Détails IP 152.32.182.165

Synthèse exécutive

Profil de menace

Score de risque 87/100 Critique

Première observation 01/01/2026 18:17 UTC

Dernière observation 18/06/2026 05:23 UTC

Événements (période) 243

MITRE ATT&CK principal TA0007 83 occurrences

Activité suspecte · risque 44/100

Pourquoi listée

Synthèse décisionnelle honeypot — seuil de listing maintenu à 1 événement qualifié.

Type « port_probe » (signaux protocolaires) · confiance 50%

Confiance 58 % — Score WAF 8 · Bonus corrélation +8

Comparaison ASN / FAI

ASN 135377 · 152.32.182.0/24 · APNIC — 8 pair(s) ASN/FAI listé(s) — activité locale élevée vs pairs · 243 événements sur la période pour cette IP.

101.36.106.134 Tentative d'exploit 18/06/2026 11:54 UTC
118.194.250.22 Sonde port 18/06/2026 11:53 UTC
118.26.36.18 Sonde port 18/06/2026 11:50 UTC
165.154.120.223 Tentative d'exploit 18/06/2026 11:49 UTC
118.193.56.229 Sonde port 18/06/2026 11:49 UTC
118.194.251.144 Sonde port 18/06/2026 11:49 UTC
152.32.173.15 Tentative d'exploit 18/06/2026 11:47 UTC
118.194.251.58 Tentative d'exploit 18/06/2026 11:43 UTC

Événements (filtres)

243

Première observation

01/01/2026 18:17 UTC

Dernière observation

18/06/2026 05:23 UTC

Dernière activité (filtres)

18/06/2026 05:23 UTC

Événements 7j

Ports distincts (7j)

Classifications (7j)

Sévérité max (7j)

Élevée

Activité multi-protocole

Cette IP touche plusieurs services simulés (pas seulement le web).

SAP Diag TCP 146 TLS TCP 41 HTTP TCP 20

SAP Diag

146

TLS

HTTP

Géolocalisation

Origine réseau déclarée

États-Unis unknown unknown

FAI / réseau

Opérateur et dernière activité ban

UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED 767 Port 2278 port_probe

Renseignement menaces

Score capteur — surveiller, investiguer ou bloquer.

Recommandation

Stade d'attaque

Sonde / probe

Chaîne d'attaque

Découverte

Vecteur d'attaque

Sonde port · port 2278 · (sonde / probe)

Détails protocole

Aperçu payload

t3 12.1.2 AS:2048 HL:19

Port / service

2278

Raison confiance

Confiance modérée (50 %) — signal principal unique

Technique MITRE

TA0007

Persona capteur

mail.sensor-1.internal

Corrélations comportementales

Multi-protocole corrélé (5 min)

Recommandation

Surveiller

Rôle capteur

Renseignement menaces

Signaux de précision

Fp Port Probe Noise Single Port

Confiance

58% Corrélation +8

Famille de menace

scanner

MITRE ATT&CK — tactiques

Reconnaissance Développement Accès Exécution Persistance Élévation Contournement Accès Découverte Mouvement Collecte Commande Exfiltration Impact

Décomposition confiance

Filtres

Les dates De/À priment sur la période. Affinez protocole, port, service et classification.

proto=Tous service=Tous port=Tous type=Tous sév.=Toutes

Période

Protocole

Port (dst)

Service

Classification

Sévérité min

Sévérité max

Réinitialiser

Timeline

243 événements filtrés — activité quotidienne

Ports 24 h

Top ports ciblés sur les dernières 24 heures

Top ports

SSH 22, RDP 3389, HTTP alternatifs…

Top classifications

Web, SSH, SAP, scans…

Heatmap attaques 7j

Intensité par jour et heure (UTC capteur)

Chronologie des événements

243 événement(s) — page 3/5

Horodatage	Proto	Port	Service	Classification	Sévérité	Risque
06/06/2026 21:47:40 UTC	TCP	7672	—	Sonde port	Faible	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags — Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 7672 Chemin / cible — Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Meta JSON brut { "bytes_in": 0, "payload_entropy": 0, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": null, "app_proto": null, "asn": 135377, "country": "US", "dst_port": 7672, "risk_waf": 8, "risk_classification": 48, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 0, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 2.4, "risk_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0 }, "risk_score": 16, "tag_count": 0, "anomaly_count": 0, "campaign_key": "5f7e6c64484487974ac1dccbb8aab4c214bb66c5", "event_fingerprint": "c79338d59e28e8e94b398ab5240b581475084654", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "INT-single-port" ], "classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "confidence_breakdown": { "waf": 8, "classification": 48, "behavior": 0, "geo": 0, "protocol": 0, "novelty": 0, "risk_score": 16 }, "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d" }, "target_context": { "dst_port": 7672 }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9913ea1a607a2d1f0be581347b31b37a17fdb7b2", "honeypot_persona": { "sensor_id": "sensor-1", "hostname": "mail.sensor-1.internal", "mail_host": "mail.sensor-1.internal", "ldap_dc": "dc.sensor-1.internal", "k8s_cluster": "hp-sensor-1", "domain": "sensor-1.internal", "service_role": "generic", "service_banner": "honeypot", "service_os": "linux", "dst_port": "7672" }, "hostname": "mail.sensor-1.internal", "sensor_id": "sensor-1", "attack_chain_stage": "probe", "matched_patterns": [], "ban_policy": "advisory_monitor" }
06/06/2026 02:38:08 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) CNXN2��host:: Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 31, "payload_entropy": 3.3729205036561045, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2ab0510cc4156c41c24112bc2a720db2", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "request_sample": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "payload_snippet": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "evidence": { "request_sample": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "payload_snippet": "CNXN\u0000\u0000\u0000\u0001\u0000\u0010\u0000\u0000\u0007\u0000\u0000\u00002\u0002\u0000\u0000\ufffd\ufffd\ufffd\ufffdhost::\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "3d8a16a25f717326e29be1e9e48e77a62038e617", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:38:06 UTC	TCP	3203	sap-diag	mqtt probe	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags mqtt_connect net_sap_diag_probe sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « mqtt_probe » (signaux protocolaires) · confiance 97% Confiance classification 97% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MQTT protocol UA nmap Sigma nmap UA MQTT alt CONNECT Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) MQTTnmap Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 18, "payload_entropy": 3.4193819456463714, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 24, "tag_count": 5, "anomaly_count": 0, "campaign_key": "fed91112f44a2e1abeb2dab93a9ccb7c59fd8109", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%", "confidence": 0.97, "classification_confidence": 0.97, "precision_score": 110, "precision_signals": [ "pat-0373", "pat-0615" ], "kb_rule_ids": [ "pat-0373", "pat-0615" ], "matched_patterns": [ "pat-0373", "pat-0448", "pat-0543", "pat-0615", "pat-0554" ], "matched_pattern_names": [ "MQTT protocol", "UA nmap", "Sigma nmap UA", "MQTT alt CONNECT", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0373", "pat-0448", "pat-0543", "pat-0615", "pat-0554" ], "risk_confidence_factor": 97, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad60b419f2f0103bea99389955f5bdf8", "path_pattern_hash": "4449b927317468afa12a2f935a413459" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "request_sample": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "payload_snippet": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "evidence": { "request_sample": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "payload_snippet": "\u0010\u0010\u0000\u0004MQTT\u0004\u0002\u0000\u001e\u0000\u0004nmap", "classification_reason": "Type \u00ab mqtt_probe \u00bb (signaux protocolaires) \u00b7 confiance 97%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b1f8b239f1a3b5f3e2df23e84a26366e052ea1fd", "ban_policy": "advisory_monitor", "tags_list": [ "mqtt_connect", "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:38:03 UTC	TCP	3203	sap-diag	Sonde WebSphere	Élevée	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « websphere_probe » (signaux protocolaires) · confiance 47% Confiance classification 47% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) GIOP WebSphere IIOP Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) GIOP$abcdefget Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 48, "payload_entropy": 2.5723387961875535, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 54, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 54, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 20, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0605" ], "kb_rule_ids": [ "pat-0605" ], "matched_patterns": [ "pat-0605", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "GIOP WebSphere IIOP", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0605", "pat-0554", "pat-0536" ], "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a2295e3d24182f08220a2dae2c40ff1c", "path_pattern_hash": "a8ef247ba3612b90c1c670387b185e85" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "request_sample": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "GIOP\u0001\u0000\u0001\u0000$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0006\u0000\u0000\u0000abcdef\u0000\u0000\u0004\u0000\u0000\u0000get\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab websphere_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "enterprise_scan", "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "50f672a3f41a2c23f3b1c73d75aa157a4fe65554", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:38:00 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 11
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 2, "payload_entropy": 1, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 11, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4b24f4cca7e61459da3fb7bee3042b66", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\ufffd\u0001", "request_sample": "\ufffd\u0001", "payload_snippet": "\ufffd\u0001", "evidence": { "request_sample": "\ufffd\u0001", "payload_snippet": "\ufffd\u0001", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f2512bbcc1025d891a11ad59e5d426cb3e3d6292", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:57 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 11
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Redis INFO User-Agent — Règles WAF — Payload (extrait) 1 $4 info Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 14, "payload_entropy": 3.128085278891395, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 11, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "matched_patterns": [ "pat-0411" ], "matched_pattern_names": [ "Redis INFO" ], "pattern_ids": [ "pat-0411" ], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4f9ff4b8ec8624803229b3cea88426af", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "1\r\n$4\r\ninfo\r\n", "request_sample": "1\r\n$4\r\ninfo\r\n", "payload_snippet": "1\r\n$4\r\ninfo", "evidence": { "request_sample": "1\r\n$4\r\ninfo\r\n", "payload_snippet": "1\r\n$4\r\ninfo", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "69fb4bc91202fb5226872ba9d40dde142fb9e716", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:54 UTC	TCP	3203	sap-diag	Protocole TDS MSSQL	Élevée	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) A:0��test.$cmd��serverStatus�? Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 65, "payload_entropy": 3.3778795428324466, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 20, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0356" ], "kb_rule_ids": [ "pat-0356" ], "matched_patterns": [ "pat-0356", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0356", "pat-0554", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "bf7469d78bb1798d5188209f4494c1a3", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "request_sample": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "payload_snippet": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "evidence": { "request_sample": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "payload_snippet": "A\u0000\u0000\u0000:0\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0007\u0000\u0000\u0000\u0000\u0000\u0000test.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\u001b\u0000\u0000\u0000\u0001serverStatus\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd?\u0000", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e65e06c1d0fdeb399b22019a233aa68de68a790", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:52 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 18, "payload_entropy": 1.2086489509530647, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0532" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "817773a4a3987fc7642ff30928d792fc", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "request_sample": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "payload_snippet": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "evidence": { "request_sample": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "payload_snippet": "\u0000\u0003\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u000f\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "8884ca36a1bebedbd802deee8f217c158d5f1437", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:49 UTC	TCP	3203	sap-diag	Sonde RDP	Élevée	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags db2_probe net_db2_probe sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « rdp_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header NFS RPC mount RADIUS Access-Request Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��SQLDB2RA�� @ @@@@@@@ Requête brute (extrait) ��SQLDB2RA�� @ @@@@@@@@@@��@@�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 450, "payload_entropy": 1.82286057779224, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 20, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1801a9b16f30994c4cb36d32c32fe247e45de025", "event_fingerprint": "1d72c0002c2546cecaae8165877e05ab283960fc", "classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0532", "pat-0577", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "RDP TPKT header", "NFS RPC mount", "RADIUS Access-Request", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0348", "pat-0532", "pat-0577", "pat-0554", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "eceedace3cdd6b7c3a4b6f3b21c20f1b", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001", "request_sample": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0002\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0003\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0010\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0010\u0000\u0000\u0000\u0001\u0000\u0000\ufffd", "payload_snippet": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001", "evidence": { "request_sample": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0002\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0000\u0004\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0003\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0010\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\u0010\u0000\u0000\u0000\u0001\u0000\u0000\ufffd", "payload_snippet": "\u0001\ufffd\u0000\u0000\u0000\u0004\u0000\u0000\ufffd\u0001\u0000\u0000SQLDB2RA\u0000\u0001\u0000\u0000\u0004\u0001\u0001\u0000\u0005\u0000\u001d\u0000\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\ufffd\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\t\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000\u0001\b\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0001\u0000\u0000@\u0000\u0000\u0000@\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001\u0004\u0000\u0000\u0000\u0004\u0000\u0000@\u0000\u0000\u0000\u0001", "classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "013bb608bae5cfca4840c1bc4a127ed4a9cc47b1", "ban_policy": "advisory_monitor", "tags_list": [ "db2_probe", "net_db2_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:46 UTC	TCP	3203	sap-diag	Sonde Memcached	Élevée	Faible · 23
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « memcached_probe » (signaux protocolaires) · confiance 99% Confiance classification 99% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Memcached stats Memcached stats User-Agent — Règles WAF — Payload (extrait) stats Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 7, "payload_entropy": 2.2359263506290326, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 23, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 99%", "confidence": 0.99, "classification_confidence": 0.99, "precision_score": 112, "precision_signals": [ "pat-0374", "pat-0533" ], "kb_rule_ids": [ "pat-0374", "pat-0533" ], "matched_patterns": [ "pat-0374", "pat-0533" ], "matched_pattern_names": [ "Memcached stats", "Memcached stats" ], "pattern_ids": [ "pat-0374", "pat-0533" ], "risk_confidence_factor": 99, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "11e629574907d3a9ced402e26f4a98df", "path_pattern_hash": "549d36783f9e3c43618e715d78a40b3b" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "stats\r\n", "request_sample": "stats\r\n", "payload_snippet": "stats", "evidence": { "request_sample": "stats\r\n", "payload_snippet": "stats", "classification_reason": "Type \u00ab memcached_probe \u00bb (signaux protocolaires) \u00b7 confiance 99%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "13874aad021362d5f08730cc918c70caeca0c046", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:43 UTC	TCP	3203	sap-diag	Protocole TDS MSSQL	Élevée	Faible · 21
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags mssql_tds net_mssql_tds sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 74% Confiance classification 74% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) 4(�UMSSQLServerH Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 52, "payload_entropy": 3.604409845438833, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 21, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1e6c58d2799a129782ed46d0eb8328c494cb6760", "event_fingerprint": "efadfe041a03601f892f04054fbd6c49c0ef73f4", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 74%", "confidence": 0.74, "classification_confidence": 0.74, "precision_score": 83, "precision_signals": [ "pat-0519", "INT-upstream" ], "kb_rule_ids": [ "pat-0519", "INT-upstream" ], "matched_patterns": [ "pat-0519", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0519", "pat-0554", "pat-0536" ], "risk_confidence_factor": 74, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "23edc99bdfe5fe902f5ff28aa98ef130", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "request_sample": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "payload_snippet": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "evidence": { "request_sample": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "payload_snippet": "\u0012\u0001\u00004\u0000\u0000\u0000\u0000\u0000\u0000\u0015\u0000\u0006\u0001\u0000\u001b\u0000\u0001\u0002\u0000\u001c\u0000\f\u0003\u0000(\u0000\u0004\ufffd\b\u0000\u0001U\u0000\u0000\u0000MSSQLServer\u0000H\u000f\u0000\u0000", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 74%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1e66576ae9316c144596d8da14222ae49320bce2", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_tds", "net_mssql_tds", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:40 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) root Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 13, "payload_entropy": 2.7773627950641693, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 22, "tag_count": 5, "anomaly_count": 0, "campaign_key": "5eef8ca42df2a176510357ae5a63e8ba2a3562f9", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2167ce4c1a0201b2283cc57c40a74bac", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "request_sample": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "payload_snippet": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "evidence": { "request_sample": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "payload_snippet": "\u0004\u0001\u0000\u0016\u0000\u0000\u0001root\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "42b0d5e61d26223340f752c399924eca2fe127c1", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe", "socks4_greeting" ] }
06/06/2026 02:37:37 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) � google.comPGET / HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 41, "payload_entropy": 4.503416638553355, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0567" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d345b721f5d98a2b04db9dadef49f152", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0\r\n\r\n", "request_sample": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "evidence": { "request_sample": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0\r\n\r\n", "payload_snippet": "\u0005\u0004\u0000\u0001\u0002\ufffd\u0005\u0001\u0000\u0003\ngoogle.com\u0000PGET \/ HTTP\/1.0", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "af394d0dc9161b3d87187025eb957ca6e7e15b70", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:35 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Z6,� :4�(CONNECT_DATA=(COMMAND=version)) Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 90, "payload_entropy": 3.5636982611044665, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ee3f9a4a2b04c32e4d515a179936da49", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "request_sample": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "payload_snippet": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "evidence": { "request_sample": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "payload_snippet": "\u0000Z\u0000\u0000\u0001\u0000\u0000\u0000\u00016\u0001,\u0000\u0000\b\u0000\ufffd\b\u0000\u0000\u0000\u0001\u0000 \u0000:\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00004\ufffd\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000(CONNECT_DATA=(COMMAND=version))", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "788182b5415ddc1b6fac78a811780354be63fde1", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:32 UTC	TCP	3203	sap-diag	Sonde Kafka	Élevée	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « kafka_probe » (signaux protocolaires) · confiance 47% Confiance classification 47% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Kafka ApiVersions key RADIUS Access-Request Minecraft varint handshake TFTP RRQ WireGuard handshake User-Agent — Règles WAF — Payload (extrait) ��MMS��NSPlayer/9.0.0.2980; {0000AA00-0A00-00a Requête brute (extrait) �� MMS�� NSPlayer/9.0.0.2980; {0000AA00-0A00-00a0-AA0A-0000A0AA0AA0}�m�_ Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 175, "payload_entropy": 3.1019691748828695, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 20, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0556" ], "kb_rule_ids": [ "pat-0556" ], "matched_patterns": [ "pat-0556", "pat-0577", "pat-0554", "pat-0536", "pat-0623" ], "matched_pattern_names": [ "Kafka ApiVersions key", "RADIUS Access-Request", "Minecraft varint handshake", "TFTP RRQ", "WireGuard handshake" ], "pattern_ids": [ "pat-0556", "pat-0577", "pat-0554", "pat-0536", "pat-0623" ], "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f884620dcffbd325c528857bf10be8ac", "path_pattern_hash": "369bfdf011acc5969bcb68a7ffd2ca13" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a", "request_sample": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a\u00000\u0000-\u0000A\u0000A\u00000\u0000A\u0000-\u00000\u00000\u00000\u00000\u0000A\u00000\u0000A\u0000A\u00000\u0000A\u0000A\u00000\u0000}\u0000\u0000\u0000\ufffdm\ufffd_", "payload_snippet": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a", "evidence": { "request_sample": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a\u00000\u0000-\u0000A\u0000A\u00000\u0000A\u0000-\u00000\u00000\u00000\u00000\u0000A\u00000\u0000A\u0000A\u00000\u0000A\u0000A\u00000\u0000}\u0000\u0000\u0000\ufffdm\ufffd_", "payload_snippet": "\u0001\u0000\u0000\ufffd\ufffd\ufffd\u000b\ufffd\ufffd\u0000\u0000\u0000MMS\u0014\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0001\u0000\u0003\u0000\ufffd\ufffd\ufffd\ufffd\u000b\u0000\u0004\u0000\u001c\u0000\u0003\u0000N\u0000S\u0000P\u0000l\u0000a\u0000y\u0000e\u0000r\u0000\/\u00009\u0000.\u00000\u0000.\u00000\u0000.\u00002\u00009\u00008\u00000\u0000;\u0000 \u0000{\u00000\u00000\u00000\u00000\u0000A\u0000A\u00000\u00000\u0000-\u00000\u0000A\u00000\u00000\u0000-\u00000\u00000\u0000a", "classification_reason": "Type \u00ab kafka_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9d719cefffc325f6df5ebd797dba1a93c07a4a1a", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
06/06/2026 02:37:29 UTC	TCP	3203	sap-diag	Sonde Java RMI	Élevée	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « java_rmi_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Java RMI JRMI User-Agent — Règles WAF — Payload (extrait) JRMIK Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 7, "payload_entropy": 2.807354922057604, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 20, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0604" ], "kb_rule_ids": [ "pat-0604" ], "matched_patterns": [ "pat-0604" ], "matched_pattern_names": [ "Java RMI JRMI" ], "pattern_ids": [ "pat-0604" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "d8c49a0f759e2102fb8fa8368049d06a", "path_pattern_hash": "7a566ca86213ccd15a91c0b5a885a24f" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "JRMI\u0000\u0002K", "request_sample": "JRMI\u0000\u0002K", "payload_snippet": "JRMI\u0000\u0002K", "evidence": { "request_sample": "JRMI\u0000\u0002K", "payload_snippet": "JRMI\u0000\u0002K", "classification_reason": "Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "enterprise_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "202b7d86e4402f43147c30aa8833ed89f6c94d44", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
06/06/2026 02:37:26 UTC	TCP	3203	sap-diag	Protocole wire MongoDB	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags mongodb_wire_protocol net_mongodb_wire_protocol rdp_cookie_alt sap_diag_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « mongodb_wire_protocol » (signaux protocolaires) · confiance 80% Confiance classification 80% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) NFS RPC mount Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) :/@=/@ Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 60, "payload_entropy": 1.3389205950315934, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 22, "tag_count": 6, "anomaly_count": 0, "campaign_key": "cbcdb3cd70bd57ed729dfb0a84fe1b4ea07e5778", "event_fingerprint": "1479913c72585ed16c6a75b790a8367150cbf83b", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%", "confidence": 0.8, "classification_confidence": 0.8, "precision_score": 90, "precision_signals": [ "ET-PROTO-MongoDB-Wire", "INT-upstream" ], "kb_rule_ids": [ "ET-PROTO-MongoDB-Wire", "INT-upstream" ], "matched_patterns": [ "pat-0532", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "NFS RPC mount", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0532", "pat-0554", "pat-0536" ], "classification_parent": "mongodb_probe", "risk_confidence_factor": 80, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f60433e5ca098d6d06ab4b829e9f35c4", "path_pattern_hash": "9060bd55aeb34075959b54fecab264ea" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": ":\u0000\u0000\u0000\/\u0000\u0000\u0000\u0002\u0000\u0000@\u0002\u000f\u0000\u0001\u0000=\u0005\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\/\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000@\u001f\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 80%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "4108cde4357b79f8bef7f8c2a8a7c70dc7923bda", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_wire_protocol", "net_mongodb_wire_protocol", "rdp_cookie_alt", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:23 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) DmdT�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 23, "payload_entropy": 2.6081816167087406, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "947f08e762562490af13d3254ff011a6", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "request_sample": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "payload_snippet": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "evidence": { "request_sample": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "payload_snippet": "DmdT\u0000\u0000\u0000\u0017\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0011\u0011\u0000\ufffd\u0001\ufffd\u0013", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e15a00a0bcfe453b84682fe0f53d591e932cfac5", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:21 UTC	TCP	3203	sap-diag	Sonde RDP	Élevée	Faible · 19
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « rdp_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header S7 TPKT packet Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 22, "payload_entropy": 3.133919825058653, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 19, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0348" ], "kb_rule_ids": [ "pat-0348" ], "matched_patterns": [ "pat-0348", "pat-0376", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "S7 TPKT packet", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0376", "pat-0554" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "097791b86f9950e021480f7ef5b4d939", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n", "request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n", "payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "evidence": { "request_sample": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001\n", "payload_snippet": "\u0003\u0000\u0000\u0016\u0011\ufffd\u0000\u0000\u0000\u0014\u0000\ufffd\u0002\u0001\u0000\ufffd\u0002\u0001\u0002\ufffd\u0001", "classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "260954850443792fcc02b546d95a48e52f16a68f", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:18 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �t+ Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 11, "payload_entropy": 2.4040097573248604, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "95bb1798cbe14e09d8a7b5feb33c741f", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "request_sample": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "payload_snippet": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "evidence": { "request_sample": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "payload_snippet": "\ufffdt\u0000\u0000\u0000\u0005\u0000+\u000e\u0001\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "254ed956ef80c51577767ecf5234ff77671b84fe", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:15 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 0.26.00.26.10202cb962ac59075b964b07152d234b70 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 56, "payload_entropy": 3.7279714939527033, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "fca620885715d4e346da0f82d84da595", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "request_sample": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "payload_snippet": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "evidence": { "request_sample": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "payload_snippet": "\u0000\u0000\u0000\u0006\u0000\u0000\u00000.26.0\u0007\u0000\u0000\u00000.26.10202cb962ac59075b964b07152d234b70", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "9bbb5734819c8d6ca0b6d880a335330caacb0026", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:12 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 23
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags mongodb_version mongodb_version_2 net_sap_diag_probe sap_diag_emulated Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ){"Type":"Auth","Payload":{"Version":"2"}} Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 49, "payload_entropy": 4.193778152167447, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 23, "tag_count": 6, "anomaly_count": 0, "campaign_key": "8612be970b5543162f24db1b7a9e4c4a3d3e6235", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "493a3d213b080175a70a3be3bdf3d870", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "request_sample": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "payload_snippet": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "evidence": { "request_sample": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "payload_snippet": ")\u0000\u0000\u0000\u0000\u0000\u0000\u0000{\"Type\":\"Auth\",\"Payload\":{\"Version\":\"2\"}}", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "efe9181693c9200ec0b7a2e5578e691a4b7a886d", "ban_policy": "advisory_monitor", "tags_list": [ "mongodb_version", "mongodb_version_2", "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:09 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 12, "payload_entropy": 0.8112781244591328, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "89fcddd8e965f8ff958358b927013df6", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "request_sample": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\u0001\u0000\u0001\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f647a837f03d72975bc16bf460d18b5af60a9610", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:07 UTC	TCP	3203	sap-diag	Sonde OPC-UA	Élevée	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « opcua_probe » (signaux protocolaires) · confiance 47% Confiance classification 47% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) LFI Double-dot bypass OPC UA HEL Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) HELF;��opc.tcp://85.214.126.3:4840 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 59, "payload_entropy": 3.860214023388077, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 16, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%", "confidence": 0.47, "classification_confidence": 0.47, "precision_score": 56, "precision_signals": [ "pat-0626" ], "kb_rule_ids": [ "pat-0626" ], "matched_patterns": [ "pat-0103", "pat-0626", "pat-0554" ], "matched_pattern_names": [ "LFI Double-dot bypass", "OPC UA HEL", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0103", "pat-0626", "pat-0554" ], "risk_confidence_factor": 47, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "405e43878bd2caed9a786695e348bf9d", "path_pattern_hash": "9665a326f7d8f70f1661dab78807b951" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "request_sample": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "payload_snippet": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "evidence": { "request_sample": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "payload_snippet": "HELF;\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u001b\u0000\u0000\u0000opc.tcp:\/\/85.214.126.3:4840", "classification_reason": "Type \u00ab opcua_probe \u00bb (signaux protocolaires) \u00b7 confiance 47%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "a97e53ea8787b0933e3f650f089af7254c321f92", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:04 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) G�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 16, "payload_entropy": 1.6216407621868583, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f49be22988ace8a28a7eea705f9e0c37", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "request_sample": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "payload_snippet": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "evidence": { "request_sample": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "payload_snippet": "\u0010\u0000\u0000\u0000G\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\ufffd\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7256510b605063b2bd3bd9e173e8ef2a15392282", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:37:01 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) mi{"code":105,"language":"GO","version":317,"opaque":2,"flag":0,"remark":"","extFields":{"topic":"TBW102"}} Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 113, "payload_entropy": 4.641748802606944, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "94179f64d7c7524a23b3cbf2af232c73", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "request_sample": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "payload_snippet": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "evidence": { "request_sample": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "payload_snippet": "\u0000\u0000\u0000m\u0000\u0000\u0000i{\"code\":105,\"language\":\"GO\",\"version\":317,\"opaque\":2,\"flag\":0,\"remark\":\"\",\"extFields\":{\"topic\":\"TBW102\"}}", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "662b9acea78e75d53848bc915f2966175955fd78", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:58 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 2W2Cwx^j��2J`{"@timestamp":"2023-11-10T16:31:19.3549634+08:00","message":"t","offset":1000,"type":"filebeat"}6 Requête brute (extrait) 2W2Cwx^j��2J`{"@timestamp":"2023-11-10T16:31:19.3549634+08:00","message":"t","offset":1000,"type":"filebeat"}6� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 131, "payload_entropy": 4.943692969509017, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "7ac31581d9769a3294f2b8ec05c3e9e6", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006", "request_sample": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006\ufffd\u001b", "payload_snippet": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006", "evidence": { "request_sample": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006\ufffd\u001b", "payload_snippet": "2W\u0000\u0000\u0000\u00012C\u0000\u0000\u0000wx^\u0000j\u0000\ufffd\ufffd2J\u0000\u0000\u0000\u0001\u0000\u0000\u0000`{\"@timestamp\":\"2023-11-10T16:31:19.3549634+08:00\",\"message\":\"t\",\"offset\":1000,\"type\":\"filebeat\"}\u0003\u00006", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e762c6e2f31e0243a262bd0d3bc5f19ad894f173", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
06/06/2026 02:36:55 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) a 4.6.2.3" 8798306680 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 29, "payload_entropy": 4.064203408622266, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a28a90b32f6006a6cfa98505ba373419", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "request_sample": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "payload_snippet": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "evidence": { "request_sample": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "payload_snippet": "\u0000\u0000\u0000\u0019a\n\u00074.6.2.3\u0010\u0006\"\t8798306680\u0001", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "72beec53d74f59e81f2302c83dd873c06fe99922", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "behavior_alert_count": 1, "behavior_priority": 72 }
06/06/2026 02:36:53 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��]I223.75.123.71 IP USER LOGON QWRtaW4= QWRtaW4= 65536 UTF-8 805306367 1 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 93, "payload_entropy": 4.682586603096229, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4d682adf59b1d9e41be709f5ccbc8084", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1\n\n\n", "request_sample": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1\n\n\n", "payload_snippet": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1", "evidence": { "request_sample": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1\n\n\n", "payload_snippet": "\ufffd\ufffd\ufffd\ufffd\u0000\u0000]\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000I\u0000\u0000\u0000223.75.123.71\tIP\tUSER\tLOGON\tQWRtaW4=\tQWRtaW4=\t\t65536\tUTF-8\t805306367\t1", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1760eb8c50bb265211a7b17cdc37e313a620c191", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:50 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �`�� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 32, "payload_entropy": 1.498778124459133, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "48d1c4bf25ef5b6ad32d76fb795398b9", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "request_sample": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "payload_snippet": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "evidence": { "request_sample": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "payload_snippet": "\ufffd\u0005\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0005\u0002\u0000\u0001\u0000\u0000\ufffd\ufffd", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "0e66250ed8c56aeeed084f6ddf741733c97b116e", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:47 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 11
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) EXAMPLE.COM Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 13, "payload_entropy": 3.3927474104487847, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 11, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "b95100bea23f1bbc831cc0175ad22cfe", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "EXAMPLE.COM\r\n", "request_sample": "EXAMPLE.COM\r\n", "payload_snippet": "EXAMPLE.COM", "evidence": { "request_sample": "EXAMPLE.COM\r\n", "payload_snippet": "EXAMPLE.COM", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "36f865ae975a7d263f85b3a9a792184e5d4d864c", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:44 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 12
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags cryptominer_probe net_sap_diag_probe sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"YOUR_WALLET_ADDRESS","pass":"x","agent":"XMRig/6.20.0-C3Pool","algo" Requête brute (extrait) {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"YOUR_WALLET_ADDRESS","pass":"x","agent":"XMRig/6.20.0-C3Pool","algo":["cn/1"],"algo-perf":{"cn/1":63.32038223248976}}} Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 179, "payload_entropy": 5.098770336543975, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.7, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 25 }, "risk_score": 12, "tag_count": 6, "anomaly_count": 0, "campaign_key": "f82729adc359e9fee1a1072921fa921b5eaef326", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "c500383ebccf2fc673ea77e9e47d6daf", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "request_sample": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\":[\"cn\/1\"],\"algo-perf\":{\"cn\/1\":63.32038223248976}}}\n", "payload_snippet": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "evidence": { "request_sample": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\":[\"cn\/1\"],\"algo-perf\":{\"cn\/1\":63.32038223248976}}}\n", "payload_snippet": "{\"id\":1,\"jsonrpc\":\"2.0\",\"method\":\"login\",\"params\":{\"login\":\"YOUR_WALLET_ADDRESS\",\"pass\":\"x\",\"agent\":\"XMRig\/6.20.0-C3Pool\",\"algo\"", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d0d9121e98c29851ed79e2209c608d2c80f1f45c", "ban_policy": "advisory_monitor", "tags_list": [ "cryptominer_probe", "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe", "xmrig_pattern" ] }
06/06/2026 02:36:41 UTC	TCP	3203	sap-diag	Sonde PostgreSQL	Élevée	Faible · 21
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) PostgreSQL cancel request PostgreSQL startup Kafka ApiVersions key Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) �� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 14, "payload_entropy": 1.9502120649147467, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 21, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0368", "pat-0369" ], "kb_rule_ids": [ "pat-0368", "pat-0369" ], "matched_patterns": [ "pat-0368", "pat-0369", "pat-0556", "pat-0554" ], "matched_pattern_names": [ "PostgreSQL cancel request", "PostgreSQL startup", "Kafka ApiVersions key", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0368", "pat-0369", "pat-0556", "pat-0554" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "19214bd9a0c01f9428154f3b658852b6", "path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "request_sample": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "evidence": { "request_sample": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "payload_snippet": "\u0000\u0000\u0000\n\u0000\u0012\u0000\u0000\ufffd\ufffd\ufffd\u0000\u0000", "classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "176863165572d440b36138c57edaa99b85a148ec", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:38 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �anonymous_command_on Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 40, "payload_entropy": 3.2516094970590266, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ade4c3e7a4c503a0785a09ddcef1efb8", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "request_sample": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\ufffd\u0001\u0000\u0001\u0000\u0000\u0000\u0014anonymous_command_on\u0000\u0000\u0000\u0000\b\u0000\u0001\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "b002434df6c030b20e63919b80b707adc5e863a3", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:36 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) #!:62710* fd135ge@&yt_02123456 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 39, "payload_entropy": 4.6632313853624945, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "268e50c3963f0c6fe6ca87afd0ce66b8", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "request_sample": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "payload_snippet": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "evidence": { "request_sample": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710\rfd135ge@&yt_02\u0006123456", "payload_snippet": "#\u0000\u0000\u0000\u0012!\u0010\u0003\u001a\u0006:62710*\rfd135ge@&yt_02\u0006123456", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "1ea77364e2a1c0da47c61d65fbd103df87043782", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:33 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �x#.�=��$�'��WE$e�V�>\� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 43, "payload_entropy": 5.10068335935326, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "f4f17bcdc73af477913b79f96989f7d8", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "request_sample": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "payload_snippet": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "evidence": { "request_sample": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "payload_snippet": "\ufffdx\u0017\u0001#\u0000\u0000\u0000.\ufffd=\b\ufffd\ufffd\ufffd$\u0000\ufffd'\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0017\ufffd\ufffdW\u001dE\u0005$e\ufffdV\ufffd>\\\ufffd", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "db2ecadf063d31f0c818a3ae36cf763443cb5aa7", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:30 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) �+<M��noneppap Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 156, "payload_entropy": 1.0056921668856296, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "5ca0ed1490012fe941f931322c79c1f4", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0000\ufffd\u0000\u0001\u001a+<M\u0000\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0001\u0000\u0000\u0000\u0001\ufffd\ufffd\u0000\u0001none\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000ppap\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "854d4dd20682fedc51b2b8514d2056011a8b9a6f", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:27 UTC	TCP	3203	sap-diag	Cross-site scripting	Élevée	Faible · 23
Étape Tentative d'exploit MITRE TA0001 TA0002 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « xss_attack » (signaux protocolaires) · confiance 59% Confiance classification 59% Tactiques MITRE TA0001 TA0002 Motifs de détection (base) CRS 941130 LFI Double-dot bypass XMPP stream User-Agent — Règles WAF — Payload (extrait) <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='ru-RU' to='. Requête brute (extrait) <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.' version='1.0'> Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 144, "payload_entropy": 4.6684321087757565, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 68, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 68, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 23, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%", "confidence": 0.59, "classification_confidence": 0.59, "precision_score": 70, "precision_signals": [ "pat-0284" ], "kb_rule_ids": [ "pat-0284" ], "matched_patterns": [ "pat-0284", "pat-0103", "pat-0530" ], "matched_pattern_names": [ "CRS 941130", "LFI Double-dot bypass", "XMPP stream" ], "pattern_ids": [ "pat-0284", "pat-0103", "pat-0530" ], "risk_confidence_factor": 59, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "2c2f7964ac7971e254cec36837483540", "path_pattern_hash": "e84c630ed8a3a6084c1b662f626e7300" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "request_sample": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.' version='1.0'>", "payload_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "evidence": { "request_sample": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.' version='1.0'>", "payload_snippet": "<?xml version='1.0'?><stream:stream xmlns:stream='http:\/\/etherx.jabber.org\/streams' xmlns='jabber:client' xml:lang='ru-RU' to='.", "classification_reason": "Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%" }, "attack_stage": "exploit_attempt", "mitre_tactics": [ "TA0001", "TA0002" ], "threat_family": [ "unknown" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "572faa133ed4d0d2b4378bda9ace84baad3a3bc8", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ], "behavior_alert_count": 1, "behavior_priority": 96 }
06/06/2026 02:36:24 UTC	TCP	3203	sap-diag	Protocole TDS MSSQL	Élevée	Faible · 21
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags mssql_tds net_mssql_tds sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) index� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 20, "payload_entropy": 2.1709505944546685, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 10, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 10 }, "risk_score": 21, "tag_count": 5, "anomaly_count": 0, "campaign_key": "1e6c58d2799a129782ed46d0eb8328c494cb6760", "event_fingerprint": "efadfe041a03601f892f04054fbd6c49c0ef73f4", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "78303524a43907117dd5e6de4f427da3", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "request_sample": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "\u0012\u0002index\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "67b63570dd9e9aac2e3269a55eade30e70491be3", "ban_policy": "advisory_monitor", "tags_list": [ "mssql_tds", "net_mssql_tds", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:21 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) ��JoinåNodes�UserStateLen��Addr��8�Incarnation�Meta��Name�DESKTOP-NR8TTVR�Port� �State�Vsn� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 118, "payload_entropy": 5.151202745659785, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "e4c389aa171b6c4fc8c08b745ec87f45", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "request_sample": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "payload_snippet": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "evidence": { "request_sample": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "payload_snippet": "\u0006\ufffd\ufffdJoin\u00e5Nodes\u0001\ufffdUserStateLen\u0000\ufffd\ufffdAddr\ufffd\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd8\u0001\ufffdIncarnation\u0001\ufffdMeta\ufffd\ufffdName\ufffdDESKTOP-NR8TTVR\ufffdPort\ufffd\u001f\n\ufffdState\u0000\ufffdVsn\ufffd\u0001\u0005\u0002\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "6f57bf188897983139dbec7debbad94fb8dd932c", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:19 UTC	TCP	3203	sap-diag	Sonde RDP	Élevée	Faible · 24
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « rdp_probe » (signaux protocolaires) · confiance 100% Confiance classification 100% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) RDP TPKT header RDP negotiation Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) � Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 11, "payload_entropy": 1.6729330318733675, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 52, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 52, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 24, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%", "confidence": 1, "classification_confidence": 1, "precision_score": 116, "precision_signals": [ "pat-0348", "pat-0352" ], "kb_rule_ids": [ "pat-0348", "pat-0352" ], "matched_patterns": [ "pat-0348", "pat-0352", "pat-0554" ], "matched_pattern_names": [ "RDP TPKT header", "RDP negotiation", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0348", "pat-0352", "pat-0554" ], "risk_confidence_factor": 100, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "6771a78868614c6768349c36da4591da", "path_pattern_hash": "5dd788b551ee7afb63321e74cfc538f6" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "request_sample": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "\u0003\u0000\u0000\u000b\u0006\ufffd\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab rdp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "917ee8c8b868f0a53144d106ecbd716f5be5138a", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:16 UTC	TCP	3203	sap-diag	Protocole TDS MSSQL	Élevée	Faible · 20
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « mssql_tds » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) MSSQL TDS prelogin Minecraft varint handshake User-Agent — Règles WAF — Payload (extrait) TNMPTNME Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 16, "payload_entropy": 2.5306390622295662, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 56, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 56, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 20, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0356" ], "kb_rule_ids": [ "pat-0356" ], "matched_patterns": [ "pat-0356", "pat-0554" ], "matched_pattern_names": [ "MSSQL TDS prelogin", "Minecraft varint handshake" ], "pattern_ids": [ "pat-0356", "pat-0554" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "4128f0bf8d86360e67d6f2d54987a8fb", "path_pattern_hash": "285321e27377a1f85e5a231ca6cbffb2" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "request_sample": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "payload_snippet": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "evidence": { "request_sample": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "payload_snippet": "TNMP\u0004\u0000\u0000\u0000TNME\u0000\u0000\u0004\u0000", "classification_reason": "Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "database_scan" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "7b65f6b3f1faa36dfb142f409606e5f8805be3a6", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:13 UTC	TCP	3203	sap-diag	sip probe	Élevée	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sip_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SIP protocol User-Agent — Règles WAF — Payload (extrait) INVITES sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 Requête brute (extrait) INVITES sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 OPTIONS Max-Forwards: 70 Content-Length: 0 Contact: <sip:nm@nm> Accept: application/sdp Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 223, "payload_entropy": 5.2138020186451035, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 16, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab sip_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0384" ], "kb_rule_ids": [ "pat-0384" ], "matched_patterns": [ "pat-0384" ], "matched_pattern_names": [ "SIP protocol" ], "pattern_ids": [ "pat-0384" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "a45f037b8553e06cc139b7e55155fc44", "path_pattern_hash": "850113ca2503ddab2e70a7e8c1732065" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 ", "request_sample": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "evidence": { "request_sample": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "INVITES sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "classification_reason": "Type \u00ab sip_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "ba561397bb3978bf853230d77182b727fa73c7c8", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:10 UTC	TCP	3203	sap-diag	sip probe	Élevée	Faible · 16
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sip_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) SIP protocol HTTP OPTIONS method SIP OPTIONS User-Agent — Règles WAF — Payload (extrait) OPTIONS sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 Requête brute (extrait) OPTIONS sip:nm SIP/2.0 Via: SIP/2.0/TCP nm;branch=foo From: <sip:nm@nm>;tag=root To: <sip:nm2@nm2> Call-ID: 50000 CSeq: 42 OPTIONS Max-Forwards: 70 Content-Length: 0 Contact: <sip:nm@nm> Accept: application/sdp Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 223, "payload_entropy": 5.197167462839961, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 36, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 15, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 36, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 15 }, "risk_score": 16, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab sip_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0384" ], "kb_rule_ids": [ "pat-0384" ], "matched_patterns": [ "pat-0384", "pat-0420", "pat-0535" ], "matched_pattern_names": [ "SIP protocol", "HTTP OPTIONS method", "SIP OPTIONS" ], "pattern_ids": [ "pat-0384", "pat-0420", "pat-0535" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "0712a7f81d9d033f2caa8a8a90bbc4a8", "path_pattern_hash": "850113ca2503ddab2e70a7e8c1732065" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 ", "request_sample": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "evidence": { "request_sample": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\nContact: <sip:nm@nm>\r\nAccept: application\/sdp\r\n\r\n", "payload_snippet": "OPTIONS sip:nm SIP\/2.0\r\nVia: SIP\/2.0\/TCP nm;branch=foo\r\nFrom: <sip:nm@nm>;tag=root\r\nTo: <sip:nm2@nm2>\r\nCall-ID: 50000\r\nCSeq: 42", "classification_reason": "Type \u00ab sip_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "scanner" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "d8aedf94198219cf2f87d5121438b73f1d90a5d9", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:07 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 0`� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 14, "payload_entropy": 2.9852281360342516, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "548b3df94bdc85e8b94b0de75b5e0379", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "request_sample": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "payload_snippet": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "evidence": { "request_sample": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "payload_snippet": "0\f\u0002\u0001\u0001`\u0007\u0002\u0001\u0002\u0004\u0000\ufffd\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "2240fcac0af3e4cc0260f931ccf4e539c5e7c355", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:05 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) 0�-c�$ d�objectClass0� Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 51, "payload_entropy": 3.7946877264252636, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "edc124f1d34ba290330abcac2736b204", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "request_sample": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "payload_snippet": "0\ufffd\u0000\u0000\u0000-\u0002\u0001\u0007c\ufffd\u0000\u0000\u0000$\u0004\u0000\n\u0001\u0000\n\u0001\u0000\u0002\u0001\u0000\u0002\u0001d\u0001\u0001\u0000\ufffd\u000bobjectClass0\ufffd\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e0d60c4dc792d63da5c8ce56fd03dadc566d4a57", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:36:02 UTC	TCP	3203	sap-diag	modbus probe	Élevée	Faible · 21
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « modbus_probe » (signaux protocolaires) · confiance 49% Confiance classification 49% Tactiques MITRE TA0007 TA0001 Motifs de détection (base) Modbus TCP header Minecraft varint handshake TFTP RRQ User-Agent — Règles WAF — Payload (extrait) ��versionfGH� =Z ��YKI � ģA��/Satoshi:0.15.1/ Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 126, "payload_entropy": 3.6365655435185062, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 58, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 58, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 21, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%", "confidence": 0.49, "classification_confidence": 0.49, "precision_score": 58, "precision_signals": [ "pat-0357" ], "kb_rule_ids": [ "pat-0357" ], "matched_patterns": [ "pat-0357", "pat-0554", "pat-0536" ], "matched_pattern_names": [ "Modbus TCP header", "Minecraft varint handshake", "TFTP RRQ" ], "pattern_ids": [ "pat-0357", "pat-0554", "pat-0536" ], "risk_confidence_factor": 49, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "98cb3978bd8d0583d0e6d69919db9eca", "path_pattern_hash": "8ae4962b81dca47862d9dd3befc69030" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "request_sample": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "payload_snippet": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "evidence": { "request_sample": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "payload_snippet": "\ufffd\ufffd\ufffd\ufffdversion\u0000\u0000\u0000\u0000\u0000f\u0000\u0000\u0000GH\ufffd\u0013\u0011\u0001\u0000\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0006\t=Z\u0000\u0000\u0000\u0000\t\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\ufffdYKI\u000b \ufffd\r\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0123A\ufffd\u0004\ufffd\ufffd\u0010\/Satoshi:0.15.1\/\u0000\u0000\u0000\u0000\u0001", "classification_reason": "Type \u00ab modbus_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "ics_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "cb991803b5093001594a43df6ebdad3419e883e4", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:35:59 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) default Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 9, "payload_entropy": 3.169925001442312, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0577" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "39b37e76df338b7381ea8bb116701c98", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "\u0001default\n", "request_sample": "\u0001default\n", "payload_snippet": "\u0001default", "evidence": { "request_sample": "\u0001default\n", "payload_snippet": "\u0001default", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "e364f0bc6438d420c04a27677354f0ef64721baf", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:35:56 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 12
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags http_get_probe net_sap_diag_probe sap_diag_emulated sap_diag_payload Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 0% Confiance classification 0% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0 Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 53, "payload_entropy": 4.704058897836964, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 48, "risk_novelty": 25, "risk_boost": 0, "risk_granularity": 3.4, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 48, "novelty": 25 }, "risk_score": 12, "tag_count": 5, "anomaly_count": 0, "campaign_key": "a973e824fa9df4603990ea7dac77c741bc666bfc", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%", "confidence": 0, "classification_confidence": 0, "precision_score": 0, "precision_signals": [], "kb_rule_ids": [], "risk_confidence_factor": 0, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "08bd34a37b11f5c307f84418e0c2a579", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\r\n\r\n", "request_sample": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "evidence": { "request_sample": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0\r\n\r\n", "payload_snippet": "GET \/nice%20ports%2C\/Tri%6Eity.txt%2ebak HTTP\/1.0", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 0%" }, "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "94de4132fa15cf8eb4d6452494886105593fee8a", "ban_policy": "advisory_monitor", "tags_list": [ "http_get_probe", "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }
06/06/2026 02:35:53 UTC	TCP	3203	sap-diag	Sonde SAP Diag/GUI	Élevée	Faible · 22
Étape Sonde / probe MITRE TA0007 TA0001 WAF — Recommandation Surveiller Tags net_sap_diag_probe sap_diag_emulated sap_diag_payload sap_diag_probe Cible HTTP — TLS SNI — Capteur paris-1
Preuve / Evidence Méthode — Port 3203 Chemin / cible — Pourquoi cette classification : Type « sap_diag_probe » (signaux protocolaires) · confiance 50% Confiance classification 50% Tactiques MITRE TA0007 TA0001 User-Agent — Règles WAF — Payload (extrait) l Meta JSON brut { "protocol_emulated": true, "emulator_response": "00000000534150000000000000000000000000", "emulator_response_len": 19, "bytes_in": 12, "payload_entropy": 0.8166890883150209, "port_category": "registered", "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "service": "sap-diag", "app_proto": "sap-diag", "asn": 135377, "country": "US", "dst_port": 3203, "risk_waf": 8, "risk_classification": 62, "risk_behavior": 0, "risk_geo": 0, "risk_protocol": 38, "risk_novelty": 0, "risk_boost": 0, "risk_granularity": 3, "risk_breakdown": { "waf": 8, "classification": 62, "behavior": 0, "geo": 0, "protocol": 38, "novelty": 0 }, "risk_score": 22, "tag_count": 4, "anomaly_count": 0, "campaign_key": "629b88582a31d3e4ee1a55a3d274cfff4475e9b2", "event_fingerprint": "ebddcb1b301f5b1284784578a64684f24c533b49", "classification_confidence": 0.5, "confidence": 0.5, "precision_signals": [ "pat-0554" ], "risk_confidence_factor": 50, "city": null, "is_datacenter": false, "is_tor_hint": false, "geo": { "country": "US", "asn": 135377, "org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED", "is_datacenter": false, "is_tor_hint": false }, "fingerprint": { "payload_hash": "ad33d13d6bc3bd05c9957f130811a989", "path_pattern_hash": "b1c7373ffa4daadb6ab138f759082d87" }, "target_context": { "dst_port": 3203, "service": "sap-diag" }, "payload_preview": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "evidence": { "request_sample": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "payload_snippet": "l\u0000\u000b\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000", "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%" }, "classification_reason": "Type \u00ab sap_diag_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%", "attack_stage": "probe", "mitre_tactics": [ "TA0007", "TA0001" ], "threat_family": [ "sap_probe" ], "recommended_client_action": "monitor", "policy_mode": "intelligence", "sensor_role": "threat_intelligence", "event_signature": "f85b1e68eb34ec2d31707f6c5b1dd2c2d158f63b", "ban_policy": "advisory_monitor", "tags_list": [ "net_sap_diag_probe", "sap_diag_emulated", "sap_diag_payload", "sap_diag_probe" ] }

152.32.182.165

Pourquoi listée

Comparaison ASN / FAI

IPs apparentées

Activité multi-protocole

Géolocalisation

FAI / réseau

Renseignement menaces

Décomposition confiance

Filtres

Timeline

Ports 24 h

Top ports

Top classifications

Heatmap attaques 7j

Chronologie des événements

Comparaison côte à côte

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence

Preuve / Evidence