35370d0a436f6e74656e742d4c656e6774683a20320d0a436f6e6e656374696f6e3a20636c6f73650d0a0d0a4f4b", "emulator_response_len": 82, "bytes_in": 1398, "payload_entropy": 7.745041735737252, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "https", "app_proto": "https", "asn": 209630, "country": "AE", "dst_port": 8443, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 33, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.8, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 33, "novelty": 15 }, "risk_score": 15, "tag_count": 3, "anomaly_count": 0, "campaign_key": "841a7de3c3cbd932ffe2df923d0bb6a948309046", "event_fingerprint": "48aa5a12dd4150e072f6d3dd03f9143ac67f8d69", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "9e51dd9e3b8baa7f7c617f1000e8b251", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 8443, "service": "https" }, "payload_preview": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003%\ufffdQ\ufffd\ufffd\ufffdX^;n\ufffd6\ufffd\u0014\ufffd\ufffdIz\ufffd:Y\ufffd\ufffdj\ufffd\ufffd\ufffd?\ufffd\u0014+ \ufffdu\ufffd2\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd?\ufffd\f}\ufffd[\ufffdp\u0005\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd?\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003%\ufffdQ\ufffd\ufffd\ufffdX^;n\ufffd6\ufffd\u0014\ufffd\ufffdIz\ufffd:Y\ufffd\ufffdj\ufffd\ufffd\ufffd?\ufffd\u0014+ \ufffdu\ufffd2\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd?\ufffd\f}\ufffd[\ufffdp\u0005\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd?\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u0014\ufffdI_fQ\ufffd\ufffd\ufffd\ufffd&\ufffdH@\u001b6\ufffdr\ufffd\u001d\u0014\ufffd\ufffd\ufffd\ufffdn\ufffdc\ufffdva\ufffd\u0003{6Y\ufffdK\nS\u0014#\u0000;$\ufffdj\u0004\ufffd#", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003%\ufffdQ\ufffd\ufffd\ufffdX^;n\ufffd6\ufffd\u0014\ufffd\ufffdIz\ufffd:Y\ufffd\ufffdj\ufffd\ufffd\ufffd?\ufffd\u0014+ \ufffdu\ufffd2\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd?\ufffd\f}\ufffd[\ufffdp\u0005\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd?\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "evidence": { "request_sample": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003%\ufffdQ\ufffd\ufffd\ufffdX^;n\ufffd6\ufffd\u0014\ufffd\ufffdIz\ufffd:Y\ufffd\ufffdj\ufffd\ufffd\ufffd?\ufffd\u0014+ \ufffdu\ufffd2\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd?\ufffd\f}\ufffd[\ufffdp\u0005\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd?\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\f\u0000\n\u0011\ufffd\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0004\ufffd\u0004\ufffd\u0011\ufffd\u0004\ufffd\u0014\ufffdI_fQ\ufffd\ufffd\ufffd\ufffd&\ufffdH@\u001b6\ufffdr\ufffd\u001d\u0014\ufffd\ufffd\ufffd\ufffdn\ufffdc\ufffdva\ufffd\u0003{6Y\ufffdK\nS\u0014#\u0000;$\ufffdj\u0004\ufffd#", "payload_snippet": "\u0016\u0003\u0001\u0005\ufffd\u0001\u0000\u0005\ufffd\u0003\u0003%\ufffdQ\ufffd\ufffd\ufffdX^;n\ufffd6\ufffd\u0014\ufffd\ufffdIz\ufffd:Y\ufffd\ufffdj\ufffd\ufffd\ufffd?\ufffd\u0014+ \ufffdu\ufffd2\ufffd\ufffd\ufffds\ufffd\ufffd\ufffd?\ufffd\f}\ufffd[\ufffdp\u0005\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd?\ufffd\ufffd\u0000\u001a\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0005E\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e488f68577032c53008f9f835156bcf03365da9e", "ban_policy": "advisory_monitor", "tags_list": [ "http_alt_port", "net_web_probe", "tls_clienthello" ] }
06/06/2026 17:04:48 UTC	TCP	8800	http	Scanner web	Élevée	Faible · 17
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8800 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8800, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.1, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 17, "tag_count": 5, "anomaly_count": 1, "campaign_key": "3f12b58264a4a8f3046396d6378a65e61f6df2f4", "event_fingerprint": "e6640c6d3870992e0b8e6aebbdfbb668a25fb3ee", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8800, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71f4f31e4aee017a33b27707ada31a72347a0bf2", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
06/06/2026 16:46:09 UTC	TCP	8000	sap-icm	Sonde SAP ICM HTTP	Élevée	Faible · 8
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe net_sap_web_probe sap_icm_emulated sap_icm_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 8000 Chemin / cible — Pourquoi cette classification : Type « sap_web_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205341502049434d0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2036300d0a0d0a3c68746d6c3e3c626f64793e53415020496e7465726e657420436f6d6d756e69636174696f6e204d616e616765723c", "emulator_response_len": 141, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "sap-icm", "app_proto": "sap-icm", "asn": 209630, "country": "AE", "dst_port": 8000, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.7, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 15 }, "risk_score": 8, "tag_count": 4, "anomaly_count": 0, "campaign_key": "5dd8b425ee22c6c2bdbfb7ac7e7032daa914f354", "event_fingerprint": "40ac2e001fc92fc4c26729171b1b914e26c42c6a", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "2dea5f3383fd8694e14eaf8b920fd9fc" }, "target_context": { "dst_port": 8000, "service": "sap-icm" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "Type \u00ab sap_web_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bf38f3f5ee1135c0e18cfda336cd76669075723a", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_sap_web_probe", "sap_icm_emulated", "sap_icm_payload" ] }
06/06/2026 15:50:46 UTC	TCP	8081	http	Scanner web	Élevée	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8081 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8081, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 16, "tag_count": 5, "anomaly_count": 1, "campaign_key": "2d9c80e944c07b9cba1f72a339b05c14ab8199a8", "event_fingerprint": "232c358527f57073b8ce3ac2952e07107acffec0", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8081, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "803224c64a3758a5d24e4132e5575cd1cb31329d", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 72 }
06/06/2026 15:11:10 UTC	TCP	5000	http	Scanner web	Élevée	Faible · 15
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 5000 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "protocol_emulated": true, "emulator_response": "485454502f312e3120323030204f4b0d0a5365727665723a205765726b7a6575672f332e302e3120507974686f6e2f332e31320d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a2035380d0a0d0a3c21646f63747970652068746d6c3e3c7469746c653e466c61736b3c", "emulator_response_len": 158, "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 5000, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 3.5, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 30 }, "risk_score": 15, "tag_count": 6, "anomaly_count": 1, "campaign_key": "2c9e6de3d0ef08c3b213ac439c060c62edec0f6a", "event_fingerprint": "2bc1c2cda4344dbe8adb234d705fd0cba69a3120", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 5000, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e5739bfbd50fc03753aa5960ee7c009157165e64", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "net_web_probe", "scanner-ua" ] }
06/06/2026 14:18:11 UTC	TCP	8801	http	Scanner web	Élevée	Faible · 18
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8801 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "registered", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 8801, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 6.2, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 18, "tag_count": 5, "anomaly_count": 1, "campaign_key": "12a59529462aaef8b9a32b31441476aba2edd604", "event_fingerprint": "ed58fc0ca64b05d9728517d553a89cfb9855518b", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 8801, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6c50d674c7bfefff30c39d0f7744e16e8d53c1bf", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }
06/06/2026 13:30:48 UTC	TCP	81	http	Scanner web	Élevée	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua http_missing_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 81 Chemin / cible / Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.68.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.68.0 Connection: close Meta JSON brut { "http_header_count": 2, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "bc1bc2956e51c5b9c9f7c213c207ff9a36c04117", "http_host_hash": null, "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 62, "payload_entropy": 4.732027963438207, "port_category": "well_known", "org": "LLC Vash Kredit Bank", "service": "http", "app_proto": "http", "asn": 209630, "country": "AE", "dst_port": 81, "risk_waf": 32, "risk_classification": 42, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 4.8, "risk_breakdown": { "waf": 32, "classification": 42, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 16, "tag_count": 5, "anomaly_count": 1, "campaign_key": "8e66c7dcfef475b3eba3e75bc1c8db47cdd1e617", "event_fingerprint": "93b99149c88203d13851e75b2e5467efcd0111cb", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "AE", "asn": 209630, "org": "LLC Vash Kredit Bank", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c2d945f9e2ebe73a50cc502e17a53fdc", "payload_hash": "ac7f8a04638b9d43b6172e3bf0e60155", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 81, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.68.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.68.0\r\nConnection: close", "classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "disclosed_scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "768be7662a7ce8ab0d1f4390995207a32fc4935c", "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "http_missing_host", "http_ua_suspicious", "scanner-ua" ] }

151.243.11.35

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap 24h

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence