Renseignement sur les menaces

R.A.S. chinoise de Hong Kong

152.32.128.85

FAI UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED Première vue 01/01/2026 14:59 UTC Dernière vue 20/06/2026 13:27 UTC Risque Critique

Période analysée : 2026-05-21 → 2026-06-20

Activité suspecte · risque 40/100

Base IP Signaler JSON CSV Pro STIX 2.1 · JSON SOC ou contact

Réputation DNSBL WHOIS Ports

24h 7j 30j 90j

100

Critique · Risque max (7j) Critique

Synthèse exécutive

Profil de menace

Score de risque 100/100 Critique

Première observation 01/01/2026 14:59 UTC

Dernière observation 20/06/2026 13:27 UTC

Événements (période) 236

MITRE ATT&CK principal T1595 78 occurrences

Activité suspecte · risque 40/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « web_probe » (signaux protocolaires) · confiance 95%

Confiance 95 % — Score WAF 8

Comparaison ASN / FAI

ASN 135377 · 152.32.128.0/24 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 236 événements sur la période pour cette IP.

165.154.65.185 Sonde RDP 20/06/2026 19:38 UTC
104.218.164.229 Sonde RDP 20/06/2026 19:37 UTC
103.218.240.78 Sonde RDP 20/06/2026 19:32 UTC
152.32.215.252 Sonde RDP 20/06/2026 19:26 UTC
152.32.129.136 Sonde RDP 20/06/2026 19:23 UTC
118.193.33.130 Tentative d'exploit 20/06/2026 19:08 UTC
152.32.225.108 Sonde port 20/06/2026 19:07 UTC
152.32.173.15 Tentative d'exploit 20/06/2026 19:07 UTC

Événements (filtres)

236

Première observation

01/01/2026 14:59 UTC

Dernière observation

20/06/2026 13:27 UTC

Dernière activité (filtres)

20/06/2026 13:27 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

HTTP TCP 165 TLS TCP 37

HTTP

165

TLS

Géolocalisation

Origine réseau déclarée

R.A.S. chinoise de Hong Kong unknown unknown

FAI / réseau

Opérateur et dernière activité ban

UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED 1157 Port 6508 exploit_attempt

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

Sonde HTTP · via HTTP:6508 · (sonde / probe) · → /sitemap.xml

Détails protocole

Méthode: GET
Chemin: /sitemap.xml
User-Agent: Go-http-client/1.1

Aperçu payload

GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:6508 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close

Port / service

6508 · HTTP

Service émulé

HTTP

Raison confiance

Confiance 95 % — Motif catalogue confirmé

Technique MITRE

T1595

Persona capteur

mail.sensor-1.internal

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

Requête sitemap.xml Single Port Chemin bénin connu

Confiance

95%

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

236 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

236 événement(s) — page 3/5

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
08/06/2026 15:35:46 UTC	TCP	10230 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:10230 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10230 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:10230 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "0bdfa09ae8bb59e3f0a2232d2abdae33313a8348", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.949590372843851, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 10230, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "be7a26cb75fb191618c28e9664c52a4b036fa82e", "event_fingerprint": "02c82964741baebb6adeee65a33355b18ec330a3", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "0a989fc3451b73686b7a165b6b3a3f67", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 10230, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8714f23ed0aeb5781fd6ab71c83ce592f1185755", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10230, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:10230 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "10230 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10230, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10230, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:10230 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "10230 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10230" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
08/06/2026 15:35:46 UTC	TCP	10230 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:10230 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10230 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:10230 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "0bdfa09ae8bb59e3f0a2232d2abdae33313a8348", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.89058838469889, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 10230, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "be7a26cb75fb191618c28e9664c52a4b036fa82e", "event_fingerprint": "54938d1fca68a737b4212ee64ab57a86c6f21142", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "b46400a609e703c97b17f4365fd2eddc", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 10230, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "606b3911b8d533774bf9e4d5d33ad481752fc8e4", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10230, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:10230 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "10230 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10230, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10230, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:10230 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "10230 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10230" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
08/06/2026 15:35:45 UTC	TCP	10230 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:10230 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/558.52 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10230 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 43 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/558.52 (KHTML, like Gecko) Chrome/92.0.2472 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10230 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/558.52 (KHTML, like Gecko) Chrom Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:10230 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/558.52 (KHTML, like Gecko) Chrome/92.0.2472 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "188e10090b8b1c1903c1b3e3f2c7423643617f1a", "http_host_hash": "0bdfa09ae8bb59e3f0a2232d2abdae33313a8348", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.439893958403759, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 10230, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 43, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e8a6798866f6959511658cb24cfeebad2313d049", "event_fingerprint": "90d5cc6e36254eaa9b31fcf3c3b377aad890f539", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "80c5d95144614a1076f44b9e9803c6d2", "payload_hash": "caf375fadd33b87a7f8e72fe255080b7", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 10230, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrom", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrome\/92.0.2472 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrome\/92.0.2472 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrom", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrome\/92.0.2472 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrome\/92.0.2472 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrom", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "119517cd63ac1a05e8c15c4b61f152109a1fbf01", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrome\/92.0.2472 Safari\/537.36", "port": 10230, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrom", "attack_vector": "exploit attempt \u00b7 via HTTP:10230 \u00b7 (tentative d'exploit)", "target_port_label": "10230 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10230, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrome\/92.0.2472 Safari\/537.36", "port": 10230, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:10230 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/558.52 (KHTML, like Gecko) Chrom", "target_port_label": "10230 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10230" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
08/06/2026 15:35:45 UTC	TCP	10230 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:10230 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 10230 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:10230 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "0bdfa09ae8bb59e3f0a2232d2abdae33313a8348", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.906332399825557, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 10230, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "be7a26cb75fb191618c28e9664c52a4b036fa82e", "event_fingerprint": "d276975a71b74520f2bc59b55dc21abefc3ea955", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "196dbedd22e4bd67c10a920f7c15fe96", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 10230, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "697e7f91c0d16f249b0275943dd8cff372e764d8", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10230, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:10230 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "10230 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 10230, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 10230, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:10230 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:10230\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "10230 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "10230" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
08/06/2026 10:57:04 UTC	TCP	11036 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:11036 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11036 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:11036 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "fed34dd572c509f26a78d2d48339196a76423599", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.897314706693851, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 11036, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "7f0cfcaf17c49ca258d2013412b6a6aee238ade5", "event_fingerprint": "bfca79a1f2184e3624bba6df99d1f3b10afebb39", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "002885be220c9298e5f1bdce8e33034f", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 11036, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2fe319d4087d6b7e390e0e4262846c383514273c", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 11036, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:11036 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "11036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 11036, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 11036, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:11036 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "11036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "11036" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
08/06/2026 10:57:04 UTC	TCP	11036 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:11036 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11036 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:11036 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "fed34dd572c509f26a78d2d48339196a76423599", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.940572679712145, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 11036, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "7f0cfcaf17c49ca258d2013412b6a6aee238ade5", "event_fingerprint": "b88e01d090c5d022870cf609743d103916a8f2e9", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "8e2d1776c95b84605795123c6e52cc89", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 11036, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a895892b4be5ce970619b033a8e7dfdd1ad0d228", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 11036, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:11036 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "11036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 11036, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 11036, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:11036 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "11036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "11036" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
08/06/2026 10:57:04 UTC	TCP	11036 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:11036 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11036 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:11036 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "fed34dd572c509f26a78d2d48339196a76423599", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.881499122574074, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 11036, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "7f0cfcaf17c49ca258d2013412b6a6aee238ade5", "event_fingerprint": "184107898332a6bf44c0eb806ff925bb6a1ac4b1", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "5e89c4a10d22fcb1577ad0957587b230", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 11036, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "292ef191c01026a571c7d2369369981bc120f3a6", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 11036, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:11036 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "11036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 11036, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 11036, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:11036 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "11036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "11036" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
08/06/2026 10:57:03 UTC	TCP	11036 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:11036 · (tentative d'exploit)	Élevée	Moyen · 43
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/568.39 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 11036 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 43 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/568.39 (KHTML, like Gecko) Chrome/74.0.1805 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:11036 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/568.39 (KHTML, like Gecko) Chrom Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:11036 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/568.39 (KHTML, like Gecko) Chrome/74.0.1805 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "cc3f531ed6446155ff014f3676caf2248a702bcd", "http_host_hash": "fed34dd572c509f26a78d2d48339196a76423599", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 199, "payload_entropy": 5.424626087035335, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 11036, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 43, "tag_count": 3, "anomaly_count": 0, "campaign_key": "89211e7ffc71e59ebc2df4ac5585449db0d49d24", "event_fingerprint": "4f9c7e8d756588a04431d6858826eb0796976e63", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "99cbd3c3ff605d9275a6d59312b2bbbc", "payload_hash": "1d7e6c1fe3a47f78263335d47e68e656", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 11036, "service": "http", "service_name": "http", "risk_score": 43 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrom", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrome\/74.0.1805 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrome\/74.0.1805 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrom", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrome\/74.0.1805 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrome\/74.0.1805 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrom", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f2d0604a7c5820d5feaab73759eb21ed1dd2ec83", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrome\/74.0.1805 Safari\/537.36", "port": 11036, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrom", "attack_vector": "exploit attempt \u00b7 via HTTP:11036 \u00b7 (tentative d'exploit)", "target_port_label": "11036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 43\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 43 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 43, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 11036, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrome\/74.0.1805 Safari\/537.36", "port": 11036, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:11036 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:11036\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/568.39 (KHTML, like Gecko) Chrom", "target_port_label": "11036 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "11036" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
08/06/2026 06:53:23 UTC	TCP	23798 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:23798 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 23798 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:23798 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "cc772c9871c2022b4b9f27e87397df9af2ea0d1c", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.972194824838158, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 23798, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "72e4243d253a79fa5fb31844c2283694a4b601a5", "event_fingerprint": "f2b75d029c3a0779d3a25a63eaf680da4d4a08aa", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "1217ded6af77981b1d00ca80edb52f50", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 23798, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e2e5a95d0d53b52743031579ae1152dd879278b8", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 23798, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:23798 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "23798 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 23798, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 23798, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:23798 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "23798 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "23798" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
08/06/2026 06:53:23 UTC	TCP	23798 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:23798 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 23798 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:23798 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "cc772c9871c2022b4b9f27e87397df9af2ea0d1c", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.95697352737032, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 23798, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "72e4243d253a79fa5fb31844c2283694a4b601a5", "event_fingerprint": "634e2b6ad5c6f3242cc674e321fcc9d33499094b", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "f475374b5af582737fd2ed66d64a8eba", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 23798, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6a215f77e54c36dbbeaaed40b87828265f44ccdc", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 23798, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:23798 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "23798 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 23798, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 23798, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:23798 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "23798 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "23798" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
08/06/2026 06:53:23 UTC	TCP	23798 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:23798 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 23798 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:23798 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "cc772c9871c2022b4b9f27e87397df9af2ea0d1c", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 5.015452797856451, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 23798, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "72e4243d253a79fa5fb31844c2283694a4b601a5", "event_fingerprint": "daf3f4925e7f82ab60b57de8bcf240ee3fe36270", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "111c4ed3495c46f6d742d2e4b5f0bcc3", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 23798, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af2721f2408c8a3ab429bb84b49ebeef60d5ea04", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 23798, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:23798 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "23798 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 23798, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 23798, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:23798 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "23798 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "23798" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
08/06/2026 06:53:22 UTC	TCP	23798 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:23798 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit/561.43 … Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 23798 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit/561.43 (KHTML, like Gecko) Chrome/104.0.2588 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:23798 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit/561.43 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:23798 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit/561.43 (KHTML, like Gecko) Chrome/104.0.2588 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "9f529ff7ae27f4548c7025cc6adf8746c9a11ed4", "http_host_hash": "cc772c9871c2022b4b9f27e87397df9af2ea0d1c", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.404896852234066, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 23798, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "5d15f67987158bb0ad7068523ca6a268b0f4a1ac", "event_fingerprint": "535df57a3c135329e1fb65c6ab13f8d38559226c", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "61b778b7abf7194add638b4ef9808be3", "payload_hash": "3180f88520fc4fc01aa544c03cc2bd77", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 23798, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like ", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like Gecko) Chrome\/104.0.2588 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like Gecko) Chrome\/104.0.2588 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like Gecko) Chrome\/104.0.2588 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like Gecko) Chrome\/104.0.2588 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c193b09ddde02ccd5352f9122322d38f567f6f49", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like Gecko) Chrome\/104.0.2588 Safari\/537.36", "port": 23798, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:23798 \u00b7 (tentative d'exploit)", "target_port_label": "23798 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 23798, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like Gecko) Chrome\/104.0.2588 Safari\/537.36", "port": 23798, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:23798 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:23798\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0) AppleWebKit\/561.43 (KHTML, like", "target_port_label": "23798 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "23798" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
08/06/2026 02:06:58 UTC	TCP	1043 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1043 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1043 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:1043 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "016a138c12e92e72cccbba909ddd4aee1ba780b7", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.959739523763947, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1043, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a6d94a3ae441340e2d8d1ac8aaa252ac5544e57a", "event_fingerprint": "75a98020d6b3726506359d8a2cb10ac50f359c67", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "944edf22f5ccd8d7cc8076992d34f50a", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 1043, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "99e0b018050a4da2689e914755f034130ba485da", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1043, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1043 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "1043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1043, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1043, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1043 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1043" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
08/06/2026 02:06:58 UTC	TCP	1043 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1043 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1043 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:1043 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "016a138c12e92e72cccbba909ddd4aee1ba780b7", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.90043831356796, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1043, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a6d94a3ae441340e2d8d1ac8aaa252ac5544e57a", "event_fingerprint": "da103041cb02dd0137b8007ad0b42cdb79e724f6", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "54563f502831633d4a178f86ab775b59", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 1043, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4bd04ffd65612ebcd1c3ec8b38dc70d31ebc91b4", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1043, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1043 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "1043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1043, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1043, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1043 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1043" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
08/06/2026 02:06:57 UTC	TCP	1043 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:1043 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit/538.3… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1043 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit/538.39 (KHTML, like Gecko) Chrome/52.0.1912 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1043 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit/538.39 (KHTML, like Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:1043 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit/538.39 (KHTML, like Gecko) Chrome/52.0.1912 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "81eec3fe0b55745006ecd0993e6aeedad5259bad", "http_host_hash": "016a138c12e92e72cccbba909ddd4aee1ba780b7", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 212, "payload_entropy": 5.393347885178845, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1043, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.2, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "55382c5d2387f2b3ee07b640deb38ae37c5ccaf1", "event_fingerprint": "56aab12b6e2d2062d1ffe09da1011d18115c6fe0", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "9aa3700f3a4604db130b8f8b5ab8d0cc", "payload_hash": "047283fab73c51bb0c58635ced0958c0", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 1043, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like Gecko) Chrome\/52.0.1912 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like Gecko) Chrome\/52.0.1912 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like Gecko) Chrome\/52.0.1912 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like Gecko) Chrome\/52.0.1912 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2e44a27c421cd8195a4948156a9a13b2665baacb", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like Gecko) Chrome\/52.0.1912 Safari\/537.36", "port": 1043, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like", "attack_vector": "exploit attempt \u00b7 via HTTP:1043 \u00b7 (tentative d'exploit)", "target_port_label": "1043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1043, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like Gecko) Chrome\/52.0.1912 Safari\/537.36", "port": 1043, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:1043 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_0_2) AppleWebKit\/538.39 (KHTML, like", "target_port_label": "1043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1043" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 72 }
08/06/2026 02:06:57 UTC	TCP	1043 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:1043 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 1043 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:1043 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "016a138c12e92e72cccbba909ddd4aee1ba780b7", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.916138233499475, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 1043, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a6d94a3ae441340e2d8d1ac8aaa252ac5544e57a", "event_fingerprint": "36823330471663fdd5d1878352baafc5c69915df", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "3f4c456b523a8ed072ddcf747bce3149", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 1043, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "542ba1af9ab062739b4f8d5f38fe82ed72d2c35a", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1043, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:1043 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "1043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 1043, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 1043, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:1043 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:1043\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "1043 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "1043" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 84 }
08/06/2026 01:43:27 UTC	TCP	30400 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:30400 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 9460af62ae0af667 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 30400 Chemin / cible — Service TLS Payload ��@K1��B�{�r��/��H��mg�� , ��m��f�ru��o^�؟&��E�8�vV�9&�+�/�,�0̨̩� �� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��@K1��B�{�r��/��H��mg�� , ��m��f�ru��o^�؟&��E�8�vV�9&�+�/�,�0̨̩� �� /5� � Requête brute (extrait) ��@K1��B�{�r��/��H��mg�� , ��m��f�ru��o^�؟&��E�8�vV�9&�+�/�,�0̨̩� �� /5� � + 3&$ ��z'��kWgɋ&�ۣã"!��`o/ �n Meta JSON brut { "tls_ja3_hash": "9460af62ae0af667130bf0d36514f084", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 247, "payload_entropy": 5.77361701259315, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "HK", "dst_port": 30400, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.2, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c971806b556c34fb6905d6e5e4e08706fa069785", "event_fingerprint": "3b861b8bca710034ebc0cbedb51f5e24e4f2ce56", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "9460af62ae0af667130bf0d36514f084", "payload_hash": "de7280613e099b2efd7bb4fa6fb7093d", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "9d78dfefabcee3ee16297d72e4cafc86", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0", "tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86", "tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 30400, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd@K1\ufffd\ufffdB\ufffd{\ufffdr\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005\ufffdH\ufffd\ufffdmg\ufffd\ufffd ,\n\ufffd\u000f\ufffd\ufffdm\ufffd\ufffdf\ufffdru\ufffd\ufffd\ufffdo^\ufffd\u061f&\ufffd\ufffdE\ufffd8\ufffdvV\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd@K1\ufffd\ufffdB\ufffd{\ufffdr\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005\ufffdH\ufffd\ufffdmg\ufffd\ufffd ,\n\ufffd\u000f\ufffd\ufffdm\ufffd\ufffdf\ufffdru\ufffd\ufffd\ufffdo^\ufffd\u061f&\ufffd\ufffdE\ufffd8\ufffdvV\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\u001a\ufffdz'\ufffd\ufffdkWg\u0000\u024b&\ufffd\u06e3\u00e3\"!\ufffd\ufffd`o\/\n\ufffdn", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd@K1\ufffd\ufffdB\ufffd{\ufffdr\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005\ufffdH\ufffd\ufffdmg\ufffd\ufffd ,\n\ufffd\u000f\ufffd\ufffdm\ufffd\ufffdf\ufffdru\ufffd\ufffd\ufffdo^\ufffd\u061f&\ufffd\ufffdE\ufffd8\ufffdvV\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4c9ee317f52751973cdfacee6c68694397426f78", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd@K1\ufffd\ufffdB\ufffd{\ufffdr\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005\ufffdH\ufffd\ufffdmg\ufffd\ufffd ,\n\ufffd\u000f\ufffd\ufffdm\ufffd\ufffdf\ufffdru\ufffd\ufffd\ufffdo^\ufffd\u061f&\ufffd\ufffdE\ufffd8\ufffdvV\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 30400, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffd\ufffd@K1\ufffd\ufffdB\ufffd{\ufffdr\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffdmg\ufffd\ufffd ,\n\ufffd\ufffd\ufffdm\ufffd\ufffdf\ufffdru\ufffd\ufffd\ufffdo^\ufffd\u061f&\ufffd\ufffdE\ufffd8\ufffdvV\ufffd9&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:30400 \u00b7 (sonde \/ probe)", "target_port_label": "30400 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 30400, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd@K1\ufffd\ufffdB\ufffd{\ufffdr\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0005\ufffdH\ufffd\ufffdmg\ufffd\ufffd ,\n\ufffd\u000f\ufffd\ufffdm\ufffd\ufffdf\ufffdru\ufffd\ufffd\ufffdo^\ufffd\u061f&\ufffd\ufffdE\ufffd8\ufffdvV\ufffd9\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 30400, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:30400 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffd\ufffd@K1\ufffd\ufffdB\ufffd{\ufffdr\ufffd\ufffd\ufffd\/\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdH\ufffd\ufffdmg\ufffd\ufffd ,\n\ufffd\ufffd\ufffdm\ufffd\ufffdf\ufffdru\ufffd\ufffd\ufffdo^\ufffd\u061f&\ufffd\ufffdE\ufffd8\ufffdvV\ufffd9&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "30400 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "30400" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:30400", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
08/06/2026 01:43:27 UTC	TCP	30400	—	Sonde port Sonde port · port 30400 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 30400 Chemin / cible — Payload t3 12.1.2 AS:2048 HL:19 Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.1.2 AS:2048 HL:19 Meta JSON brut { "bytes_in": 25, "payload_entropy": 3.7834651896016456, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "HK", "dst_port": 30400, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "7be7be54c46378f0ece65b0d9e232ddecf18fc00", "event_fingerprint": "57e39f10c01eaab0962f23d86942ed05c252292f", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 30400, "risk_score": 44 }, "payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n", "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "evidence": { "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d4641a6398f60f78e2084acfc32d6b6167caf1fa", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 30400 }, "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "attack_vector": "Sonde port \u00b7 port 30400 \u00b7 (sonde \/ probe)", "target_port_label": "30400", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 30400, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 30400 }, "attack_vector": "Sonde port \u00b7 port 30400 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "target_port_label": "30400", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "30400" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:30400", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
08/06/2026 01:43:26 UTC	TCP	30400 · HTTP	http	Sonde port 30400/TCP port 30400 tcp · via HTTP:30400 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.29.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua botnet_http_ua_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 30400 Chemin / cible / Preuve honeypot — Sonde port 30400/TCP Connexion détectée sur le port 30400 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_30400_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.29.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 62.3.50.33 Accept: / Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 74, "payload_entropy": 4.819344967782759, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 30400, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 1, "campaign_key": "7862af8b3b709ffd0734cf971452ecf574b74d71", "event_fingerprint": "8355a0308cc82edf26cc6ab022d7045471c861dd", "classification_reason": "Type \u00ab port_30400_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161", "payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 30400, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "classification_reason": "Type \u00ab port_30400_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f70ec57244e96cc53067a9e47fad7f66e034d1ac", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 30400, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "attack_vector": "port 30400 tcp \u00b7 via HTTP:30400 \u00b7 (sonde \/ probe)", "target_port_label": "30400 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_30400_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_30400_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 30400, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 30400, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 30400 tcp \u00b7 via HTTP:30400 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "target_port_label": "30400 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "30400" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:30400" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "botnet_http_ua_host", "http_ua_suspicious", "scanner-ua" ] }
08/06/2026 01:43:19 UTC	TCP	30400	—	Sonde port Sonde port · port 30400 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 30400 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "HK", "dst_port": 30400, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.2, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "7be7be54c46378f0ece65b0d9e232ddecf18fc00", "event_fingerprint": "57e39f10c01eaab0962f23d86942ed05c252292f", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 30400, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "373a33fc04a7ce06bf1436ba17d2eaa45d22ac17", "protocol_details": { "port": 30400 }, "attack_vector": "Sonde port \u00b7 port 30400 \u00b7 (sonde \/ probe)", "target_port_label": "30400", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 30400, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 30400 }, "attack_vector": "Sonde port \u00b7 port 30400 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "30400", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "30400" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
07/06/2026 20:46:18 UTC	TCP	18187 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:18187 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 9460af62ae0af667 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 18187 Chemin / cible — Service TLS Payload ��m_F�5veWh��_��=w�.�r1�� %��4��#by�v?v�^��z%�Z#��&�+�/�,�0̨̩� �� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��m_F�5veWh��_��=w�.�r1�� %��4��#by�v?v�^��z%�Z#��&�+�/�,�0̨̩� �� /5� � Requête brute (extrait) ��m_F�5veWh��_��=w�.�r1�� %��4��#by�v?v�^��z%�Z#��&�+�/�,�0̨̩� �� /5� � + 3&$ wZ��\qFn��^V�� }��0�< Meta JSON brut { "tls_ja3_hash": "9460af62ae0af667130bf0d36514f084", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 247, "payload_entropy": 5.69231759796621, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "HK", "dst_port": 18187, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 4.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "b462791f08e4a655924dcd817670f3c0c3db0b09", "event_fingerprint": "78fec3afb116b954e9fe5a991a6042794f2ac99c", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "9460af62ae0af667130bf0d36514f084", "payload_hash": "0954384643f060b60821f9e7a11673b5", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "9d78dfefabcee3ee16297d72e4cafc86", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0", "tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86", "tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 18187, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m_F\ufffd5\u0005veWh\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd=\u0006w\ufffd.\ufffdr1\u0019\ufffd\ufffd\ufffd\u0010 \ufffd\t%\ufffd\ufffd\u00004\ufffd\ufffd#\u000eby\ufffdv?v\ufffd^\u0011\ufffd\ufffd\ufffdz%\ufffdZ#\ufffd\ufffd\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m_F\ufffd5\u0005veWh\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd=\u0006w\ufffd.\ufffdr1\u0019\ufffd\ufffd\ufffd\u0010 \ufffd\t%\ufffd\ufffd\u00004\ufffd\ufffd#\u000eby\ufffdv?v\ufffd^\u0011\ufffd\ufffd\ufffdz%\ufffdZ#\ufffd\ufffd\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 wZ\ufffd\ufffd\\\u0000q\u0013Fn\ufffd\ufffd\u0018\ufffd\ufffd\u0013\ufffd^V\ufffd\ufffd\t\ufffd\ufffd}\ufffd\ufffd\ufffd0\ufffd<", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m_F\ufffd5\u0005veWh\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd=\u0006w\ufffd.\ufffdr1\u0019\ufffd\ufffd\ufffd\u0010 \ufffd\t%\ufffd\ufffd\u00004\ufffd\ufffd#\u000eby\ufffdv?v\ufffd^\u0011\ufffd\ufffd\ufffdz%\ufffdZ#\ufffd\ufffd\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "00ef02e06705063ed341752289aea15d5a3374b3", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m_F\ufffd5\u0005veWh\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd=\u0006w\ufffd.\ufffdr1\u0019\ufffd\ufffd\ufffd\u0010 \ufffd\t%\ufffd\ufffd\u00004\ufffd\ufffd#\u000eby\ufffdv?v\ufffd^\u0011\ufffd\ufffd\ufffdz%\ufffdZ#\ufffd\ufffd\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 18187, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdm_F\ufffd5veWh\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd=w\ufffd.\ufffdr1\ufffd\ufffd\ufffd \ufffd\t%\ufffd\ufffd4\ufffd\ufffd#by\ufffdv?v\ufffd^\ufffd\ufffd\ufffdz%\ufffdZ#\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:18187 \u00b7 (sonde \/ probe)", "target_port_label": "18187 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 18187, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003m_F\ufffd5\u0005veWh\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd=\u0006w\ufffd.\ufffdr1\u0019\ufffd\ufffd\ufffd\u0010 \ufffd\t%\ufffd\ufffd\u00004\ufffd\ufffd#\u000eby\ufffdv?v\ufffd^\u0011\ufffd\ufffd\ufffdz%\ufffdZ#\ufffd\ufffd\u001f\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 18187, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:18187 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdm_F\ufffd5veWh\ufffd\ufffd\ufffd_\ufffd\ufffd\ufffd\ufffd=w\ufffd.\ufffdr1\ufffd\ufffd\ufffd \ufffd\t%\ufffd\ufffd4\ufffd\ufffd#by\ufffdv?v\ufffd^\ufffd\ufffd\ufffdz%\ufffdZ#\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "18187 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "meta_truncated": true, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "18187" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:18187", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
07/06/2026 20:46:18 UTC	TCP	18187	—	Sonde port Sonde port · port 18187 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 18187 Chemin / cible — Payload t3 12.1.2 AS:2048 HL:19 Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.1.2 AS:2048 HL:19 Meta JSON brut { "bytes_in": 25, "payload_entropy": 3.7834651896016456, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "HK", "dst_port": 18187, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "209f9cd021143533c6e47bcb3db7d77d8901c8bf", "event_fingerprint": "cfbdae362d9f8647e08104bdaed57a80c1de9a91", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 18187, "risk_score": 44 }, "payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n", "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "evidence": { "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9afa387801d2c0f5155eb6756c983fa04774cb1d", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 18187 }, "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "attack_vector": "Sonde port \u00b7 port 18187 \u00b7 (sonde \/ probe)", "target_port_label": "18187", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 18187, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 18187 }, "attack_vector": "Sonde port \u00b7 port 18187 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "target_port_label": "18187", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "18187" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:18187", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
07/06/2026 20:46:17 UTC	TCP	18187 · HTTP	http	Sonde port 18187/TCP port 18187 tcp · via HTTP:18187 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.29.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua botnet_http_ua_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 18187 Chemin / cible / Preuve honeypot — Sonde port 18187/TCP Connexion détectée sur le port 18187 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_18187_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.29.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 62.3.50.33 Accept: / Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 74, "payload_entropy": 4.819344967782759, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 18187, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 5.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 1, "campaign_key": "d1747637624a6628c62718bec8c5b9a25fc4a7c7", "event_fingerprint": "89fd9d224cc9ee5178a3527902c96819a763085d", "classification_reason": "Type \u00ab port_18187_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161", "payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 18187, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "classification_reason": "Type \u00ab port_18187_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e5015271bc722ebf51c8c22b595ef1caab0d0fbd", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 18187, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "attack_vector": "port 18187 tcp \u00b7 via HTTP:18187 \u00b7 (sonde \/ probe)", "target_port_label": "18187 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_18187_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_18187_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 18187, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 18187, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 18187 tcp \u00b7 via HTTP:18187 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "target_port_label": "18187 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "18187" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:18187" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "botnet_http_ua_host", "http_ua_suspicious", "scanner-ua" ] }
07/06/2026 20:46:11 UTC	TCP	18187	—	Sonde port Sonde port · port 18187 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 18187 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Fp Port Probe Noise Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "HK", "dst_port": 18187, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "209f9cd021143533c6e47bcb3db7d77d8901c8bf", "event_fingerprint": "cfbdae362d9f8647e08104bdaed57a80c1de9a91", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-FP-port-probe-noise", "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 18187, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "71d3bce077a3ebeb76da261eb81e1deced439080", "protocol_details": { "port": 18187 }, "attack_vector": "Sonde port \u00b7 port 18187 \u00b7 (sonde \/ probe)", "target_port_label": "18187", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 18187, "protocol_emulated": null, "tags_summary": [ "INT-FP-port-probe-noise", "INT-single-port" ], "tags_summary_labels_fr": [ "Fp Port Probe Noise", "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 18187 }, "attack_vector": "Sonde port \u00b7 port 18187 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "18187", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "18187" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
07/06/2026 19:49:43 UTC	TCP	2342 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:2342 · (sonde / probe) · → /sitemap.xml	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /sitemap.xml UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2342 Chemin / cible /sitemap.xml Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête sitemap.xml Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:2342 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "e4125b27c8557ae36964d834e22b7ebd29d3f295", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.966523277512148, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2342, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "5a3295f73834e494ee11f404c61cf663125cc3c7", "event_fingerprint": "07c5fe7f3a686e997635c664a103cac018dffa25", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 92, "precision_signals": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "f1faa392b83d93a14ba9f92825dc676b", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 2342, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "68aa0df22e8cc5d438f9b8f55601365dfdc4a160", "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2342, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:2342 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "target_port_label": "2342 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2342, "protocol_emulated": null, "tags_summary": [ "INT-benign-sitemap", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate sitemap.xml", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/sitemap.xml", "request_line": "GET \/sitemap.xml HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2342, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:2342 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/sitemap.xml", "evidence_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "2342 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2342" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
07/06/2026 19:49:43 UTC	TCP	2342 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:2342 · (sonde / probe) · → /robots.txt	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /robots.txt UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2342 Chemin / cible /robots.txt Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête robots.txt Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:2342 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "e4125b27c8557ae36964d834e22b7ebd29d3f295", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.907276337346148, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2342, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "5a3295f73834e494ee11f404c61cf663125cc3c7", "event_fingerprint": "43f7bd67891b437884b7eee31a27473528f8077b", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "1233dbcdd865b908092763372b488045", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 2342, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b26ef141c6a560d5de82270fb6bbfd3b02ccb756", "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2342, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:2342 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "target_port_label": "2342 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2342, "protocol_emulated": null, "tags_summary": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate robots.txt", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/robots.txt", "request_line": "GET \/robots.txt HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2342, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:2342 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/robots.txt", "evidence_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "2342 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2342" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
07/06/2026 19:49:42 UTC	TCP	2342 · HTTP	http	Tentative d'exploit exploit attempt · via HTTP:2342 · (tentative d'exploit)	Élevée	Moyen · 46
Étape Tentative d'exploit Chaîne Exploitation Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0001 TA0001 TA0002 Protocole GET / UA Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/566.54 (KHTML, like… Émulateur HTTP WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2342 Chemin / cible / Service HTTP Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Risque capteur Moyen · 46 Confiance : Confiance 62 % — 3 tag(s) WAF Signaux MITRE-T1190 Technique MITRE TA0001 Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/566.54 (KHTML, like Gecko) Chrome/86.0.263 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2342 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/566.54 (KHTML, like Gecko) Chrome Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2342 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/566.54 (KHTML, like Gecko) Chrome/86.0.263 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "e19ace3a2505543199fb6ab3378e27fb48ae9901", "http_host_hash": "e4125b27c8557ae36964d834e22b7ebd29d3f295", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 197, "payload_entropy": 5.407982297947986, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2342, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.8, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 46, "tag_count": 3, "anomaly_count": 0, "campaign_key": "cf692c4e7ebba82e6ef137e750dba35ad144b480", "event_fingerprint": "d973324371d919327036f4ac1eb2229120479bec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ba0e26a0938d70d1fb2cf29bd30a2227", "payload_hash": "a378ccad5a3c25e6258ed112787e781d", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2342, "service": "http", "service_name": "http", "risk_score": 46 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome\/86.0.263 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome\/86.0.263 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome\/86.0.263 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome\/86.0.263 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "mitre": "TA0001", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ac6a8f4bfde7303f91b8545277fd2c337826032d", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome\/86.0.263 Safari\/537.36", "port": 2342, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome", "attack_vector": "exploit attempt \u00b7 via HTTP:2342 \u00b7 (tentative d'exploit)", "target_port_label": "2342 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "classification_reason_label_fr": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 46\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 62 % \u2014 via HTTP", "confidence_pct": 62, "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 46 }, "attack_stage": "exploit_attempt", "attack_stage_label": "Tentative d'exploit", "attack_chain_stage": "exploitation", "attack_chain_stage_label_fr": "Exploitation", "risk_score": 46, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2342, "protocol_emulated": null, "tags_summary": [ "MITRE-T1190" ], "tags_summary_labels_fr": [ "MITRE-T1190" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0001", "mitre_technique": "TA0001", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome\/86.0.263 Safari\/537.36", "port": 2342, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "exploit attempt \u00b7 via HTTP:2342 \u00b7 (tentative d'exploit)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/566.54 (KHTML, like Gecko) Chrome", "target_port_label": "2342 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 62 % \u2014 3 tag(s) WAF", "confidence_factors_fr": "Confiance 62 % \u2014 Score WAF 72 \u00b7 3 tag(s) WAF", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": false, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": true, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "exploitation", "label_fr": "Exploitation", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2342" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploitation", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
07/06/2026 19:49:42 UTC	TCP	2342 · HTTP	http	Sonde HTTP Sonde HTTP · via HTTP:2342 · (sonde / probe) · → /favicon.ico	Moyenne	Moyen · 40
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE T1595 TA0007 TA0001 Protocole GET /favicon.ico UA Go-http-client/1.1 Émulateur HTTP WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2342 Chemin / cible /favicon.ico Service HTTP Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Risque capteur Moyen · 40 Confiance : Confiance 95 % — Motif catalogue confirmé Signaux Requête favicon.ico Single Port Chemin bénin connu Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:2342 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "e4125b27c8557ae36964d834e22b7ebd29d3f295", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.922921987247676, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2342, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3.1, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "5a3295f73834e494ee11f404c61cf663125cc3c7", "event_fingerprint": "c3b88577d76ed580cf149af681c9d5af49e6d6fb", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 94, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "20ae2443f768c76c8adcd2e10a59c4e4", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 2342, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "mitre": "T1595", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5252f39a678fc7e16fe90851145a423e2b03345a", "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2342, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "attack_vector": "Sonde HTTP \u00b7 via HTTP:2342 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "target_port_label": "2342 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "classification_reason_label_fr": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 40\/100", "confidence_pct": 95, "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 40, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 2342, "protocol_emulated": null, "tags_summary": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "tags_summary_labels_fr": [ "Requ\u00eate favicon.ico", "Single Port", "Chemin b\u00e9nin connu" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "T1595", "mitre_technique": "T1595", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": null, "protocol_details": { "http_method": "GET", "http_path": "\/favicon.ico", "request_line": "GET \/favicon.ico HTTP\/1.1", "http_user_agent": "Go-http-client\/1.1", "port": 2342, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "Sonde HTTP \u00b7 via HTTP:2342 \u00b7 (sonde \/ probe) \u00b7 \u2192 \/favicon.ico", "evidence_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2342\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "target_port_label": "2342 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 95 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 95 % \u2014 Score WAF 8", "campaign_hint_fr": null, "attack_phases_timeline_fr": [ { "key": "recon", "label_fr": "Reconnaissance", "active": false, "kind": "stage" }, { "key": "probe", "label_fr": "Sonde \/ probe", "active": true, "kind": "stage" }, { "key": "exploit_attempt", "label_fr": "Tentative d'exploit", "active": false, "kind": "stage" }, { "key": "post_exploit", "label_fr": "Post-exploitation", "active": false, "kind": "stage" }, { "key": "c2", "label_fr": "Commande & contr\u00f4le", "active": false, "kind": "stage" }, { "key": "discovery", "label_fr": "D\u00e9couverte", "active": true, "kind": "chain", "hint_fr": null } ] }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2342" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
07/06/2026 18:42:42 UTC	TCP	7411 · TLS	tls	Sonde PostgreSQL postgres probe · via TLS:7411 · (sonde / probe)	Élevée	Faible · 35
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole JA3 9460af62ae0af667 Émulateur TLS WAF — Recommandation Surveiller Tags tls_ja3 tls_no_sni tls_weak_cipher Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7411 Chemin / cible — Service TLS Payload ��F�n�I%y%�hg��Wd"GRE��/b��W$�2 �jL��Oﮆ�^�Ax ,"��t��ȶ�&�+�/�,�0̨̩� �� /5� � Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49% Confiance classification 57% Corrélation +8 Risque capteur Faible · 35 Confiance : Confiance 49 % — Motif catalogue confirmé Signaux pat-0369 Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL startup STUN binding Minecraft varint handshake SOCKS5 greeting SIP TLS ClientHello TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��F�n�I%y%�hg��Wd"GRE��/b��W$�2 �jL��Oﮆ�^�Ax ,"��t��ȶ�&�+�/�,�0̨̩� �� /5� � Requête brute (extrait) ��F�n�I%y%�hg��Wd"GRE��/b��W$�2 �jL��Oﮆ�^�Ax ,"��t��ȶ�&�+�/�,�0̨̩� �� /5� � + 3&$ ��KEi� ��1? ��[��~�S�s�F?$ Meta JSON brut { "tls_ja3_hash": "9460af62ae0af667130bf0d36514f084", "tls_sni": null, "tls_weak_cipher": true, "tls_weak_cipher_count": 4, "bytes_in": 247, "payload_entropy": 5.8527285555468715, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "tls", "app_proto": "tls", "asn": 135377, "country": "HK", "dst_port": 7411, "risk_waf": 8, "risk_classification": 32, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 43, "risk_novelty": 15, "risk_boost": 6, "risk_granularity": 1.4, "risk_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15 }, "risk_score": 35, "tag_count": 3, "anomaly_count": 0, "campaign_key": "e317b0904471c846bafbce48feba1f9417da247c", "event_fingerprint": "c48e7b24058c3fd88ca496e3c3fe70d164e671e5", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.57, "classification_confidence": 0.57, "precision_score": 58, "precision_signals": [ "pat-0369" ], "kb_rule_ids": [ "pat-0369" ], "matched_patterns": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "matched_pattern_names": [ "PostgreSQL startup", "STUN binding", "Minecraft varint handshake", "SOCKS5 greeting", "SIP TLS ClientHello", "TFTP RRQ" ], "pattern_ids": [ "pat-0369", "pat-0771", "pat-0554", "pat-0567", "pat-0578", "pat-0536" ], "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "named_classification_skipped": false, "service_name": "tls", "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "ja3": "9460af62ae0af667130bf0d36514f084", "payload_hash": "eef1d8ff1b5b8f4792efddb58b0bfad2", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5", "ja4": "9d78dfefabcee3ee16297d72e4cafc86", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner" }, "tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0", "tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86", "tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9", "tls_version": "0x0303", "tls_cipher_count": 19, "ja3_client_category": "nmap_scanner", "target_context": { "dst_port": 7411, "service": "tls", "service_name": "tls", "risk_score": 35 }, "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffdn\ufffdI%\u001ay%\ufffdhg\ufffd\ufffdWd\"GRE\ufffd\u0015\ufffd\/b\ufffd\ufffd\ufffdW$\ufffd2 \ufffdjL\ufffd\ufffdO\u000e\ufb86\ufffd^\ufffd\u0016A\u0019x\t,\"\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffd\ufffd\u0236\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "evidence": { "request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffdn\ufffdI%\u001ay%\ufffdhg\ufffd\ufffdWd\"GRE\ufffd\u0015\ufffd\/b\ufffd\ufffd\ufffdW$\ufffd2 \ufffdjL\ufffd\ufffdO\u000e\ufb86\ufffd^\ufffd\u0016A\u0019x\t,\"\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffd\ufffd\u0236\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffdKEi\ufffd\u0014\u000b\u0012\ufffd\ufffd\ufffd1?\t\ufffd\ufffd\ufffd[\ufffd\ufffd\ufffd\ufffd~\ufffdS\ufffds\ufffdF?$", "payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffdn\ufffdI%\u001ay%\ufffdhg\ufffd\ufffdWd\"GRE\ufffd\u0015\ufffd\/b\ufffd\ufffd\ufffdW$\ufffd2 \ufffdjL\ufffd\ufffdO\u000e\ufb86\ufffd^\ufffd\u0016A\u0019x\t,\"\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffd\ufffd\u0236\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "230cc9bb1734a3440af863f37318b92782eb7446", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffdn\ufffdI%\u001ay%\ufffdhg\ufffd\ufffdWd\"GRE\ufffd\u0015\ufffd\/b\ufffd\ufffd\ufffdW$\ufffd2 \ufffdjL\ufffd\ufffdO\u000e\ufb86\ufffd^\ufffd\u0016A\u0019x\t,\"\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffd\ufffd\u0236\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 7411, "service": "tls", "service_label_fr": "TLS" }, "evidence_snippet": "\ufffd\ufffdF\ufffdn\ufffdI%y%\ufffdhg\ufffd\ufffdWd\"GRE\ufffd\ufffd\/b\ufffd\ufffd\ufffdW$\ufffd2 \ufffdjL\ufffd\ufffdO\ufb86\ufffd^\ufffdAx\t,\"\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffd\ufffd\u0236\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "attack_vector": "postgres probe \u00b7 via TLS:7411 \u00b7 (sonde \/ probe)", "target_port_label": "7411 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "site_display": { "classification": null, "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 35\/100 (Faible) \u2014 MITRE TA0007 \u2014 confiance 57 % \u2014 via TLS \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 57, "confidence_breakdown": { "waf": 8, "classification": 32, "behavior": 0, "geo": 0, "protocol": 43, "novelty": 15, "risk_score": 35, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 35, "risk_label": "Faible", "service_name": "tls", "service_label_fr": "TLS", "dst_port": 7411, "protocol_emulated": null, "tags_summary": [ "pat-0369" ], "tags_summary_labels_fr": [ "pat-0369" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-tls", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003F\ufffdn\ufffdI%\u001ay%\ufffdhg\ufffd\ufffdWd\"GRE\ufffd\u0015\ufffd\/b\ufffd\ufffd\ufffdW$\ufffd2 \ufffdjL\ufffd\ufffdO\u000e\ufb86\ufffd^\ufffd\u0016A\u0019x\t,\"\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffd\ufffd\u0236\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001", "tls_ja3": "9460af62ae0af667130bf0d36514f084", "tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86", "port": 7411, "service": "tls", "service_label_fr": "TLS" }, "attack_vector": "postgres probe \u00b7 via TLS:7411 \u00b7 (sonde \/ probe)", "evidence_snippet": "\ufffd\ufffdF\ufffdn\ufffdI%y%\ufffdhg\ufffd\ufffdWd\"GRE\ufffd\ufffd\/b\ufffd\ufffd\ufffdW$\ufffd2 \ufffdjL\ufffd\ufffdO\ufb86\ufffd^\ufffdAx\t,\"\ufffd\ufffd\ufffdt\ufffd\ufffd\ufffd\ufffd\ufffd\u0236\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd", "target_port_label": "7411 \u00b7 TLS", "emulator_service": "tls", "confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9", "confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "tls", "service_banner": "honeypot-tls", "service_os": "linux", "dst_port": "7411" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:7411", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "ban_policy": "advisory_monitor", "tags_list": [ "tls_ja3", "tls_no_sni", "tls_weak_cipher" ] }
07/06/2026 18:42:42 UTC	TCP	7411	—	Sonde port Sonde port · port 7411 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7411 Chemin / cible — Payload t3 12.1.2 AS:2048 HL:19 Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 58% Corrélation +8 Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) t3 12.1.2 AS:2048 HL:19 Meta JSON brut { "bytes_in": 25, "payload_entropy": 3.7834651896016456, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "HK", "dst_port": 7411, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "3581f31f4861c8d5873e595852ed275ab666f578", "event_fingerprint": "45427e6a592b173fb99bf97ee8fa4f9161a6c484", "classification_confidence": 0.58, "confidence": 0.58, "precision_signals": [ "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672", "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 7411, "risk_score": 44 }, "payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n", "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "evidence": { "request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n", "payload_snippet": "t3 12.1.2\nAS:2048\nHL:19", "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a30f825d3b7a786450e47c8fdeedccf8027b2e9c", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 7411 }, "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "attack_vector": "Sonde port \u00b7 port 7411 \u00b7 (sonde \/ probe)", "target_port_label": "7411", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 58 % \u2014 multi-protocole (3 protocoles \u00b7 5 min)", "confidence_pct": 58, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 7411, "protocol_emulated": null, "tags_summary": [ "INT-single-port" ], "tags_summary_labels_fr": [ "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "payload_preview": "t3 12.1.2\nAS:2048\nHL:19", "port": 7411 }, "attack_vector": "Sonde port \u00b7 port 7411 \u00b7 (sonde \/ probe)", "evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19", "target_port_label": "7411", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "7411" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 3, "multi_protocol_sample": [ "http", "port:7411", "tls" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
07/06/2026 18:42:41 UTC	TCP	7411 · HTTP	http	Sonde port 7411/TCP port 7411 tcp · via HTTP:7411 · (sonde / probe)	Élevée	Moyen · 42
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces Corrélations Multi-protocole corrélé (5 min) MITRE TA0007 TA0007 TA0001 Protocole GET / UA curl/7.29.0 Émulateur HTTP WAF 6 Recommandation Surveiller Tags 950734:sap-sapcontrol-path scanner-ua anomaly:scanner-ua botnet_http_ua_host Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 7411 Chemin / cible / Preuve honeypot — Sonde port 7411/TCP Connexion détectée sur le port 7411 (TCP) du capteur simulé. Service HTTP Pourquoi cette classification : Type « port_7411_tcp » (signaux protocolaires) · confiance 55% Confiance classification 63% Corrélation +8 Risque capteur Moyen · 42 Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET / HTTP/1.1` User-Agent curl/7.29.0 Règles WAF sap-sapcontrol-path scanner-ua Payload (extrait) GET / HTTP/1.1 User-Agent: curl/7.29.0 Host: 62.3.50.33 Accept: / Meta JSON brut { "http_header_count": 3, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8", "http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 74, "payload_entropy": 4.819344967782759, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 7411, "risk_waf": 32, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 30, "risk_boost": 0, "risk_granularity": 2.1, "risk_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30 }, "risk_score": 42, "tag_count": 5, "anomaly_count": 1, "campaign_key": "82d205b8fd7f0e4a1c1d53a6d3f8af842d490948", "event_fingerprint": "aa9fc779fe28d5261eb0744e31a7f7ae6e4048a0", "classification_reason": "Type \u00ab port_7411_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "confidence": 0.63, "classification_confidence": 0.63, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "named_classification_skipped": true, "named_candidate": "web_scanner", "service_name": "http", "risk_confidence_factor": 55, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161", "payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 7411, "service": "http", "service_name": "http", "risk_score": 42 }, "payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "evidence": { "method": "GET", "path": "\/", "user_agent": "curl\/7.29.0", "waf_tags": [ "950734:sap-sapcontrol-path", "scanner-ua" ], "waf_rule_names": [ "sap-sapcontrol-path", "scanner-ua" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "classification_reason": "Type \u00ab port_7411_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6c2ced3bd16506bc6f79f09cf0797f29a3dc2ae5", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 7411, "service": "http", "service_label_fr": "HTTP" }, "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "attack_vector": "port 7411 tcp \u00b7 via HTTP:7411 \u00b7 (sonde \/ probe)", "target_port_label": "7411 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_7411_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "classification_reason_label_fr": "Type \u00ab port_7411_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 42\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 63 % \u2014 via HTTP \u2014 multi-protocole (2 protocoles \u00b7 5 min)", "confidence_pct": 63, "confidence_breakdown": { "waf": 32, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 30, "risk_score": 42, "correlation_boost": 8 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 42, "risk_label": "Moyen", "service_name": "http", "service_label_fr": "HTTP", "dst_port": 7411, "protocol_emulated": null, "tags_summary": null, "tags_summary_labels_fr": null, "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot-http", "correlation_flags": [ "multi_protocol_correlation" ], "correlation_flags_labels_fr": [ "Multi-protocole corr\u00e9l\u00e9 (5 min)" ], "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Corr\u00e9lation +8", "protocol_details": { "http_method": "GET", "http_path": "\/", "request_line": "GET \/ HTTP\/1.1", "http_user_agent": "curl\/7.29.0", "port": 7411, "service": "http", "service_label_fr": "HTTP" }, "attack_vector": "port 7411 tcp \u00b7 via HTTP:7411 \u00b7 (sonde \/ probe)", "evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: \/", "target_port_label": "7411 \u00b7 HTTP", "emulator_service": "http", "confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF", "confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "7411" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "multi_protocol_correlation": true, "multi_protocol_count": 2, "multi_protocol_sample": [ "http", "port:7411" ], "multi_protocol_window_s": 300, "behavior_alerts": [ "multi_protocol_correlation" ], "correlation_confidence_boost": 8, "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950734:sap-sapcontrol-path", "anomaly:scanner-ua", "botnet_http_ua_host", "http_ua_suspicious", "scanner-ua" ], "behavior_alert_count": 1, "behavior_priority": 72 }
07/06/2026 18:42:35 UTC	TCP	7411	—	Sonde port Sonde port · port 7411 · (sonde / probe)	Faible	Moyen · 44
Étape Sonde / probe Chaîne Découverte Persona mail.sensor-1.internal Rôle capteur Renseignement menaces MITRE TA0007 TA0007 TA0001 Protocole WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7411 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Confiance modérée — signal unique Risque capteur Moyen · 44 Confiance : Confiance modérée (50 %) — signal principal unique Signaux Single Port Technique MITRE TA0007 Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "HK", "dst_port": 7411, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 0.3, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 44, "tag_count": 0, "anomaly_count": 0, "campaign_key": "3581f31f4861c8d5873e595852ed275ab666f578", "event_fingerprint": "45427e6a592b173fb99bf97ee8fa4f9161a6c484", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 7411, "risk_score": 44 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre": "TA0007", "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "27b70ecd9baa23eee52d97dd015f36a148f96d00", "protocol_details": { "port": 7411 }, "attack_vector": "Sonde port \u00b7 port 7411 \u00b7 (sonde \/ probe)", "target_port_label": "7411", "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "site_display": { "classification": null, "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "executive_one_liner_fr": "Activit\u00e9 suspecte \u2014 risque 44\/100 (Moyen) \u2014 MITRE TA0007 \u2014 confiance 50 %", "confidence_pct": 50, "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 44 }, "attack_stage": "probe", "attack_stage_label": "Sonde \/ probe", "attack_chain_stage": "discovery", "attack_chain_stage_label_fr": "D\u00e9couverte", "risk_score": 44, "risk_label": "Moyen", "service_name": null, "service_label_fr": null, "dst_port": 7411, "protocol_emulated": null, "tags_summary": [ "INT-single-port" ], "tags_summary_labels_fr": [ "Single Port" ], "recommended_action": "monitor", "recommended_action_label": "Surveiller", "mitre": "TA0007", "mitre_technique": "TA0007", "persona_hostname": "mail.sensor-1.internal", "persona_service_banner": "honeypot", "correlation_flags": null, "correlation_flags_labels_fr": null, "sensor_role": "threat_intelligence", "sensor_role_label_fr": "Renseignement menaces", "confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique", "protocol_details": { "port": 7411 }, "attack_vector": "Sonde port \u00b7 port 7411 \u00b7 (sonde \/ probe)", "evidence_snippet": null, "target_port_label": "7411", "emulator_service": null, "confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique", "confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8" }, "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "7411" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "discovery", "matched_patterns": [], "ban_policy": "advisory_monitor" }
07/06/2026 02:05:01 UTC	TCP	6053 · HTTP	http	Sonde HTTP	Moyenne	Moyen · 40
Étape Sonde / probe MITRE T1595 TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6053 Chemin / cible /favicon.ico Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:6053 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "c1d799579e3f41c395653847249bb1730e2dd25b", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.91304014202675, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 6053, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a3beb3ca08a18adfbdfa18c2aae50fdc4360236a", "event_fingerprint": "3f0bd24ca053a8eb4a8f275fac600d23f9b0347c", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 102, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "ac31c0845c5197c6174e76d8d652be6b", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 6053, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a3a935afdc5b2f7e0654dddf15110e58bb8d6cb0", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6053" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
07/06/2026 02:05:01 UTC	TCP	6053 · HTTP	http	Sonde HTTP	Moyenne	Moyen · 40
Étape Sonde / probe MITRE T1595 TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6053 Chemin / cible /robots.txt Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:6053 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "c1d799579e3f41c395653847249bb1730e2dd25b", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.897315437363455, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 6053, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 40, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a3beb3ca08a18adfbdfa18c2aae50fdc4360236a", "event_fingerprint": "f739e02237ed43ae1e82bb4a15988e973b91e8c0", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 102, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 40 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "7d88c920877a08d0ca6e6866c178fdfc", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 6053, "service": "http", "service_name": "http", "risk_score": 40 }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aefed6813008317c1e1ebb0f3034b931e737b76b", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6053" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
07/06/2026 02:05:01 UTC	TCP	6053 · HTTP	http	Sonde HTTP	Moyenne	Faible · 35
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6053 Chemin / cible /sitemap.xml Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 34% Confiance classification 34% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:6053 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "c1d799579e3f41c395653847249bb1730e2dd25b", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.956641432291222, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 6053, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.6, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 35, "tag_count": 1, "anomaly_count": 0, "campaign_key": "a3beb3ca08a18adfbdfa18c2aae50fdc4360236a", "event_fingerprint": "f4015ad9f8b833da8c0e33fe25c6761b372db329", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 35 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "04773abd22b82c7487056d0bba7d1b56", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 6053, "service": "http", "service_name": "http", "risk_score": 35 }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "062e791bc6a468b2ea33a93643867f590667ff6b", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6053" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
07/06/2026 02:05:00 UTC	TCP	6053 · HTTP	http	Tentative d'exploit	Élevée	Moyen · 44
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 6053 Chemin / cible / Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit/552.50 (KHTML, like Gecko) Chrome/61.0.1164 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6053 User-Agent: Mozilla/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit/552.50 (KHTML, like Ge Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:6053 User-Agent: Mozilla/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit/552.50 (KHTML, like Gecko) Chrome/61.0.1164 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "cb9f9e592373ad0bfc24e034fc8af7dbaf3a6b16", "http_host_hash": "c1d799579e3f41c395653847249bb1730e2dd25b", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.392104143367686, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 6053, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.3, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "795f2378d0bb676179e47f530c439b148e90ff56", "event_fingerprint": "00b52bcc8b95550dd1b67117b1b8ed9df8a51383", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 44 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "ff5f0cab2eca865642594e74e72131c1", "payload_hash": "000a358a1f70fabf03ce5eb4868767a4", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 6053, "service": "http", "service_name": "http", "risk_score": 44 }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit\/552.50 (KHTML, like Ge", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit\/552.50 (KHTML, like Gecko) Chrome\/61.0.1164 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit\/552.50 (KHTML, like Gecko) Chrome\/61.0.1164 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit\/552.50 (KHTML, like Ge", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit\/552.50 (KHTML, like Gecko) Chrome\/61.0.1164 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit\/552.50 (KHTML, like Gecko) Chrome\/61.0.1164 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:6053\r\nUser-Agent: Mozilla\/5.0 (Windows NT 8_0_1; Win64; x64) AppleWebKit\/552.50 (KHTML, like Ge", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "bd1e2f1306fad69154b8fe4b60c0c5394b7bddbe", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "6053" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploit_attempt", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
06/06/2026 21:34:31 UTC	TCP	2197 · HTTP	http	Sonde HTTP	Moyenne	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2197 Chemin / cible /sitemap.xml Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 34% Confiance classification 34% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:2197 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "7e636f698108a038d50208d0f2f4fdee952ac3ba", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.985494384857888, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2197, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 16, "tag_count": 1, "anomaly_count": 0, "campaign_key": "aa3a8256bfc5ecbfb534abbfefbc6a971fe81f0d", "event_fingerprint": "b39fcf037095d351b477f9d794b5f0b78a6db0e9", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 16 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "ac67ba165d6dedae88f1ab03d4a75e84", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 2197, "service": "http", "service_name": "http" }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4538f551e338eb206de40e8db0c10816c019e620", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2197" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
06/06/2026 21:34:31 UTC	TCP	2197 · HTTP	http	Sonde HTTP	Moyenne	Faible · 21
Étape Sonde / probe MITRE T1595 TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2197 Chemin / cible /robots.txt Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:2197 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "7e636f698108a038d50208d0f2f4fdee952ac3ba", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.926399213550654, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2197, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 21, "tag_count": 1, "anomaly_count": 0, "campaign_key": "aa3a8256bfc5ecbfb534abbfefbc6a971fe81f0d", "event_fingerprint": "44883271c4b5393262c754ce91ec2f1c55929bf2", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 102, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 21 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "e2451c0340211b9000be46a14ab5bebb", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 2197, "service": "http", "service_name": "http" }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b1ece6f44798c5ec1ee7f942a591a7035b5ff754", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2197" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
06/06/2026 21:34:30 UTC	TCP	2197 · HTTP	http	Tentative d'exploit	Élevée	Moyen · 47
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2197 Chemin / cible / Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/550.35 (KHTML, like Gecko) Chrome/102.0.475 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2197 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/550.35 (KHTML, like Gecko) Chrome Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:2197 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/550.35 (KHTML, like Gecko) Chrome/102.0.475 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "1b737439750febbb381a81620e85285983759afb", "http_host_hash": "7e636f698108a038d50208d0f2f4fdee952ac3ba", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 198, "payload_entropy": 5.431421035504837, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2197, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 5.4, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 47, "tag_count": 3, "anomaly_count": 0, "campaign_key": "c6c69df29ff3925b16b708cfe86d6dd87be40faa", "event_fingerprint": "cf70722894be80e89d2746bf52299c38c5575e24", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "confidence_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15, "risk_score": 47 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "dced437fa286fa8b3893fb4213da24a2", "payload_hash": "e6cc34fa05f98f9b49598125f2ee0a25", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 2197, "service": "http", "service_name": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/550.35 (KHTML, like Gecko) Chrome", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/550.35 (KHTML, like Gecko) Chrome\/102.0.475 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/550.35 (KHTML, like Gecko) Chrome\/102.0.475 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/550.35 (KHTML, like Gecko) Chrome", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/550.35 (KHTML, like Gecko) Chrome\/102.0.475 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/550.35 (KHTML, like Gecko) Chrome\/102.0.475 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/550.35 (KHTML, like Gecko) Chrome", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4ff0e09e1a522255e9f7ca8798d7446f05d81a88", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2197" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "exploit_attempt", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "behavior_alert_count": 1, "behavior_priority": 72 }
06/06/2026 21:34:30 UTC	TCP	2197 · HTTP	http	Sonde HTTP	Moyenne	Faible · 21
Étape Sonde / probe MITRE T1595 TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 2197 Chemin / cible /favicon.ico Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 95% Confiance classification 95% Technique MITRE T1595 Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:2197 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "7e636f698108a038d50208d0f2f4fdee952ac3ba", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.941893094593416, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 2197, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.7, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 21, "tag_count": 1, "anomaly_count": 0, "campaign_key": "aa3a8256bfc5ecbfb534abbfefbc6a971fe81f0d", "event_fingerprint": "4c93c8e53554fa071a5c396ce300a5d997a9bf00", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%", "confidence": 0.95, "classification_confidence": 0.95, "precision_score": 102, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "confidence_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15, "risk_score": 21 }, "named_classification_skipped": false, "service_name": "http", "risk_confidence_factor": 95, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "4401dd835d3286183a94ae991694c613", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 2197, "service": "http", "service_name": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:2197\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "mitre_techniques": [ "T1595" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e03e1df27dc20f1697ab2376e117ce1a763181b4", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "http", "service_banner": "honeypot-http", "service_os": "linux", "dst_port": "2197" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ], "behavior_alert_count": 1, "behavior_priority": 72 }
06/06/2026 14:17:20 UTC	TCP	3444	http	Sonde HTTP	Moyenne	Faible · 17
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3444 Chemin / cible /favicon.ico Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 94% Confiance classification 94% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:3444 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "4c3ffd77abb1fb0272abc8b7c4e3a60b3b4bc5a5", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.922921987247676, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 3444, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 17, "tag_count": 1, "anomaly_count": 0, "campaign_key": "2fdf68fdea8bcb37efad88bc8334809c058dac66", "event_fingerprint": "09126971d0fcef9965968b657eb320e0ea7545cb", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%", "confidence": 0.94, "classification_confidence": 0.94, "precision_score": 102, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "risk_confidence_factor": 94, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "cc14f0b7f06557e7ad22f33698c17323", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 3444, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0334b4add757ded73f1f0f8f16111b3d9a46b125", "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
06/06/2026 14:17:20 UTC	TCP	3444	http	Sonde HTTP	Moyenne	Faible · 12
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3444 Chemin / cible /sitemap.xml Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 34% Confiance classification 34% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:3444 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "4c3ffd77abb1fb0272abc8b7c4e3a60b3b4bc5a5", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.966523277512148, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 3444, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 12, "tag_count": 1, "anomaly_count": 0, "campaign_key": "2fdf68fdea8bcb37efad88bc8334809c058dac66", "event_fingerprint": "7f34227eebe66d25217deb06e31bdf49abdd3245", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "9ea09789ed55a5653c35e20b545af28d", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 3444, "service": "http" }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "5cf244c79f6f67d77ca82ff2609e952aac6a02a2", "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
06/06/2026 14:17:20 UTC	TCP	3444	http	Sonde HTTP	Moyenne	Faible · 17
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3444 Chemin / cible /robots.txt Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 94% Confiance classification 94% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:3444 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "4c3ffd77abb1fb0272abc8b7c4e3a60b3b4bc5a5", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 125, "payload_entropy": 4.907276337346148, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 3444, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 0.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 17, "tag_count": 1, "anomaly_count": 0, "campaign_key": "2fdf68fdea8bcb37efad88bc8334809c058dac66", "event_fingerprint": "f85987a2b1fd0f95541be703d3b6f27b0e61be6b", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%", "confidence": 0.94, "classification_confidence": 0.94, "precision_score": 102, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "risk_confidence_factor": 94, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "d37280cc36a3a381d70fca64d589b464", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 3444, "service": "http" }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "c91e16df91c69f76bc2b59b304e6f4592a73eda4", "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
06/06/2026 14:17:19 UTC	TCP	3444	http	Tentative d'exploit	Élevée	Moyen · 44
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 3444 Chemin / cible / Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit/576.47 (KHTML, like Gecko) Chrome/86.0.803 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3444 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit/576.47 (KHTML, like G Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:3444 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit/576.47 (KHTML, like Gecko) Chrome/86.0.803 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "fa149183ca0e07625aa969a26f24f82a42131d94", "http_host_hash": "4c3ffd77abb1fb0272abc8b7c4e3a60b3b4bc5a5", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.3819208055399, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 3444, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.5, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "d3ea1d8de49a4f5636929fefd3563321e0823fdd", "event_fingerprint": "3cc8278898335dd8402c4d746722f6b66b43c9e5", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "0a491e15a589f9730ef5c7b8b3f265fc", "payload_hash": "f9925156150c68a18480cf817431479b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 3444, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit\/576.47 (KHTML, like G", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit\/576.47 (KHTML, like Gecko) Chrome\/86.0.803 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit\/576.47 (KHTML, like Gecko) Chrome\/86.0.803 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit\/576.47 (KHTML, like G", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit\/576.47 (KHTML, like Gecko) Chrome\/86.0.803 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit\/576.47 (KHTML, like Gecko) Chrome\/86.0.803 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:3444\r\nUser-Agent: Mozilla\/5.0 (Macintosh; Intel Mac OS X 8_1) AppleWebKit\/576.47 (KHTML, like G", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ed527fa93555cb61f1b4bd6a1fb2b98f462327de", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
05/06/2026 05:51:02 UTC	TCP	26080	http	Sonde HTTP	Moyenne	Faible · 18
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 26080 Chemin / cible /favicon.ico Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 94% Confiance classification 94% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:26080 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "e88b5d974cc5e774b3056abe47e186460655de11", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.94455880118204, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 26080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 18, "tag_count": 1, "anomaly_count": 0, "campaign_key": "1185a64ed9389b991e996ee96f2bf624b184fccc", "event_fingerprint": "835ad1810bfeb460ca6ba08c912bbf159acd84bd", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%", "confidence": 0.94, "classification_confidence": 0.94, "precision_score": 102, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "risk_confidence_factor": 94, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "9ab579d39c4e2c97005a364d5ff4973d", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 26080, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "18a3a0df848ebf1d18af32b2de84a4ad2d535444", "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
05/06/2026 05:51:02 UTC	TCP	26080	http	Sonde HTTP	Moyenne	Faible · 18
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /robots.txt TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 26080 Chemin / cible /robots.txt Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 94% Confiance classification 94% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /robots.txt HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /robots.txt HTTP/1.1 Host: 62.3.50.33:26080 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "txt", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "e88b5d974cc5e774b3056abe47e186460655de11", "http_target_hash": "b7a9adb9fec4116c29da690c45d9a67df535af9d", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.929118170193123, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 26080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 18, "tag_count": 1, "anomaly_count": 0, "campaign_key": "1185a64ed9389b991e996ee96f2bf624b184fccc", "event_fingerprint": "0bd0b0104bcaa509504318b5054530afd64d363e", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%", "confidence": 0.94, "classification_confidence": 0.94, "precision_score": 102, "precision_signals": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-robots", "INT-single-port", "INT-benign-path-cap" ], "risk_confidence_factor": 94, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "c728455fb247923fb2881a7a8d5fa7d3", "path_pattern_hash": "adada1317532a28bebf63fe6edbea3e4" }, "target_context": { "dst_port": 26080, "service": "http" }, "payload_preview": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/robots.txt", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/robots.txt HTTP\/1.1", "request_sample": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/robots.txt HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6ad63cc3b5540fd3f665d3d24e3f89289cb2e857", "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
05/06/2026 05:51:02 UTC	TCP	26080	http	Sonde HTTP	Moyenne	Faible · 13
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 26080 Chemin / cible /sitemap.xml Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 34% Confiance classification 34% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:26080 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "e88b5d974cc5e774b3056abe47e186460655de11", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 127, "payload_entropy": 4.987816774200334, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 26080, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 1.8, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 13, "tag_count": 1, "anomaly_count": 0, "campaign_key": "1185a64ed9389b991e996ee96f2bf624b184fccc", "event_fingerprint": "2599b835ddedc39f6bbe508e605096e0de09f713", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "541411d44cb7aabc5c24122775263842", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 26080, "service": "http" }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8d90571c68922ce40ae8008db98b2fef67b522a3", "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
05/06/2026 05:51:01 UTC	TCP	26080	http	Tentative d'exploit	Élevée	Moyen · 44
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF 16 Recommandation Surveiller Tags 950326:rce-0 950470:nosqli-3 950734:sap-sapcontrol-path Cible HTTP GET / TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 26080 Chemin / cible / Pourquoi cette classification : Tentative d'exploit (tag rce-0) · confiance 62% Confiance classification 62% Tactiques MITRE TA0001 TA0002 Ligne de requête `GET / HTTP/1.1` User-Agent Mozilla/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit/575.40 (KHTML, like Gecko) Chrome/100.0.1404 Safari/537.36 Règles WAF rce-0 nosqli-3 sap-sapcontrol-path Payload (extrait) GET / HTTP/1.1 Host: 62.3.50.33:26080 User-Agent: Mozilla/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit/575.40 (KHTML, like Gec Requête brute (extrait) GET / HTTP/1.1 Host: 62.3.50.33:26080 User-Agent: Mozilla/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit/575.40 (KHTML, like Gecko) Chrome/100.0.1404 Safari/537.36 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 0, "http_path_ext": null, "http_ua_hash": "8aa850df3d7345916217b25fdb1d8defc01f90e0", "http_host_hash": "e88b5d974cc5e774b3056abe47e186460655de11", "http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": false, "http_ua_is_browser": true, "bytes_in": 209, "payload_entropy": 5.4153788180617495, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 26080, "risk_waf": 72, "risk_classification": 72, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 25, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 2.5, "risk_breakdown": { "waf": 72, "classification": 72, "behavior": 0, "geo": 0, "protocol": 25, "novelty": 15 }, "risk_score": 44, "tag_count": 3, "anomaly_count": 0, "campaign_key": "98a4ed698544c9807c0d7f75a605f3dc2d2c28ff", "event_fingerprint": "720635327087beea358d8245c9d25224c543f322", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%", "confidence": 0.62, "classification_confidence": 0.62, "precision_score": 73, "precision_signals": [ "MITRE-T1190" ], "kb_rule_ids": [ "MITRE-T1190" ], "risk_confidence_factor": 62, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "c55893e35d491533525ed0468d5f267e", "payload_hash": "13c0728f23e5a054e5c79611d469d57b", "path_pattern_hash": "8a5edab282632443219e051e4ade2d1d" }, "target_context": { "dst_port": 26080, "service": "http" }, "payload_preview": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit\/575.40 (KHTML, like Gec", "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit\/575.40 (KHTML, like Gecko) Chrome\/100.0.1404 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit\/575.40 (KHTML, like Gecko) Chrome\/100.0.1404 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit\/575.40 (KHTML, like Gec", "evidence": { "method": "GET", "path": "\/", "user_agent": "Mozilla\/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit\/575.40 (KHTML, like Gecko) Chrome\/100.0.1404 Safari\/537.36", "waf_tags": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ], "waf_rule_names": [ "rce-0", "nosqli-3", "sap-sapcontrol-path" ], "request_line": "GET \/ HTTP\/1.1", "request_sample": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit\/575.40 (KHTML, like Gecko) Chrome\/100.0.1404 Safari\/537.36\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/ HTTP\/1.1\r\nHost: 62.3.50.33:26080\r\nUser-Agent: Mozilla\/5.0 (Windows NT 9_2; Win64; x64) AppleWebKit\/575.40 (KHTML, like Gec", "classification_reason": "Tentative d'exploit (tag rce-0) \u00b7 confiance 62%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8cfbf2017e7a4abad610eb9a66f9268127910f4c", "ban_policy": "advisory_monitor", "tags_list": [ "950326:rce-0", "950470:nosqli-3", "950734:sap-sapcontrol-path" ] }
05/06/2026 05:01:55 UTC	TCP	8085	http	Sonde HTTP	Moyenne	Faible · 21
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /favicon.ico TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8085 Chemin / cible /favicon.ico Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 94% Confiance classification 94% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /favicon.ico HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /favicon.ico HTTP/1.1 Host: 62.3.50.33:8085 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "ico", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "8307e910dac7083f4f0d52abcc8375f89d55b254", "http_target_hash": "a40fba6620dee3abd15532f18848dacb6bb80f01", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.938795003120691, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 8085, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 21, "tag_count": 1, "anomaly_count": 0, "campaign_key": "fca10d503f307308de9a8a72e6930a43523b7afc", "event_fingerprint": "0541a1f13b56651e26c7bdef266e5fd70cfabde2", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%", "confidence": 0.94, "classification_confidence": 0.94, "precision_score": 102, "precision_signals": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "kb_rule_ids": [ "INT-benign-favicon", "INT-single-port", "INT-benign-path-cap" ], "risk_confidence_factor": 94, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "fe58d26cfbf45e2cd3f7ece3c2053e1b", "path_pattern_hash": "b18036488649e7cc8a55b0a02c8b737a" }, "target_context": { "dst_port": 8085, "service": "http" }, "payload_preview": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/favicon.ico", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/favicon.ico HTTP\/1.1", "request_sample": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/favicon.ico HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 94%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "aa6c92c6f85c87ebad735fd3c11fdbdde5861e36", "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }
05/06/2026 05:01:55 UTC	TCP	8085	http	Sonde HTTP	Moyenne	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF 0 Recommandation Surveiller Tags http_ua_suspicious Cible HTTP GET /sitemap.xml TLS SNI — Capteur paris-1
Preuve / Evidence Méthode GET Port 8085 Chemin / cible /sitemap.xml Pourquoi cette classification : Type « web_probe » (signaux protocolaires) · confiance 34% Confiance classification 34% Tactiques MITRE TA0007 TA0001 Ligne de requête `GET /sitemap.xml HTTP/1.1` User-Agent Go-http-client/1.1 Règles WAF — Payload (extrait) GET /sitemap.xml HTTP/1.1 Host: 62.3.50.33:8085 User-Agent: Go-http-client/1.1 Accept-Encoding: gzip Connection: close Meta JSON brut { "http_header_count": 4, "http_query_params": 0, "http_path_depth": 1, "http_path_ext": "xml", "http_ua_hash": "c3e68bb8f388240c7ecaebb8bcb80a85536526f2", "http_host_hash": "8307e910dac7083f4f0d52abcc8375f89d55b254", "http_target_hash": "aefeebe85207f9638bc792aa32d2470b82e35120", "http_referer_hash": null, "http_method": "GET", "http_ua_is_cli": true, "http_ua_is_browser": false, "bytes_in": 126, "payload_entropy": 4.982396293385163, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "http", "app_proto": "http", "asn": 135377, "country": "HK", "dst_port": 8085, "risk_waf": 8, "risk_classification": 38, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 35, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 4.3, "risk_breakdown": { "waf": 8, "classification": 38, "behavior": 0, "geo": 0, "protocol": 35, "novelty": 15 }, "risk_score": 16, "tag_count": 1, "anomaly_count": 0, "campaign_key": "fca10d503f307308de9a8a72e6930a43523b7afc", "event_fingerprint": "f1012c6cdaa62cfb1acdb88b29e5ec9af1d6221c", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%", "confidence": 0.34, "classification_confidence": 0.34, "precision_score": 40, "precision_signals": [ "INT-single-port" ], "kb_rule_ids": [ "INT-single-port" ], "risk_confidence_factor": 34, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "HK", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "http_ua_hash": "12bd583dd25b868e6423d8f04cc19fd1", "payload_hash": "41c01b34b44ebbc3771ad0af5c1b14ab", "path_pattern_hash": "7efd2a819481844ebcfd47a818831daf" }, "target_context": { "dst_port": 8085, "service": "http" }, "payload_preview": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "evidence": { "method": "GET", "path": "\/sitemap.xml", "user_agent": "Go-http-client\/1.1", "request_line": "GET \/sitemap.xml HTTP\/1.1", "request_sample": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n", "payload_snippet": "GET \/sitemap.xml HTTP\/1.1\r\nHost: 62.3.50.33:8085\r\nUser-Agent: Go-http-client\/1.1\r\nAccept-Encoding: gzip\r\nConnection: close", "classification_reason": "Type \u00ab web_probe \u00bb (signaux protocolaires) \u00b7 confiance 34%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e4fde5647faf5824cb2c4483910243bd91a66767", "ban_policy": "advisory_monitor", "tags_list": [ "http_ua_suspicious" ] }

152.32.128.85

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence