|
|
TCP |
5079
|
—
|
Sonde port
Sonde port · port 5079 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5079
Chemin / cible
—
Payload
t3 12.1.2 AS:2048 HL:19
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
t3 12.1.2
AS:2048
HL:19
Meta JSON brut
{
"bytes_in": 25,
"payload_entropy": 3.7834651896016456,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 5079,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4d394310f926f336b96b8ba6d8bfc9c1c5a19c5f",
"event_fingerprint": "979544bf933b35d9c03158485d2dc714b3751024",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 5079,
"risk_score": 44
},
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"evidence": {
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "0dbf73bb23dc786eb0597c89e9d8194eef7603fb",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 5079
},
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"attack_vector": "Sonde port \u00b7 port 5079 \u00b7 (sonde \/ probe)",
"target_port_label": "5079",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 5079,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 5079
},
"attack_vector": "Sonde port \u00b7 port 5079 \u00b7 (sonde \/ probe)",
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"target_port_label": "5079",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "5079"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:5079",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
5079 · HTTP
|
http
|
Sonde port 5079/TCP
port 5079 tcp · via HTTP:5079 · (sonde / probe)
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.29.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5079
Chemin / cible
/
Preuve honeypot — Sonde port 5079/TCP
Connexion détectée sur le port 5079 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_5079_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
63%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"dst_port": 5079,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "4e2f6bc215cc301311fecbe0952068db8246cbca",
"event_fingerprint": "7dbbefad1d3bcdd59cb076f04b00bcfb0227a802",
"classification_reason": "Type \u00ab port_5079_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.63,
"classification_confidence": 0.63,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5079,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"classification_reason": "Type \u00ab port_5079_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4685f9935bde90a22c639e8eb8f3d655dff7287d",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 5079,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"attack_vector": "port 5079 tcp \u00b7 via HTTP:5079 \u00b7 (sonde \/ probe)",
"target_port_label": "5079 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_5079_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_5079_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 63,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 5079,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 5079,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 5079 tcp \u00b7 via HTTP:5079 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"target_port_label": "5079 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "5079"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:5079"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
],
"behavior_alert_count": 2,
"behavior_priority": 84
}
|
|
|
TCP |
5079 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:5079 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 9460af62ae0af667
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5079
Chemin / cible
—
Service
TLS
Payload
������������-�����fM��]1��c�����/E2g� y.�d� ɑk�/8 ��)�H��&��;g���%w��$'����&�+�/�,�0̨̩� ��� �������/�5��� ���������� ������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
������������-�����fM��]1��c�����/E2g�
y.�d� ɑk�/8
��)�H��&��;g���%w��$'����&�+�/�,�0̨̩� ���
�������/�5���
�����������������
Requête brute (extrait)
������������-�����fM��]1��c�����/E2g� y.�d� ɑk�/8 ��)�H��&��;g���%w��$'����&�+�/�,�0̨̩� ��� �������/�5��� ���������� ��������������������������� � ����������� �����������������������������+� ����������3�&�$��� �Z��n6��x�����积G!�1��J7I����U
Meta JSON brut
{
"tls_ja3_hash": "9460af62ae0af667130bf0d36514f084",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 247,
"payload_entropy": 5.826926289071551,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"dst_port": 5079,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "70fff03a982b6b0ab21c126f6f658096431c674c",
"event_fingerprint": "4e9ad55f152ca7acc1529cd3fab2f1be8f32a071",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "9460af62ae0af667130bf0d36514f084",
"payload_hash": "26c64334e619329bf63a33f2cd15e29b",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0",
"tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 5079,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-\ufffd\u001f\ufffd\ufffd\ufffdfM\ufffd\ufffd]1\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\/E2g\ufffd\ny.\ufffdd\ufffd \u0251k\ufffd\/8\r\u0014\ufffd)\ufffdH\ufffd\ufffd&\ufffd\ufffd;g\ufffd\ufffd\ufffd%w\ufffd\ufffd$'\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-\ufffd\u001f\ufffd\ufffd\ufffdfM\ufffd\ufffd]1\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\/E2g\ufffd\ny.\ufffdd\ufffd \u0251k\ufffd\/8\r\u0014\ufffd)\ufffdH\ufffd\ufffd&\ufffd\ufffd;g\ufffd\ufffd\ufffd%w\ufffd\ufffd$'\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdZ\ufffd\ufffdn6\ufffd\ufffdx\u001b\b\ufffd\ufffd\u0001\u79efG!\ufffd1\ufffd\ufffdJ7I\ufffd\ufffd\ufffd\u0002U",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-\ufffd\u001f\ufffd\ufffd\ufffdfM\ufffd\ufffd]1\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\/E2g\ufffd\ny.\ufffdd\ufffd \u0251k\ufffd\/8\r\u0014\ufffd)\ufffdH\ufffd\ufffd&\ufffd\ufffd;g\ufffd\ufffd\ufffd%w\ufffd\ufffd$'\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "4569dd7796574eeeb508808e19cd2759da17e884",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-\ufffd\u001f\ufffd\ufffd\ufffdfM\ufffd\ufffd]1\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\/E2g\ufffd\ny.\ufffdd\ufffd \u0251k\ufffd\/8\r\u0014\ufffd)\ufffdH\ufffd\ufffd&\ufffd\ufffd;g\ufffd\ufffd\ufffd%w\ufffd\ufffd$'\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 5079,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd-\ufffd\ufffd\ufffd\ufffdfM\ufffd\ufffd]1\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\/E2g\ufffd\ny.\ufffdd\ufffd \u0251k\ufffd\/8\r\ufffd)\ufffdH\ufffd\ufffd&\ufffd\ufffd;g\ufffd\ufffd\ufffd%w\ufffd\ufffd$'\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:5079 \u00b7 (sonde \/ probe)",
"target_port_label": "5079 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 5079,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd-\ufffd\u001f\ufffd\ufffd\ufffdfM\ufffd\ufffd]1\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\/E2g\ufffd\ny.\ufffdd\ufffd \u0251k\ufffd\/8\r\u0014\ufffd)\ufffdH\ufffd\ufffd&\ufffd\ufffd;g\ufffd\ufffd\ufffd%w\ufffd\ufffd$'\ufffd\ufffd\u0019\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 5079,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:5079 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd-\ufffd\ufffd\ufffd\ufffdfM\ufffd\ufffd]1\ufffd\ufffdc\ufffd\ufffd\ufffd\ufffd\ufffd\/E2g\ufffd\ny.\ufffdd\ufffd \u0251k\ufffd\/8\r\ufffd)\ufffdH\ufffd\ufffd&\ufffd\ufffd;g\ufffd\ufffd\ufffd%w\ufffd\ufffd$'\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "5079 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "5079"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:5079",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
5079
|
—
|
Sonde port
Sonde port · port 5079 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5079
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 5079,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "4d394310f926f336b96b8ba6d8bfc9c1c5a19c5f",
"event_fingerprint": "979544bf933b35d9c03158485d2dc714b3751024",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 5079,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "043d0fd116cc27ae165b9ad7f8a8b2b2d60e8f6c",
"protocol_details": {
"port": 5079
},
"attack_vector": "Sonde port \u00b7 port 5079 \u00b7 (sonde \/ probe)",
"target_port_label": "5079",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 5079,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 5079
},
"attack_vector": "Sonde port \u00b7 port 5079 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "5079",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "5079"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
2940
|
—
|
Sonde port
Sonde port · port 2940 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2940
Chemin / cible
—
Payload
t3 12.1.2 AS:2048 HL:19
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
t3 12.1.2
AS:2048
HL:19
Meta JSON brut
{
"bytes_in": 25,
"payload_entropy": 3.7834651896016456,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 2940,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "e096e6747a0e6331a2cb2b2824d5bf0e705f085d",
"event_fingerprint": "1aa242334091699a7f656b09eab76616f7a36b63",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 2940,
"risk_score": 44
},
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"evidence": {
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ce484015023f3dda92562f89f08fe29c1a8f6d29",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 2940
},
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"attack_vector": "Sonde port \u00b7 port 2940 \u00b7 (sonde \/ probe)",
"target_port_label": "2940",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 2940,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 2940
},
"attack_vector": "Sonde port \u00b7 port 2940 \u00b7 (sonde \/ probe)",
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"target_port_label": "2940",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "2940"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:2940",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
2940 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:2940 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 9460af62ae0af667
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2940
Chemin / cible
—
Service
TLS
Payload
�������������vŨ�%˅�'\!���^b�����\g�r��ઈ �-RfD1׳/���U�s�I����*�dU�T������&�+�/�,�0̨̩� ��� �������/�5��� ���������� ������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������vŨ�%˅�'\!���^b�����\g�r��ઈ �-RfD1׳/���U�s�I����*�dU�T������&�+�/�,�0̨̩� ���
�������/�5���
�����������������
Requête brute (extrait)
�������������vŨ�%˅�'\!���^b�����\g�r��ઈ �-RfD1׳/���U�s�I����*�dU�T������&�+�/�,�0̨̩� ��� �������/�5��� ���������� ��������������������������� � ����������� �����������������������������+� ����������3�&�$��� ���z�q[5IQ^������ �0����M�)���_
Meta JSON brut
{
"tls_ja3_hash": "9460af62ae0af667130bf0d36514f084",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 247,
"payload_entropy": 5.798126582194556,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"dst_port": 2940,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.2,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "9342acd9701d6c1318054feef9549ceacbb9ddbb",
"event_fingerprint": "529a6a8fc9a9ebd4f931a129375b0f9b1604279c",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "9460af62ae0af667130bf0d36514f084",
"payload_hash": "ac259da36ae3410577482136133ac3f6",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0",
"tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 2940,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\u0168\u0002%\u02c5\ufffd'\\!\ufffd\ufffd\ufffd^b\ufffd\ufffd\ufffd\ufffd\ufffd\\g\u000er\ufffd\ufffd\u0a88 \ufffd-RfD1\u05f3\/\ufffd\u0007\ufffdU\ufffds\ufffdI\ufffd\ufffd\ufffd\ufffd*\ufffddU\ufffdT\u0007\ufffd\ufffd\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\u0168\u0002%\u02c5\ufffd'\\!\ufffd\ufffd\ufffd^b\ufffd\ufffd\ufffd\ufffd\ufffd\\g\u000er\ufffd\ufffd\u0a88 \ufffd-RfD1\u05f3\/\ufffd\u0007\ufffdU\ufffds\ufffdI\ufffd\ufffd\ufffd\ufffd*\ufffddU\ufffdT\u0007\ufffd\ufffd\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\ufffd\ufffdz\ufffdq[5IQ^\u0007\ufffd\ufffd\ufffd\u0014\ufffd\t\r\ufffd0\ufffd\ufffd\ufffd\ufffdM\ufffd)\ufffd\ufffd\ufffd_",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\u0168\u0002%\u02c5\ufffd'\\!\ufffd\ufffd\ufffd^b\ufffd\ufffd\ufffd\ufffd\ufffd\\g\u000er\ufffd\ufffd\u0a88 \ufffd-RfD1\u05f3\/\ufffd\u0007\ufffdU\ufffds\ufffdI\ufffd\ufffd\ufffd\ufffd*\ufffddU\ufffdT\u0007\ufffd\ufffd\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ffe5b5a9ae15fb06b2d4bdef190fc83444b68dac",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\u0168\u0002%\u02c5\ufffd'\\!\ufffd\ufffd\ufffd^b\ufffd\ufffd\ufffd\ufffd\ufffd\\g\u000er\ufffd\ufffd\u0a88 \ufffd-RfD1\u05f3\/\ufffd\u0007\ufffdU\ufffds\ufffdI\ufffd\ufffd\ufffd\ufffd*\ufffddU\ufffdT\u0007\ufffd\ufffd\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 2940,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdv\u0168%\u02c5\ufffd'\\!\ufffd\ufffd\ufffd^b\ufffd\ufffd\ufffd\ufffd\ufffd\\gr\ufffd\ufffd\u0a88 \ufffd-RfD1\u05f3\/\ufffd\ufffdU\ufffds\ufffdI\ufffd\ufffd\ufffd\ufffd*\ufffddU\ufffdT\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:2940 \u00b7 (sonde \/ probe)",
"target_port_label": "2940 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 2940,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffdv\u0168\u0002%\u02c5\ufffd'\\!\ufffd\ufffd\ufffd^b\ufffd\ufffd\ufffd\ufffd\ufffd\\g\u000er\ufffd\ufffd\u0a88 \ufffd-RfD1\u05f3\/\ufffd\u0007\ufffdU\ufffds\ufffdI\ufffd\ufffd\ufffd\ufffd*\ufffddU\ufffdT\u0007\ufffd\ufffd\b\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 2940,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:2940 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd\ufffd\ufffdv\u0168%\u02c5\ufffd'\\!\ufffd\ufffd\ufffd^b\ufffd\ufffd\ufffd\ufffd\ufffd\\gr\ufffd\ufffd\u0a88 \ufffd-RfD1\u05f3\/\ufffd\ufffdU\ufffds\ufffdI\ufffd\ufffd\ufffd\ufffd*\ufffddU\ufffdT\ufffd\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "2940 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "2940"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:2940",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
2940 · HTTP
|
http
|
Sonde port 2940/TCP
port 2940 tcp · via HTTP:2940 · (sonde / probe)
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.29.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2940
Chemin / cible
/
Preuve honeypot — Sonde port 2940/TCP
Connexion détectée sur le port 2940 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_2940_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
63%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"dst_port": 2940,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 5.9,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "44fe3d5ec44fd0d941549f0c461c74144c4e962b",
"event_fingerprint": "0b98c897a71590044e19fe9a0f4b0ea2b116df4f",
"classification_reason": "Type \u00ab port_2940_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.63,
"classification_confidence": 0.63,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2940,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"classification_reason": "Type \u00ab port_2940_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "17960084ce5c414f72c57c278694917484c57bbf",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 2940,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"attack_vector": "port 2940 tcp \u00b7 via HTTP:2940 \u00b7 (sonde \/ probe)",
"target_port_label": "2940 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_2940_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_2940_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 63,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2940,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 2940,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 2940 tcp \u00b7 via HTTP:2940 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"target_port_label": "2940 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2940"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:2940"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
],
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
2940
|
—
|
Sonde port
Sonde port · port 2940 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2940
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 2940,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "e096e6747a0e6331a2cb2b2824d5bf0e705f085d",
"event_fingerprint": "1aa242334091699a7f656b09eab76616f7a36b63",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 2940,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "70732f65dfc9a19af27a14a4fa3f68400e076e3e",
"protocol_details": {
"port": 2940
},
"attack_vector": "Sonde port \u00b7 port 2940 \u00b7 (sonde \/ probe)",
"target_port_label": "2940",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 2940,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 2940
},
"attack_vector": "Sonde port \u00b7 port 2940 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "2940",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "2940"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
2339 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:2339 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 9460af62ae0af667
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2339
Chemin / cible
—
Service
TLS
Payload
�����������d ���<����2���m�9�<��!v9��a%�� �w�v����t�e"�~R���� -�D���C��w���&�+�/�,�0̨̩� ��� �������/�5��� ���������� ������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������d ���<����2���m�9�<��!v9��a%�� �w�v����t�e"�~R���� -�D���C��w���&�+�/�,�0̨̩� ���
�������/�5���
�����������������
Requête brute (extrait)
�����������d ���<����2���m�9�<��!v9��a%�� �w�v����t�e"�~R���� -�D���C��w���&�+�/�,�0̨̩� ��� �������/�5��� ���������� ��������������������������� � ����������� �����������������������������+� ����������3�&�$��� W�r�����t��B�z�#�)Þ��hXr{5�F�[
Meta JSON brut
{
"tls_ja3_hash": "9460af62ae0af667130bf0d36514f084",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 247,
"payload_entropy": 5.865866662825565,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"dst_port": 2339,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.3,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "93b1677f65ff6ac8d29cfdf9c3f075a8e8ffa57d",
"event_fingerprint": "2363c7726a613dab388b101e6a9dfe94df46d5c5",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "9460af62ae0af667130bf0d36514f084",
"payload_hash": "1f0a3b5290ac139b460a1151e0ca8dac",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0",
"tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 2339,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffdm\u001f9\u0015<\ufffd\ufffd!v9\ufffd\ufffda%\ufffd\ufffd \ufffdw\ufffdv\ufffd\u0012\ufffd\ufffdt\u000ee\"\ufffd~R\u0010\ufffd\u0015\ufffd\t-\ufffdD\ufffd\ufffd\ufffdC\ufffd\ufffdw\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffdm\u001f9\u0015<\ufffd\ufffd!v9\ufffd\ufffda%\ufffd\ufffd \ufffdw\ufffdv\ufffd\u0012\ufffd\ufffdt\u000ee\"\ufffd~R\u0010\ufffd\u0015\ufffd\t-\ufffdD\ufffd\ufffd\ufffdC\ufffd\ufffdw\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 W\ufffdr\u0006\ufffd\u0010\ufffd\ufffdt\ufffd\u0013B\u0007z\u001e#\ufffd)\u00de\u0002\ufffdhXr{5\ufffdF\ufffd[",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffdm\u001f9\u0015<\ufffd\ufffd!v9\ufffd\ufffda%\ufffd\ufffd \ufffdw\ufffdv\ufffd\u0012\ufffd\ufffdt\u000ee\"\ufffd~R\u0010\ufffd\u0015\ufffd\t-\ufffdD\ufffd\ufffd\ufffdC\ufffd\ufffdw\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "21bc9209782cd05fca38ed8f0a29b4fb076066b6",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffdm\u001f9\u0015<\ufffd\ufffd!v9\ufffd\ufffda%\ufffd\ufffd \ufffdw\ufffdv\ufffd\u0012\ufffd\ufffdt\u000ee\"\ufffd~R\u0010\ufffd\u0015\ufffd\t-\ufffdD\ufffd\ufffd\ufffdC\ufffd\ufffdw\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 2339,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdd \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffdm9<\ufffd\ufffd!v9\ufffd\ufffda%\ufffd\ufffd \ufffdw\ufffdv\ufffd\ufffd\ufffdte\"\ufffd~R\ufffd\ufffd\t-\ufffdD\ufffd\ufffd\ufffdC\ufffd\ufffdw\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:2339 \u00b7 (sonde \/ probe)",
"target_port_label": "2339 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 2339,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003d \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffdm\u001f9\u0015<\ufffd\ufffd!v9\ufffd\ufffda%\ufffd\ufffd \ufffdw\ufffdv\ufffd\u0012\ufffd\ufffdt\u000ee\"\ufffd~R\u0010\ufffd\u0015\ufffd\t-\ufffdD\ufffd\ufffd\ufffdC\ufffd\ufffdw\u0016\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 2339,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:2339 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdd \ufffd\ufffd\ufffd<\ufffd\ufffd\ufffd\ufffd2\ufffd\ufffd\ufffdm9<\ufffd\ufffd!v9\ufffd\ufffda%\ufffd\ufffd \ufffdw\ufffdv\ufffd\ufffd\ufffdte\"\ufffd~R\ufffd\ufffd\t-\ufffdD\ufffd\ufffd\ufffdC\ufffd\ufffdw\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "2339 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "2339"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:2339",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
2339
|
—
|
Sonde port
Sonde port · port 2339 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2339
Chemin / cible
—
Payload
t3 12.1.2 AS:2048 HL:19
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
t3 12.1.2
AS:2048
HL:19
Meta JSON brut
{
"bytes_in": 25,
"payload_entropy": 3.7834651896016456,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 2339,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "94c4e8e0fa7c979f48f8603968fb82acf8147c0d",
"event_fingerprint": "460b42ae753c66d9385e43178d077639fa19bb9d",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 2339,
"risk_score": 44
},
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"evidence": {
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "e472c8c28fbb697622fa02f3b7df39e568260f59",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 2339
},
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"attack_vector": "Sonde port \u00b7 port 2339 \u00b7 (sonde \/ probe)",
"target_port_label": "2339",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 2339,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 2339
},
"attack_vector": "Sonde port \u00b7 port 2339 \u00b7 (sonde \/ probe)",
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"target_port_label": "2339",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "2339"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:2339",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
2339 · HTTP
|
http
|
Sonde port 2339/TCP
port 2339 tcp · via HTTP:2339 · (sonde / probe)
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.29.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2339
Chemin / cible
/
Preuve honeypot — Sonde port 2339/TCP
Connexion détectée sur le port 2339 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_2339_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
63%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"dst_port": 2339,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "62cdbff4be0f9d994ee69bf558ec657a790e815d",
"event_fingerprint": "80d0c0734349891adba49b7abf4323c4eaefbacb",
"classification_reason": "Type \u00ab port_2339_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.63,
"classification_confidence": 0.63,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2339,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"classification_reason": "Type \u00ab port_2339_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "53293eb06068ce32a7fc0bb71cad443901c34c49",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 2339,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"attack_vector": "port 2339 tcp \u00b7 via HTTP:2339 \u00b7 (sonde \/ probe)",
"target_port_label": "2339 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_2339_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_2339_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 63,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 2339,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 2339,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 2339 tcp \u00b7 via HTTP:2339 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"target_port_label": "2339 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "2339"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:2339"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
],
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
2339
|
—
|
Sonde port
Sonde port · port 2339 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2339
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 2339,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.2,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "94c4e8e0fa7c979f48f8603968fb82acf8147c0d",
"event_fingerprint": "460b42ae753c66d9385e43178d077639fa19bb9d",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 2339,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "650c4028a21ab58e3625e5b665b0f122a62737dd",
"protocol_details": {
"port": 2339
},
"attack_vector": "Sonde port \u00b7 port 2339 \u00b7 (sonde \/ probe)",
"target_port_label": "2339",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 2339,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 2339
},
"attack_vector": "Sonde port \u00b7 port 2339 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "2339",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "2339"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
383 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:383 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 9460af62ae0af667
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
383
Chemin / cible
—
Service
TLS
Payload
�����������P�8� ;�T#���%��ou��,V��b%�l��Hv F�9um">(b�!�[ Q�U�W�J����� �Y�&�+�/�,�0̨̩� ��� �������/�5��� ���������� ������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������P�8� ;�T#���%��ou��,V��b%�l��Hv F�9um">(b�!�[
Q�U�W�J�������Y�&�+�/�,�0̨̩� ���
�������/�5���
�����������������
Requête brute (extrait)
�����������P�8� ;�T#���%��ou��,V��b%�l��Hv F�9um">(b�!�[ Q�U�W�J����� �Y�&�+�/�,�0̨̩� ��� �������/�5��� ���������� ��������������������������� � ����������� �����������������������������+� ����������3�&�$��� �z��P�kTcp��7�l������#�� NU��͌*
Meta JSON brut
{
"tls_ja3_hash": "9460af62ae0af667130bf0d36514f084",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 247,
"payload_entropy": 5.835847010637315,
"port_category": "well_known",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"dst_port": 383,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.8,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "e808a225b6e23e4eba6ae8756cb67282df1e09f5",
"event_fingerprint": "aace3b606448f151b56112755ec0a74d60e41ace",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "9460af62ae0af667130bf0d36514f084",
"payload_hash": "1399d84ee9187fe02729c4b4a140eaf2",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0",
"tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 383,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003P\ufffd8\ufffd ;\ufffdT#\ufffd\ufffd\ufffd%\ufffd\ufffdou\ufffd\ufffd,V\ufffd\ufffdb%\ufffdl\ufffd\ufffdHv F\ufffd9um\">\u074b(b\ufffd!\ufffd[\nQ\ufffdU\ufffdW\ufffdJ\u001a\ufffd\u0012\u0000\ufffd\f\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003P\ufffd8\ufffd ;\ufffdT#\ufffd\ufffd\ufffd%\ufffd\ufffdou\ufffd\ufffd,V\ufffd\ufffdb%\ufffdl\ufffd\ufffdHv F\ufffd9um\">\u074b(b\ufffd!\ufffd[\nQ\ufffdU\ufffdW\ufffdJ\u001a\ufffd\u0012\u0000\ufffd\f\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffdz\ufffd\u0004P\ufffdkTcp\u0011\ufffd7\ufffdl\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd#\ufffd\ufffd\fNU\ufffd\u000f\u034c*",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003P\ufffd8\ufffd ;\ufffdT#\ufffd\ufffd\ufffd%\ufffd\ufffdou\ufffd\ufffd,V\ufffd\ufffdb%\ufffdl\ufffd\ufffdHv F\ufffd9um\">\u074b(b\ufffd!\ufffd[\nQ\ufffdU\ufffdW\ufffdJ\u001a\ufffd\u0012\u0000\ufffd\f\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "777277135fe1253aea2196ca36050f9da4c9c531",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003P\ufffd8\ufffd ;\ufffdT#\ufffd\ufffd\ufffd%\ufffd\ufffdou\ufffd\ufffd,V\ufffd\ufffdb%\ufffdl\ufffd\ufffdHv F\ufffd9um\">\u074b(b\ufffd!\ufffd[\nQ\ufffdU\ufffdW\ufffdJ\u001a\ufffd\u0012\u0000\ufffd\f\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 383,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffdP\ufffd8\ufffd ;\ufffdT#\ufffd\ufffd\ufffd%\ufffd\ufffdou\ufffd\ufffd,V\ufffd\ufffdb%\ufffdl\ufffd\ufffdHv F\ufffd9um\">\u074b(b\ufffd!\ufffd[\nQ\ufffdU\ufffdW\ufffdJ\ufffd\ufffd\ufffdY&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:383 \u00b7 (sonde \/ probe)",
"target_port_label": "383 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 383,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003P\ufffd8\ufffd ;\ufffdT#\ufffd\ufffd\ufffd%\ufffd\ufffdou\ufffd\ufffd,V\ufffd\ufffdb%\ufffdl\ufffd\ufffdHv F\ufffd9um\">\u074b(b\ufffd!\ufffd[\nQ\ufffdU\ufffdW\ufffdJ\u001a\ufffd\u0012\u0000\ufffd\f\ufffdY\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 383,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:383 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffdP\ufffd8\ufffd ;\ufffdT#\ufffd\ufffd\ufffd%\ufffd\ufffdou\ufffd\ufffd,V\ufffd\ufffdb%\ufffdl\ufffd\ufffdHv F\ufffd9um\">\u074b(b\ufffd!\ufffd[\nQ\ufffdU\ufffdW\ufffdJ\ufffd\ufffd\ufffdY&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "383 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "383"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:383",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
383
|
—
|
Sonde port
Sonde port · port 383 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
383
Chemin / cible
—
Payload
t3 12.1.2 AS:2048 HL:19
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
t3 12.1.2
AS:2048
HL:19
Meta JSON brut
{
"bytes_in": 25,
"payload_entropy": 3.7834651896016456,
"port_category": "well_known",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 383,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "cd8529c5303bc14a61af544caaa5b1884310f2e3",
"event_fingerprint": "9d2a73b974edca0dd4efbf1e2fc24eebbbb05b4e",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 383,
"risk_score": 44
},
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"evidence": {
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "be22f846e37d587e433058c0a670c8b85d22418e",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 383
},
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"attack_vector": "Sonde port \u00b7 port 383 \u00b7 (sonde \/ probe)",
"target_port_label": "383",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 383,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 383
},
"attack_vector": "Sonde port \u00b7 port 383 \u00b7 (sonde \/ probe)",
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"target_port_label": "383",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "383"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:383",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
383 · HTTP
|
http
|
Sonde port 383/TCP
port 383 tcp · via HTTP:383 · (sonde / probe)
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.29.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
383
Chemin / cible
/
Preuve honeypot — Sonde port 383/TCP
Connexion détectée sur le port 383 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_383_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
63%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "well_known",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"dst_port": 383,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 3.5,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "4bc711dbd176652842363d8183db7466a17a8a1e",
"event_fingerprint": "05e25c565d19248c0c8f7c3dc72a014c110e6a0b",
"classification_reason": "Type \u00ab port_383_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.63,
"classification_confidence": 0.63,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 383,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"classification_reason": "Type \u00ab port_383_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f41806181655cad601c5eadb5d9b950542b91510",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 383,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"attack_vector": "port 383 tcp \u00b7 via HTTP:383 \u00b7 (sonde \/ probe)",
"target_port_label": "383 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_383_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_383_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 63,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 383,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 383,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 383 tcp \u00b7 via HTTP:383 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"target_port_label": "383 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "383"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:383"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
],
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
383
|
—
|
Sonde port
Sonde port · port 383 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
383
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 383,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.8,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "cd8529c5303bc14a61af544caaa5b1884310f2e3",
"event_fingerprint": "9d2a73b974edca0dd4efbf1e2fc24eebbbb05b4e",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 383,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a6a93336d147041f26d85a29d4534fbf5ce70911",
"protocol_details": {
"port": 383
},
"attack_vector": "Sonde port \u00b7 port 383 \u00b7 (sonde \/ probe)",
"target_port_label": "383",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 383,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 383
},
"attack_vector": "Sonde port \u00b7 port 383 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "383",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "383"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
1839
|
—
|
Sonde port
Sonde port · port 1839 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1839
Chemin / cible
—
Payload
t3 12.1.2 AS:2048 HL:19
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
t3 12.1.2
AS:2048
HL:19
Meta JSON brut
{
"bytes_in": 25,
"payload_entropy": 3.7834651896016456,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 1839,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "18462f63f9120b3e517f555c1bb4958c74da2268",
"event_fingerprint": "05fb29c0c79a4df7f2225a5d9dbc34469888d7ad",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 1839,
"risk_score": 44
},
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"evidence": {
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "65d3d59c3c14b82b080c22adffdeff6fa2209670",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 1839
},
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"attack_vector": "Sonde port \u00b7 port 1839 \u00b7 (sonde \/ probe)",
"target_port_label": "1839",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 1839,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 1839
},
"attack_vector": "Sonde port \u00b7 port 1839 \u00b7 (sonde \/ probe)",
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"target_port_label": "1839",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "1839"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:1839",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
1839 · HTTP
|
http
|
Sonde port 1839/TCP
port 1839 tcp · via HTTP:1839 · (sonde / probe)
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.29.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
1839
Chemin / cible
/
Preuve honeypot — Sonde port 1839/TCP
Connexion détectée sur le port 1839 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_1839_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
63%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"dst_port": 1839,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "4900920450cb8ccd186d69d25a6b1febfa9f33c5",
"event_fingerprint": "6bb8092e766a6c3343fd9056f4a72944710f539b",
"classification_reason": "Type \u00ab port_1839_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.63,
"classification_confidence": 0.63,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 1839,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"classification_reason": "Type \u00ab port_1839_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f8f5efa485dbe3c57832b4e74698dce9a3ce84bc",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 1839,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"attack_vector": "port 1839 tcp \u00b7 via HTTP:1839 \u00b7 (sonde \/ probe)",
"target_port_label": "1839 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_1839_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_1839_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 63,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 1839,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 1839,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 1839 tcp \u00b7 via HTTP:1839 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"target_port_label": "1839 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "1839"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:1839"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
],
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
1839 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:1839 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 9460af62ae0af667
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1839
Chemin / cible
—
Service
TLS
Payload
�����������0߽�(�̷'�&������8����r������F{2 f�S���畷�H^P�fN ��2=�H���0�-z���&�+�/�,�0̨̩� ��� �������/�5��� ���������� ������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������0߽�(�̷'�&������8����r������F{2 f�S���畷�H^P�fN
��2=�H���0�-z���&�+�/�,�0̨̩� ���
�������/�5���
�����������������
Requête brute (extrait)
�����������0߽�(�̷'�&������8����r������F{2 f�S���畷�H^P�fN ��2=�H���0�-z���&�+�/�,�0̨̩� ��� �������/�5��� ���������� ��������������������������� � ����������� �����������������������������+� ����������3�&�$��� K �kϋ�� ��9̷:nW�����I���07���
Meta JSON brut
{
"tls_ja3_hash": "9460af62ae0af667130bf0d36514f084",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 247,
"payload_entropy": 5.644618481856216,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"dst_port": 1839,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "aa38ccf42b5c33ed136600e4dd4c12ebe68378a9",
"event_fingerprint": "f63cab68b872f5d8cec628b0db63966675ef31b8",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "9460af62ae0af667130bf0d36514f084",
"payload_hash": "d35a0ddfdd2ccb97a3211763d241099e",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0",
"tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 1839,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u07fd\ufffd(\ufffd\u0337'\ufffd&\ufffd\u0000\u0017\ufffd\ufffd\u00068\ufffd\ufffd\ufffd\u0000r\ufffd\ufffd\u001b\ufffd\ufffd\ufffdF{2 f\ufffdS\ufffd\u001c\ufffd\u7577\ufffdH^P\ufffdfN\n\ufffd\u00172=\ufffdH\u0001\u0016\ufffd0\ufffd-z\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u07fd\ufffd(\ufffd\u0337'\ufffd&\ufffd\u0000\u0017\ufffd\ufffd\u00068\ufffd\ufffd\ufffd\u0000r\ufffd\ufffd\u001b\ufffd\ufffd\ufffdF{2 f\ufffdS\ufffd\u001c\ufffd\u7577\ufffdH^P\ufffdfN\n\ufffd\u00172=\ufffdH\u0001\u0016\ufffd0\ufffd-z\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 K\t\ufffdk\u03cb\u0012\u0002\t\u0002\ufffd9\u0337:nW\ufffd\u0019\u000e\ufffd\ufffdI\ufffd\ufffd\ufffd07\u0017\u0000\u0018",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u07fd\ufffd(\ufffd\u0337'\ufffd&\ufffd\u0000\u0017\ufffd\ufffd\u00068\ufffd\ufffd\ufffd\u0000r\ufffd\ufffd\u001b\ufffd\ufffd\ufffdF{2 f\ufffdS\ufffd\u001c\ufffd\u7577\ufffdH^P\ufffdfN\n\ufffd\u00172=\ufffdH\u0001\u0016\ufffd0\ufffd-z\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "ae659f48af71887e074ce72274429f13d5c528da",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u07fd\ufffd(\ufffd\u0337'\ufffd&\ufffd\u0000\u0017\ufffd\ufffd\u00068\ufffd\ufffd\ufffd\u0000r\ufffd\ufffd\u001b\ufffd\ufffd\ufffdF{2 f\ufffdS\ufffd\u001c\ufffd\u7577\ufffdH^P\ufffdfN\n\ufffd\u00172=\ufffdH\u0001\u0016\ufffd0\ufffd-z\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 1839,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd0\u07fd\ufffd(\ufffd\u0337'\ufffd&\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffdF{2 f\ufffdS\ufffd\ufffd\u7577\ufffdH^P\ufffdfN\n\ufffd2=\ufffdH\ufffd0\ufffd-z\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:1839 \u00b7 (sonde \/ probe)",
"target_port_label": "1839 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 1839,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u00030\u07fd\ufffd(\ufffd\u0337'\ufffd&\ufffd\u0000\u0017\ufffd\ufffd\u00068\ufffd\ufffd\ufffd\u0000r\ufffd\ufffd\u001b\ufffd\ufffd\ufffdF{2 f\ufffdS\ufffd\u001c\ufffd\u7577\ufffdH^P\ufffdfN\n\ufffd\u00172=\ufffdH\u0001\u0016\ufffd0\ufffd-z\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 1839,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:1839 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd0\u07fd\ufffd(\ufffd\u0337'\ufffd&\ufffd\ufffd\ufffd8\ufffd\ufffd\ufffdr\ufffd\ufffd\ufffd\ufffd\ufffdF{2 f\ufffdS\ufffd\ufffd\u7577\ufffdH^P\ufffdfN\n\ufffd2=\ufffdH\ufffd0\ufffd-z\ufffd\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "1839 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"meta_truncated": true,
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "1839"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:1839",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
1839
|
—
|
Sonde port
Sonde port · port 1839 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
1839
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 1839,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "18462f63f9120b3e517f555c1bb4958c74da2268",
"event_fingerprint": "05fb29c0c79a4df7f2225a5d9dbc34469888d7ad",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 1839,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "80ee41212299924597cdd83ae59d02363c53f16d",
"protocol_details": {
"port": 1839
},
"attack_vector": "Sonde port \u00b7 port 1839 \u00b7 (sonde \/ probe)",
"target_port_label": "1839",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 1839,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 1839
},
"attack_vector": "Sonde port \u00b7 port 1839 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "1839",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "1839"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
10801
|
—
|
Sonde port
Sonde port · port 10801 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10801
Chemin / cible
—
Payload
t3 12.1.2 AS:2048 HL:19
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
58%
Corrélation +8
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
t3 12.1.2
AS:2048
HL:19
Meta JSON brut
{
"bytes_in": 25,
"payload_entropy": 3.7834651896016456,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 10801,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "d8247c0f5f2ef4dad5703ec3692ffd6292b3e142",
"event_fingerprint": "290fa1ab0da146c3d2a84f56b131b68c7a3a7e77",
"classification_confidence": 0.58,
"confidence": 0.58,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 10801,
"risk_score": 44
},
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"evidence": {
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "f2fcc269b00fa6131817bdeb43d6bd132422507f",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 10801
},
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"attack_vector": "Sonde port \u00b7 port 10801 \u00b7 (sonde \/ probe)",
"target_port_label": "10801",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 58,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 10801,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19",
"port": 10801
},
"attack_vector": "Sonde port \u00b7 port 10801 \u00b7 (sonde \/ probe)",
"evidence_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"target_port_label": "10801",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 58 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "10801"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:10801",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
10801 · TLS
|
tls
|
Sonde PostgreSQL
postgres probe · via TLS:10801 · (sonde / probe)
|
Élevée
|
Faible · 35
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
JA3 9460af62ae0af667
Émulateur
TLS
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10801
Chemin / cible
—
Service
TLS
Payload
�����������-*���*g��y�`����Wg˦r�V�s9[B�G9= T��#���!A�Y8��e�bi�������M.?��3��&�+�/�,�0̨̩� ��� �������/�5��� ���������� ������
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
57%
Corrélation +8
Risque capteur
Faible
· 35
Confiance : Confiance 49 % — Motif catalogue confirmé
Signaux
pat-0369
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
STUN binding
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������-*���*g��y�`����Wg˦r�V�s9[B�G9= T��#���!A�Y8��e�bi�������M.?��3��&�+�/�,�0̨̩� ���
�������/�5���
�����������������
Requête brute (extrait)
�����������-*���*g��y�`����Wg˦r�V�s9[B�G9= T��#���!A�Y8��e�bi�������M.?��3��&�+�/�,�0̨̩� ��� �������/�5��� ���������� ��������������������������� � ����������� �����������������������������+� ����������3�&�$��� Hib�pr�F����K|t ���ٰ�p����J&PF6
Meta JSON brut
{
"tls_ja3_hash": "9460af62ae0af667130bf0d36514f084",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 247,
"payload_entropy": 5.857171467616011,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"dst_port": 10801,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 3.1,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 35,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "81e5d85d51d0f92d5ac941a905f44ed4783fbb99",
"event_fingerprint": "ebf48ce92a9d5525862d36f69cb3203db6164be7",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.57,
"classification_confidence": 0.57,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"STUN binding",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0771",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"named_classification_skipped": false,
"service_name": "tls",
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "9460af62ae0af667130bf0d36514f084",
"payload_hash": "3947eb1a60fd1ee82539ed1d89afc6f4",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5",
"ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner"
},
"tls_ja3": "771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,11-65281-23-18-5-10-13-43-51,29-23-24-25,0",
"tls_ja4_hash": "9d78dfefabcee3ee16297d72e4cafc86",
"tls_ja4": "t13d0119_e060b20e9557_cc710080a5f9",
"tls_version": "0x0303",
"tls_cipher_count": 19,
"ja3_client_category": "nmap_scanner",
"target_context": {
"dst_port": 10801,
"service": "tls",
"service_name": "tls",
"risk_score": 35
},
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-*\ufffd\ufffd\ufffd*g\ufffd\ufffdy\u0000`\ufffd\ufffd\ufffd\ufffdWg\u02e6r\ufffdV\ufffds9[B\ufffdG9= T\ufffd\ufffd#\ufffd\u0001\ufffd!A\ufffdY8\ufffd\u0012e\u001ebi\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdM.?\ufffd\ufffd3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-*\ufffd\ufffd\ufffd*g\ufffd\ufffdy\u0000`\ufffd\ufffd\ufffd\ufffdWg\u02e6r\ufffdV\ufffds9[B\ufffdG9= T\ufffd\ufffd#\ufffd\u0001\ufffd!A\ufffdY8\ufffd\u0012e\u001ebi\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdM.?\ufffd\ufffd3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 Hib\u001bpr\ufffdF\ufffd\ufffd\u0019\ufffdK|t\t\ufffd\ufffd\ufffd\u0670\ufffdp\ufffd\u001a\ufffd\ufffdJ&PF6",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-*\ufffd\ufffd\ufffd*g\ufffd\ufffdy\u0000`\ufffd\ufffd\ufffd\ufffdWg\u02e6r\ufffdV\ufffds9[B\ufffdG9= T\ufffd\ufffd#\ufffd\u0001\ufffd!A\ufffdY8\ufffd\u0012e\u001ebi\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdM.?\ufffd\ufffd3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "75e7f755f9541523ed6d295e4e9bc54d44964d41",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-*\ufffd\ufffd\ufffd*g\ufffd\ufffdy\u0000`\ufffd\ufffd\ufffd\ufffdWg\u02e6r\ufffdV\ufffds9[B\ufffdG9= T\ufffd\ufffd#\ufffd\u0001\ufffd!A\ufffdY8\ufffd\u0012e\u001ebi\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdM.?\ufffd\ufffd3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 10801,
"service": "tls",
"service_label_fr": "TLS"
},
"evidence_snippet": "\ufffd\ufffd-*\ufffd\ufffd\ufffd*g\ufffd\ufffdy`\ufffd\ufffd\ufffd\ufffdWg\u02e6r\ufffdV\ufffds9[B\ufffdG9= T\ufffd\ufffd#\ufffd\ufffd!A\ufffdY8\ufffdebi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM.?\ufffd\ufffd3\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"attack_vector": "postgres probe \u00b7 via TLS:10801 \u00b7 (sonde \/ probe)",
"target_port_label": "10801 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"classification_reason_label_fr": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 35\/100",
"confidence_pct": 57,
"confidence_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15,
"risk_score": 35,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 35,
"risk_label": "Faible",
"service_name": "tls",
"service_label_fr": "TLS",
"dst_port": 10801,
"protocol_emulated": null,
"tags_summary": [
"pat-0369"
],
"tags_summary_labels_fr": [
"pat-0369"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-tls",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003-*\ufffd\ufffd\ufffd*g\ufffd\ufffdy\u0000`\ufffd\ufffd\ufffd\ufffdWg\u02e6r\ufffdV\ufffds9[B\ufffdG9= T\ufffd\ufffd#\ufffd\u0001\ufffd!A\ufffdY8\ufffd\u0012e\u001ebi\ufffd\ufffd\ufffd\u001a\ufffd\ufffd\ufffdM.?\ufffd\ufffd3\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"tls_ja3": "9460af62ae0af667130bf0d36514f084",
"tls_ja4": "9d78dfefabcee3ee16297d72e4cafc86",
"port": 10801,
"service": "tls",
"service_label_fr": "TLS"
},
"attack_vector": "postgres probe \u00b7 via TLS:10801 \u00b7 (sonde \/ probe)",
"evidence_snippet": "\ufffd\ufffd-*\ufffd\ufffd\ufffd*g\ufffd\ufffdy`\ufffd\ufffd\ufffd\ufffdWg\u02e6r\ufffdV\ufffds9[B\ufffdG9= T\ufffd\ufffd#\ufffd\ufffd!A\ufffdY8\ufffdebi\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdM.?\ufffd\ufffd3\ufffd&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\ufffd\n\ufffd\ufffd\ufffd\/5\ufffd\n\ufffd",
"target_port_label": "10801 \u00b7 TLS",
"emulator_service": "tls",
"confidence_reason": "Confiance 49 % \u2014 Motif catalogue confirm\u00e9",
"confidence_factors_fr": "Confiance 57 % \u2014 Score WAF 8 \u00b7 Bonus corr\u00e9lation +8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "tls",
"service_banner": "honeypot-tls",
"service_os": "linux",
"dst_port": "10801"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 3,
"multi_protocol_sample": [
"http",
"port:10801",
"tls"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
10801 · HTTP
|
http
|
Sonde port 10801/TCP
port 10801 tcp · via HTTP:10801 · (sonde / probe)
|
Élevée
|
Moyen · 42
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
Corrélations
Multi-protocole corrélé (5 min)
MITRE
TA0007
TA0007
TA0001
Protocole
GET / UA curl/7.29.0
Émulateur
HTTP
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
10801
Chemin / cible
/
Preuve honeypot — Sonde port 10801/TCP
Connexion détectée sur le port 10801 (TCP) du capteur simulé.
Pourquoi cette classification : Type « port_10801_tcp » (signaux protocolaires) · confiance 55%
Confiance classification
63%
Corrélation +8
Risque capteur
Moyen
· 42
Confiance : Confiance 55 % — Classification nommée non retenue — preuves insuffisantes · 2 tag(s) WAF
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"dst_port": 10801,
"risk_waf": 32,
"risk_classification": 38,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 3.8,
"risk_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 42,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "bc97b52d1731e8015a6e62e3ddedd80c88468368",
"event_fingerprint": "f7200693845504ef424d007e288b9b3fea5135e1",
"classification_reason": "Type \u00ab port_10801_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"confidence": 0.63,
"classification_confidence": 0.63,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"named_classification_skipped": true,
"named_candidate": "web_scanner",
"service_name": "http",
"risk_confidence_factor": 55,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 10801,
"service": "http",
"service_name": "http",
"risk_score": 42
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"classification_reason": "Type \u00ab port_10801_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cd139dd9b1f7288525e1122f71ba5e2290a5dd6b",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 10801,
"service": "http",
"service_label_fr": "HTTP"
},
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"attack_vector": "port 10801 tcp \u00b7 via HTTP:10801 \u00b7 (sonde \/ probe)",
"target_port_label": "10801 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_10801_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"classification_reason_label_fr": "Type \u00ab port_10801_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 42\/100",
"confidence_pct": 63,
"confidence_breakdown": {
"waf": 32,
"classification": 38,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30,
"risk_score": 42,
"correlation_boost": 8
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 42,
"risk_label": "Moyen",
"service_name": "http",
"service_label_fr": "HTTP",
"dst_port": 10801,
"protocol_emulated": null,
"tags_summary": null,
"tags_summary_labels_fr": null,
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot-http",
"correlation_flags": [
"multi_protocol_correlation"
],
"correlation_flags_labels_fr": [
"Multi-protocole corr\u00e9l\u00e9 (5 min)"
],
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Corr\u00e9lation +8",
"protocol_details": {
"http_method": "GET",
"http_path": "\/",
"request_line": "GET \/ HTTP\/1.1",
"http_user_agent": "curl\/7.29.0",
"port": 10801,
"service": "http",
"service_label_fr": "HTTP"
},
"attack_vector": "port 10801 tcp \u00b7 via HTTP:10801 \u00b7 (sonde \/ probe)",
"evidence_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"target_port_label": "10801 \u00b7 HTTP",
"emulator_service": "http",
"confidence_reason": "Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes \u00b7 2 tag(s) WAF",
"confidence_factors_fr": "Confiance 63 % \u2014 Score WAF 32 \u00b7 Bonus corr\u00e9lation +8 \u00b7 2 tag(s) WAF",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "http",
"service_banner": "honeypot-http",
"service_os": "linux",
"dst_port": "10801"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"multi_protocol_correlation": true,
"multi_protocol_count": 2,
"multi_protocol_sample": [
"http",
"port:10801"
],
"multi_protocol_window_s": 300,
"behavior_alerts": [
"multi_protocol_correlation"
],
"correlation_confidence_boost": 8,
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
10801
|
—
|
Sonde port
Sonde port · port 10801 · (sonde / probe)
|
Faible
|
Moyen · 44
|
|
Étape
Sonde / probe
Chaîne
Découverte
Persona
mail.sensor-1.internal
Rôle capteur
Renseignement menaces
MITRE
TA0007
TA0007
TA0001
Protocole
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
10801
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Confiance modérée — signal unique
Risque capteur
Moyen
· 44
Confiance : Confiance modérée (50 %) — signal principal unique
Signaux
Fp Port Probe Noise
Single Port
Technique MITRE
TA0007
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 10801,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 2.1,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 44,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "d8247c0f5f2ef4dad5703ec3692ffd6292b3e142",
"event_fingerprint": "290fa1ab0da146c3d2a84f56b131b68c7a3a7e77",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 10801,
"risk_score": 44
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"mitre": "TA0007",
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a1d5cf99b53939cc31781c9e163b8a8043da8ecc",
"protocol_details": {
"port": 10801
},
"attack_vector": "Sonde port \u00b7 port 10801 \u00b7 (sonde \/ probe)",
"target_port_label": "10801",
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"site_display": {
"classification": null,
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"classification_reason_label_fr": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"executive_one_liner_fr": "Activit\u00e9 suspecte \u00b7 risque 44\/100",
"confidence_pct": 50,
"confidence_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0,
"risk_score": 44
},
"attack_stage": "probe",
"attack_stage_label": "Sonde \/ probe",
"attack_chain_stage": "discovery",
"attack_chain_stage_label_fr": "D\u00e9couverte",
"risk_score": 44,
"risk_label": "Moyen",
"service_name": null,
"service_label_fr": null,
"dst_port": 10801,
"protocol_emulated": null,
"tags_summary": [
"INT-FP-port-probe-noise",
"INT-single-port"
],
"tags_summary_labels_fr": [
"Fp Port Probe Noise",
"Single Port"
],
"recommended_action": "monitor",
"recommended_action_label": "Surveiller",
"mitre": "TA0007",
"mitre_technique": "TA0007",
"persona_hostname": "mail.sensor-1.internal",
"persona_service_banner": "honeypot",
"correlation_flags": null,
"correlation_flags_labels_fr": null,
"sensor_role": "threat_intelligence",
"sensor_role_label_fr": "Renseignement menaces",
"confidence_hint_fr": "Confiance mod\u00e9r\u00e9e \u2014 signal unique",
"protocol_details": {
"port": 10801
},
"attack_vector": "Sonde port \u00b7 port 10801 \u00b7 (sonde \/ probe)",
"evidence_snippet": null,
"target_port_label": "10801",
"emulator_service": null,
"confidence_reason": "Confiance mod\u00e9r\u00e9e (50 %) \u2014 signal principal unique",
"confidence_factors_fr": "Confiance 50 % \u2014 Score WAF 8",
"campaign_hint_fr": null,
"attack_phases_timeline_fr": [
{
"key": "recon",
"label_fr": "Reconnaissance",
"active": false,
"kind": "stage"
},
{
"key": "probe",
"label_fr": "Sonde \/ probe",
"active": true,
"kind": "stage"
},
{
"key": "exploit_attempt",
"label_fr": "Tentative d'exploit",
"active": false,
"kind": "stage"
},
{
"key": "post_exploit",
"label_fr": "Post-exploitation",
"active": false,
"kind": "stage"
},
{
"key": "c2",
"label_fr": "Commande & contr\u00f4le",
"active": false,
"kind": "stage"
},
{
"key": "discovery",
"label_fr": "D\u00e9couverte",
"active": true,
"kind": "chain",
"hint_fr": null
}
]
},
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "generic",
"service_banner": "honeypot",
"service_os": "linux",
"dst_port": "10801"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "discovery",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
554 · RTSP
|
rtsp
|
Sonde RTSP
|
Élevée
|
Moyen · 47
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
net_rtsp_probe
rtsp_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
554
Chemin / cible
—
Pourquoi cette classification : Type « rtsp_probe » (signaux protocolaires) · confiance 95%
Confiance classification
95%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
LFI Double-dot bypass
RTSP protocol
HTTP OPTIONS method
User-Agent
—
Règles WAF
—
Payload (extrait)
OPTIONS rtsp://62.3.50.33:554 RTSP/1.0
CSeq: 2
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a",
"emulator_response_len": 63,
"bytes_in": 51,
"payload_entropy": 4.573619459279188,
"port_category": "well_known",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "rtsp",
"app_proto": "rtsp",
"asn": 135377,
"country": "US",
"dst_port": 554,
"risk_waf": 8,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 30,
"risk_novelty": 15,
"risk_boost": 0,
"risk_granularity": 5,
"risk_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15
},
"risk_score": 47,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "c612347518e049ce96c448df76dc171f725494ef",
"event_fingerprint": "ce3db5ba4bd31f163b31f656bd467795f2c32ce9",
"classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%",
"confidence": 0.95,
"classification_confidence": 0.95,
"precision_score": 83,
"precision_signals": [
"pat-0382",
"INT-upstream"
],
"kb_rule_ids": [
"pat-0382",
"INT-upstream"
],
"matched_patterns": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"matched_pattern_names": [
"LFI Double-dot bypass",
"RTSP protocol",
"HTTP OPTIONS method"
],
"pattern_ids": [
"pat-0103",
"pat-0382",
"pat-0420"
],
"confidence_breakdown": {
"waf": 8,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 30,
"novelty": 15,
"risk_score": 47
},
"named_classification_skipped": false,
"service_name": "rtsp",
"risk_confidence_factor": 95,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "c52e000efaf457b9b64d4869c7c7a71c",
"path_pattern_hash": "b1dd2a100b4c2489a836875293183168"
},
"target_context": {
"dst_port": 554,
"service": "rtsp",
"service_name": "rtsp",
"risk_score": 47
},
"payload_preview": "OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\r\nCSeq: 2\r\n\r\n",
"request_sample": "OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\r\nCSeq: 2\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\r\nCSeq: 2",
"evidence": {
"request_sample": "OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\r\nCSeq: 2\r\n\r\n",
"payload_snippet": "OPTIONS rtsp:\/\/62.3.50.33:554 RTSP\/1.0\r\nCSeq: 2",
"classification_reason": "Type \u00ab rtsp_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "a5b9553bcee2bc84240e1a0170fabe4e677b89bd",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rtsp",
"service_banner": "honeypot-rtsp",
"service_os": "linux",
"dst_port": "554"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"ban_policy": "advisory_monitor",
"tags_list": [
"net_rtsp_probe",
"rtsp_probe"
]
}
|
|
|
TCP |
554 · RTSP
|
rtsp
|
rtsp
|
Faible
|
Faible · 0
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
554
Chemin / cible
—
Pourquoi cette classification : Type « rtsp » (signaux protocolaires) · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"protocol_emulated": true,
"emulator_response": "525453502f312e3020323030204f4b0d0a435365713a20310d0a5075626c69633a2044455343524942452c2053455455502c2054454152444f574e0d0a0d0a",
"emulator_response_len": 63,
"port_inferred_service": true,
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "well_known",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "rtsp",
"app_proto": "rtsp",
"asn": 135377,
"country": "US",
"dst_port": 554,
"risk_waf": 8,
"risk_classification": 0,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 22,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.3,
"risk_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0
},
"risk_score": 0,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "8e3f9e48f39b04739815fd1693b1af90d71a227f",
"event_fingerprint": "f089fe7be3f172bb5e3847a38a4c2e2a5878053f",
"classification_reason": "Type \u00ab rtsp \u00bb (signaux protocolaires) \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"confidence_breakdown": {
"waf": 8,
"classification": 0,
"behavior": 0,
"geo": 0,
"protocol": 22,
"novelty": 0,
"risk_score": 0
},
"named_classification_skipped": false,
"service_name": "rtsp",
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "6fb9e4f877fce8e8134bd958993fdfda"
},
"target_context": {
"dst_port": 554,
"service": "rtsp",
"service_name": "rtsp",
"risk_score": 0
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "cc4a69e3fd4749e6222d364c76dd8683de330cb8",
"honeypot_persona": {
"sensor_id": "sensor-1",
"hostname": "mail.sensor-1.internal",
"mail_host": "mail.sensor-1.internal",
"ldap_dc": "dc.sensor-1.internal",
"k8s_cluster": "hp-sensor-1",
"domain": "sensor-1.internal",
"service_role": "rtsp",
"service_banner": "honeypot-rtsp",
"service_os": "linux",
"dst_port": "554"
},
"hostname": "mail.sensor-1.internal",
"sensor_id": "sensor-1",
"attack_chain_stage": "probe",
"matched_patterns": [],
"ban_policy": "advisory_monitor",
"behavior_alert_count": 2,
"behavior_priority": 84
}
|
|
|
TCP |
9837
|
tls
|
Sonde PostgreSQL
|
Élevée
|
Faible · 21
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9837
Chemin / cible
—
Pourquoi cette classification : Type « postgres_probe » (signaux protocolaires) · confiance 49%
Confiance classification
49%
Tactiques MITRE
TA0007
TA0001
Motifs de détection (base)
PostgreSQL startup
Minecraft varint handshake
SOCKS5 greeting
SIP TLS ClientHello
TFTP RRQ
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������?��X
�U�o}6�FA�q q���?`1�S���p� A��2�}F���ˉ��������k�m����;�����&�+�/�,�0̨̩� ���
�������/�5���
�����������������
Requête brute (extrait)
�����������?��X �U�o}6�FA�q q���?`1�S���p� A��2�}F���ˉ��������k�m����;�����&�+�/�,�0̨̩� ��� �������/�5��� ���������� ��������������������������� � ����������� �����������������������������+� ����������3�&�$��� � -J����鉁V]�{��@�%�C�sT��dI�6o
Meta JSON brut
{
"tls_ja3_hash": "9460af62ae0af667130bf0d36514f084",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 247,
"payload_entropy": 5.805988843368065,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"dst_port": 9837,
"risk_waf": 8,
"risk_classification": 32,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 43,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 2.6,
"risk_breakdown": {
"waf": 8,
"classification": 32,
"behavior": 0,
"geo": 0,
"protocol": 43,
"novelty": 15
},
"risk_score": 21,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "7d36b51c7321d4232a2886aa0fc67de90edaedbd",
"event_fingerprint": "aff3dd0d43dea7b0dbc1b580a1d86cdd75047dae",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%",
"confidence": 0.49,
"classification_confidence": 0.49,
"precision_score": 58,
"precision_signals": [
"pat-0369"
],
"kb_rule_ids": [
"pat-0369"
],
"matched_patterns": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"matched_pattern_names": [
"PostgreSQL startup",
"Minecraft varint handshake",
"SOCKS5 greeting",
"SIP TLS ClientHello",
"TFTP RRQ"
],
"pattern_ids": [
"pat-0369",
"pat-0554",
"pat-0567",
"pat-0578",
"pat-0536"
],
"risk_confidence_factor": 49,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "9460af62ae0af667130bf0d36514f084",
"payload_hash": "201252b0cd9862032f05f0f223b6ddd1",
"path_pattern_hash": "80f3c71fe26f36a0a9399108643f66c5"
},
"target_context": {
"dst_port": 9837,
"service": "tls"
},
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\b\ufffdX\n\ufffdU\ufffdo}6\ufffdFA\u001bq\tq\ufffd\ufffd\ufffd?`1\u0014S\ufffd\u0002\ufffdp\ufffd A\b\ufffd2\ufffd}F\ufffd\ufffd\ufffd\u02c9\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffdm\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\b\ufffdX\n\ufffdU\ufffdo}6\ufffdFA\u001bq\tq\ufffd\ufffd\ufffd?`1\u0014S\ufffd\u0002\ufffdp\ufffd A\b\ufffd2\ufffd}F\ufffd\ufffd\ufffd\u02c9\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffdm\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\t-J\ufffd\ufffd\ufffd\u0013\u9241V]\ufffd{\ufffd\u0018@\ufffd%\ufffdC\u0014sT\ufffd\u0014dI\ufffd6o",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\b\ufffdX\n\ufffdU\ufffdo}6\ufffdFA\u001bq\tq\ufffd\ufffd\ufffd?`1\u0014S\ufffd\u0002\ufffdp\ufffd A\b\ufffd2\ufffd}F\ufffd\ufffd\ufffd\u02c9\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffdm\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"evidence": {
"request_sample": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\b\ufffdX\n\ufffdU\ufffdo}6\ufffdFA\u001bq\tq\ufffd\ufffd\ufffd?`1\u0014S\ufffd\u0002\ufffdp\ufffd A\b\ufffd2\ufffd}F\ufffd\ufffd\ufffd\u02c9\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffdm\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001\u0000\u0001\u0000\u0000\u0017\u0000\u0000\u0000\u0012\u0000\u0000\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\n\u0000\b\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u0019\u0000\r\u0000\u001a\u0000\u0018\b\u0004\u0004\u0003\b\u0007\b\u0005\b\u0006\u0004\u0001\u0005\u0001\u0006\u0001\u0005\u0003\u0006\u0003\u0002\u0001\u0002\u0003\u0000+\u0000\t\b\u0003\u0004\u0003\u0003\u0003\u0002\u0003\u0001\u00003\u0000&\u0000$\u0000\u001d\u0000 \ufffd\t-J\ufffd\ufffd\ufffd\u0013\u9241V]\ufffd{\ufffd\u0018@\ufffd%\ufffdC\u0014sT\ufffd\u0014dI\ufffd6o",
"payload_snippet": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003?\b\ufffdX\n\ufffdU\ufffdo}6\ufffdFA\u001bq\tq\ufffd\ufffd\ufffd?`1\u0014S\ufffd\u0002\ufffdp\ufffd A\b\ufffd2\ufffd}F\ufffd\ufffd\ufffd\u02c9\ufffd\ufffd\u0012\ufffd\ufffd\ufffd\ufffd\ufffdk\ufffdm\ufffd\ufffd\ufffd\ufffd;\ufffd\ufffd\ufffd\u0016\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"classification_reason": "Type \u00ab postgres_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "9946772c34d966006361cf77042d08e12ec07ac9",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
9837
|
—
|
Sonde port
|
Faible
|
Faible · 16
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9837
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
t3 12.1.2
AS:2048
HL:19
Meta JSON brut
{
"bytes_in": 25,
"payload_entropy": 3.7834651896016456,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 9837,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 16,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "a24fc6535fe91d3f7513f4a24f239d4ec43bc026",
"event_fingerprint": "398ad32a2ea98415e82220ed892613237d85ce5a",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-single-port"
],
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 9837
},
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"evidence": {
"request_sample": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"payload_snippet": "t3 12.1.2\nAS:2048\nHL:19",
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%"
},
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "befcbfef90e2a28d1459991ea38852aa9c99bc50",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
9837
|
http
|
Scanner web
|
Élevée
|
Faible · 15
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
9837
Chemin / cible
/
Pourquoi cette classification : Règle WAF « scanner-ua » · confiance 0%
Confiance classification
0%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"dst_port": 9837,
"risk_waf": 32,
"risk_classification": 42,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 3.4,
"risk_breakdown": {
"waf": 32,
"classification": 42,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 15,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "ccc70748e089313762990aef3d6b45091a44d97e",
"event_fingerprint": "458b21cbdaa02000e3c9b64abea549e62c04ce9e",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%",
"confidence": 0,
"classification_confidence": 0,
"precision_score": 0,
"precision_signals": [],
"kb_rule_ids": [],
"risk_confidence_factor": 0,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 9837,
"service": "http"
},
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"evidence": {
"method": "GET",
"path": "\/",
"user_agent": "curl\/7.29.0",
"waf_tags": [
"950734:sap-sapcontrol-path",
"scanner-ua"
],
"waf_rule_names": [
"sap-sapcontrol-path",
"scanner-ua"
],
"request_line": "GET \/ HTTP\/1.1",
"request_sample": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"payload_snippet": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*",
"classification_reason": "R\u00e8gle WAF \u00ab scanner-ua \u00bb \u00b7 confiance 0%"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"disclosed_scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "7d5e32152f71669b66ca3920de7a8dd841c9aad1",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
9837
|
—
|
Sonde port
|
Faible
|
Faible · 16
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
9837
Chemin / cible
—
Pourquoi cette classification : Type « port_probe » (signaux protocolaires) · confiance 50%
Confiance classification
50%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Meta JSON brut
{
"bytes_in": 0,
"payload_entropy": 0,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 9837,
"risk_waf": 8,
"risk_classification": 48,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 1.6,
"risk_breakdown": {
"waf": 8,
"classification": 48,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 16,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "a24fc6535fe91d3f7513f4a24f239d4ec43bc026",
"event_fingerprint": "398ad32a2ea98415e82220ed892613237d85ce5a",
"classification_confidence": 0.5,
"confidence": 0.5,
"precision_signals": [
"INT-single-port"
],
"risk_confidence_factor": 50,
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 9837
},
"classification_reason": "Type \u00ab port_probe \u00bb (signaux protocolaires) \u00b7 confiance 50%",
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"event_signature": "368ddea359c5b629ac6a3db94f48ae512103f9ff",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
11613
|
—
|
Sonde port
|
Faible
|
Faible · 13
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
11613
Chemin / cible
—
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
t3 12.1.2
AS:2048
HL:19
Meta JSON brut
{
"bytes_in": 25,
"payload_entropy": 3.7834651896016456,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 11613,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 3,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 13,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "fdcbe2321209fdd44984c107d56adaef18dc2c5a",
"event_fingerprint": "71948e00516ce1f08d33fdbbe2901ac55d8525d2",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 11613
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.55,
"classification_confidence": 0.55,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"event_signature": "96066c1760e898a5a79074a651bcc62aa510ecae",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
11613
|
tls
|
Sonde TLS
|
Élevée
|
Faible · 21
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
11613
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
������������G��������*h��0�Ƀ����u��R�h�= �����Y9�j.�� ���
�����ϐ[��������&�+�/�,�0̨̩� ���
�������/�5���
�����������������
Meta JSON brut
{
"tls_ja3_hash": "9460af62ae0af667130bf0d36514f084",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 247,
"payload_entropy": 5.8257851465102215,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"dst_port": 11613,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 4.1,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 21,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "846f02948e303bf49c5a8170b34b56c00d0f5b98",
"event_fingerprint": "eee817bc820ad4901ea1efc10af96fd31465a6eb",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "9460af62ae0af667130bf0d36514f084",
"payload_hash": "717aa1046bfd7e1cf33f2e107a3e1cdb",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 11613,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffdG\ufffd\ufffd\u0018\ufffd\ufffd\ufffd\u0016\ufffd*h\ufffd\ufffd0\ufffd\u0243\u001e\ufffd\ufffd\ufffdu\ufffd\ufffdR\ufffdh\ufffd= \ufffd\ufffd\ufffd\ufffd\ufffdY9\u0002j.\ufffd\ufffd \ufffd\u0006\u000b\r\u001d\ufffd\ufffd\ufffd\ufffd\u03d0[\ufffd\ufffd\ufffd\u0010\ufffd\ufffd\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"event_signature": "ce961746fcf63512824e329a7cd0fc5f9bb729bc",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
11613
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 24
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
11613
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"dst_port": 11613,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 24,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "22aa78bd207d0afbc4a24159aa872bc6f3d977d2",
"event_fingerprint": "002ea1638ca43a844e87f75a71e06d9c7e55207d",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 11613,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"event_signature": "5628aa2dd3b72aa801ffb464dc0e5e7f2d9922d8",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
11613
|
—
|
Sonde port
|
Faible
|
Faible · 13
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
5176
|
tls
|
Sonde TLS
|
Élevée
|
Faible · 23
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5176
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�������������+�m�x�*������.|
���RA�I`��9��� }�����q�g�p�f��Q�� qp�Q����#�&��&�+�/�,�0̨̩� ���
�������/�5���
�����������������
Meta JSON brut
{
"tls_ja3_hash": "9460af62ae0af667130bf0d36514f084",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 247,
"payload_entropy": 5.780961034955973,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"dst_port": 5176,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_granularity": 5.8,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 23,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "7c7ec9c3fbb869ec49edf9752f9fc07d3b03ec73",
"event_fingerprint": "9ddb7d5d09c74d6edf0cf9de99c040295cce636e",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "9460af62ae0af667130bf0d36514f084",
"payload_hash": "51eceb97f4dbadf06e4a811b7b1ae6ae",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 5176,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\ufffd\ufffd+\ufffdm\u0012x\ufffd*\u0001\ufffd\ufffd\ufffd\u0006\ufffd.|\n\ufffd\u000b\ufffdRA\ufffdI`\ufffd\ufffd9\ufffd\ufffd\u0014 }\ufffd\ufffd\u0002\ufffd\ufffdq\u0015g\ufffdp\ufffdf\ufffd\ufffdQ\ufffd\ufffd qp\ufffdQ\u0015\ufffd\u001a\ufffd#\ufffd&\ufffd\u0000&\ufffd+\ufffd\/\ufffd,\ufffd0\u0329\u0328\ufffd\t\ufffd\u0013\ufffd\n\ufffd\u0014\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0002\u0013\u0003\u0001\u0000\u0000\u0000\u000b\u0000\u0002\u0001\u0000\ufffd\u0001",
"event_signature": "f923b63e4da1946cef910c07fa2c896064f45781",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
5176
|
—
|
Sonde port
|
Faible
|
Faible · 15
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
5176
Chemin / cible
—
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
t3 12.1.2
AS:2048
HL:19
Meta JSON brut
{
"bytes_in": 25,
"payload_entropy": 3.7834651896016456,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"dst_port": 5176,
"risk_waf": 8,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_granularity": 4.8,
"risk_breakdown": {
"waf": 8,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 15,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "ac3b73f5d561ce5f0f5fb6b16cc2e91e06635987",
"event_fingerprint": "276ee128db1d2c18b85bf7d93076fbe30c39f7ff",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "588580493dbf1d2ca7cd7f2cd09ed672",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 5176
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.55,
"classification_confidence": 0.55,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "t3 12.1.2\nAS:2048\nHL:19\n\n",
"event_signature": "47190caae1e6d662efc881dac39a7b93de7d99e4",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
5176
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 26
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
5176
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"dst_port": 5176,
"risk_waf": 32,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_granularity": 6.5,
"risk_breakdown": {
"waf": 32,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 26,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "ca91a3fd9e0cbf6e6217501c34b4890b86f71306",
"event_fingerprint": "355f2df13bf36b52909c602460896b37e87d43ba",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 5176,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"event_signature": "4957d880ee6e82be276191fa492dc4de347598e1",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
]
}
|
|
|
TCP |
5176
|
—
|
Sonde port
|
Faible
|
Faible · 15
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
2525
|
http
|
http
|
Faible
|
Faible · 7
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
3
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
http_no_ua
Cible HTTP
OPTIONS
/
TLS SNI
—
Capteur
paris-1
|
Méthode
OPTIONS
Port
2525
Chemin / cible
/
Confiance classification
61%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
OPTIONS / HTTP/1.1
User-Agent
—
Règles WAF
950734:sap-sapcontrol-path
Payload (extrait)
OPTIONS / HTTP/1.0
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "OPTIONS",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 22,
"payload_entropy": 3.697845823084412,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"risk_waf": 15,
"risk_classification": 8,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 0,
"risk_boost": 0,
"risk_breakdown": {
"waf": 15,
"classification": 8,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0
},
"risk_score": 7,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "9bad5db7d6f6ca5dc27bf440a2dfe72bc9b1aad5",
"event_fingerprint": "224255ac3f3848360884dfc23d9470cc2fb7576b",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "76336738f875e41be8e6c44e3126e069",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2525,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"confidence": 0.61,
"classification_confidence": 0.61,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "OPTIONS \/ HTTP\/1.0\r\n\r\n",
"event_signature": "bd1d668d92abdb2e2ed8449c6766f3b87e909dab",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua"
],
"behavior_alert_count": 1,
"behavior_priority": 72
}
|
|
|
TCP |
2525
|
http
|
http
|
Faible
|
Faible · 7
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
3
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
http_no_ua
Cible HTTP
OPTIONS
/
TLS SNI
—
Capteur
paris-1
|
Méthode
OPTIONS
Port
2525
Chemin / cible
/
Confiance classification
61%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
OPTIONS / HTTP/1.1
User-Agent
—
Règles WAF
950734:sap-sapcontrol-path
Payload (extrait)
OPTIONS / RTSP/1.0
Meta JSON brut
{
"http_header_count": 0,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": null,
"http_host_hash": null,
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "OPTIONS",
"http_ua_is_cli": false,
"http_ua_is_browser": false,
"bytes_in": 22,
"payload_entropy": 3.73215889136457,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"risk_waf": 15,
"risk_classification": 8,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 0,
"risk_boost": 0,
"risk_breakdown": {
"waf": 15,
"classification": 8,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 0
},
"risk_score": 7,
"tag_count": 2,
"anomaly_count": 0,
"campaign_key": "9bad5db7d6f6ca5dc27bf440a2dfe72bc9b1aad5",
"event_fingerprint": "224255ac3f3848360884dfc23d9470cc2fb7576b",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "b9373ea592d67ff8b93af91f8352abc2",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2525,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"unknown"
],
"confidence": 0.61,
"classification_confidence": 0.61,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "OPTIONS \/ RTSP\/1.0\r\n\r\n",
"event_signature": "fb174700d64a4191b7188c2c4b117697e79db091",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"http_no_ua"
]
}
|
|
|
TCP |
2525
|
—
|
Sonde MongoDB
|
Élevée
|
Faible · 8
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
mongodb_probe
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2525
Chemin / cible
—
Confiance classification
68%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
���(r������������������|
Meta JSON brut
{
"bytes_in": 44,
"payload_entropy": 1.9235205817738175,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"risk_waf": 0,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_breakdown": {
"waf": 0,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 8,
"tag_count": 1,
"anomaly_count": 0,
"campaign_key": "0e93993a135e0c3e37ea01dc7e6f2d9c0153a689",
"event_fingerprint": "092334c7ba99e72d2e60e7c8567462081943cfe6",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "2a177602bee0d039f41fbd6da5240e04",
"path_pattern_hash": "64fbc3aee24db4a0fc1ea9e5fbb0e29c"
},
"target_context": {
"dst_port": 2525
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.68,
"classification_confidence": 0.68,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\ufffd\u0000\u0000(r\ufffd\u001d\u0013\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000\u0001\ufffd\ufffd\u0000\u0001\ufffd|\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"event_signature": "17ff097120af9f7d726b987a90af3fccdd621c30",
"ban_policy": "advisory_monitor",
"tags_list": [
"mongodb_probe"
]
}
|
|
|
TCP |
2525
|
—
|
Sonde port
|
Faible
|
Faible · 8
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2525
Chemin / cible
—
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������version�bind�����
Meta JSON brut
{
"bytes_in": 32,
"payload_entropy": 3.309196364505181,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"risk_waf": 0,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_breakdown": {
"waf": 0,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 8,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "b157ff94b9794cdf7ef00aaad662b251d46ab5f9",
"event_fingerprint": "4ece93042d685bbb452e61158f09d59e09b7f05e",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "f373b5f5cafd9af5e2c2fd8ac069ea6c",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 2525
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.55,
"classification_confidence": 0.55,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0000\u001e\u0000\u0006\u0001\u0000\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u0007version\u0004bind\u0000\u0000\u0010\u0000\u0003",
"event_signature": "2b0e9fe8f9b0882713be037fab71fa39c2a0a6f4",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
2525
|
—
|
Sonde port
|
Faible
|
Faible · 8
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2525
Chemin / cible
—
Confiance classification
55%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
*(�� ���������www�baidu�com�������)�
Meta JSON brut
{
"bytes_in": 44,
"payload_entropy": 3.2077236474548347,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": null,
"app_proto": null,
"asn": 135377,
"country": "US",
"risk_waf": 0,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 0,
"risk_novelty": 0,
"risk_boost": 0,
"risk_breakdown": {
"waf": 0,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 0,
"novelty": 0
},
"risk_score": 8,
"tag_count": 0,
"anomaly_count": 0,
"campaign_key": "b157ff94b9794cdf7ef00aaad662b251d46ab5f9",
"event_fingerprint": "4ece93042d685bbb452e61158f09d59e09b7f05e",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"payload_hash": "5957bf123ea572b8556804c26a460597",
"path_pattern_hash": "49ebffbc8eed300cf9429db1ba4cf66d"
},
"target_context": {
"dst_port": 2525
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.55,
"classification_confidence": 0.55,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0000*(\ufffd\u0001 \u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0001\u0003www\u0005baidu\u0003com\u0000\u0000\u0001\u0000\u0001\u0000\u0000)\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"event_signature": "ec855268933825f537fdfd2b81a8a144f45dd2a3",
"ban_policy": "advisory_monitor"
}
|
|
|
TCP |
2525
|
—
|
Sonde port
|
Faible
|
Faible · 8
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
2525
|
tls
|
Sonde TLS
|
Élevée
|
Faible · 14
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2525
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
�����������e���G���]������������W@��������
��*�,�+�0�/�����$�#�(�'�
� ���������=�<�5�/�
���U����������
�����������������
�������
Meta JSON brut
{
"tls_ja3_hash": "e62a5f4d538cbf169c2af71bec2399b4",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 5,
"tls_alpn": [
"http\/1.1"
],
"bytes_in": 177,
"payload_entropy": 4.9288190944639485,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"risk_waf": 0,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_breakdown": {
"waf": 0,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 14,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "70836d31869a19f9ea12fae07404daf9d0307458",
"event_fingerprint": "274806059e8a03437268f4991b8c7bd5d7d38d15",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "e62a5f4d538cbf169c2af71bec2399b4",
"payload_hash": "0f3a5ab5f3715aac51ed427c0c6890d4",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 2525,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0003\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003e\ufffd\ufffd\ufffdG\u0011\ufffd\ufffd]\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0001\ufffd\ufffd\ufffd\u0005\bW@\ufffd\ufffd\ufffd\ufffd\u001d\u001d\ufffd\u0010\r\u0000\u0000*\ufffd,\ufffd+\ufffd0\ufffd\/\u0000\ufffd\u0000\ufffd\ufffd$\ufffd#\ufffd(\ufffd'\ufffd\n\ufffd\t\ufffd\u0014\ufffd\u0013\u0000\ufffd\u0000\ufffd\u0000=\u0000<\u00005\u0000\/\u0000\n\u0001\u0000\u0000U\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000\u0000\u0000\n\u0000\b\u0000\u0006\u0000\u001d\u0000\u0017\u0000\u0018\u0000\u000b\u0000\u0002\u0001\u0000\u0000\r\u0000\u001a\u0000\u0018\b\u0004\b",
"event_signature": "607a460add916a4af9774927ee3085de698f59b2",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
2525
|
http
|
Sonde HTTP
|
Élevée
|
Faible · 18
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
6
Recommandation
Surveiller
Tags
950734:sap-sapcontrol-path
scanner-ua
anomaly:scanner-ua
botnet_http_ua_host
Cible HTTP
GET
/
TLS SNI
—
Capteur
paris-1
|
Méthode
GET
Port
2525
Chemin / cible
/
Confiance classification
80%
Tactiques MITRE
TA0007
TA0001
Ligne de requête
GET / HTTP/1.1
User-Agent
curl/7.29.0
Règles WAF
950734:sap-sapcontrol-path
scanner-ua
Payload (extrait)
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: 62.3.50.33
Accept: */*
Meta JSON brut
{
"http_header_count": 3,
"http_query_params": 0,
"http_path_depth": 0,
"http_path_ext": null,
"http_ua_hash": "0315d257123246273ce1f3edb87d478f00f3fce8",
"http_host_hash": "0991dad1e85d945fa26d249d6238901b89cb8349",
"http_target_hash": "42099b4af021e53fd8fd4e056c2568d7c2e3ffa8",
"http_referer_hash": null,
"http_method": "GET",
"http_ua_is_cli": true,
"http_ua_is_browser": false,
"bytes_in": 74,
"payload_entropy": 4.819344967782759,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "http",
"app_proto": "http",
"asn": 135377,
"country": "US",
"risk_waf": 30,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 30,
"risk_boost": 0,
"risk_breakdown": {
"waf": 30,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 30
},
"risk_score": 18,
"tag_count": 5,
"anomaly_count": 1,
"campaign_key": "7967e2a0521085906c51ff2f3c352ce6e81591e8",
"event_fingerprint": "1deb1ca3ff08e669a31868f67b5c6e884f2e10ad",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"http_ua_hash": "a6744e3c06a59e753fc74a2c54c4a161",
"payload_hash": "99559ea3a5e9ac33c4b35f9a75d06c9c",
"path_pattern_hash": "8a5edab282632443219e051e4ade2d1d"
},
"target_context": {
"dst_port": 2525,
"service": "http"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.8,
"classification_confidence": 0.8,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "GET \/ HTTP\/1.1\r\nUser-Agent: curl\/7.29.0\r\nHost: 62.3.50.33\r\nAccept: *\/*\r\n\r\n",
"event_signature": "51d78b28b17dcda8828583f1dc31ac0613218052",
"ban_policy": "advisory_monitor",
"tags_list": [
"950734:sap-sapcontrol-path",
"anomaly:scanner-ua",
"botnet_http_ua_host",
"http_ua_suspicious",
"scanner-ua"
],
"behavior_alert_count": 1,
"behavior_priority": 84
}
|
|
|
TCP |
2525
|
—
|
Sonde port
|
Faible
|
Faible · 8
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
2525
|
tls
|
Sonde TLS
|
Élevée
|
Faible · 14
|
|
Étape
Sonde / probe
MITRE
TA0007
TA0001
WAF
—
Recommandation
Surveiller
Tags
tls_ja3
tls_no_sni
tls_weak_cipher
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
Méthode
—
Port
2525
Chemin / cible
—
Confiance classification
74%
Tactiques MITRE
TA0007
TA0001
User-Agent
—
Règles WAF
—
Payload (extrait)
��������������;�`���XlF�9>#'����������7��� E�RɴX���_Bk?T|��Ӧ��:�+8
��>��&�/�0�+�,̨̩��� ���
�����/�5���
���������{�����
Meta JSON brut
{
"tls_ja3_hash": "89be98bbd4f065fe510fca4893cf8d9b",
"tls_sni": null,
"tls_weak_cipher": true,
"tls_weak_cipher_count": 4,
"bytes_in": 243,
"payload_entropy": 5.853115496905228,
"port_category": "registered",
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"service": "tls",
"app_proto": "tls",
"asn": 135377,
"country": "US",
"risk_waf": 0,
"risk_classification": 30,
"risk_behavior": 0,
"risk_geo": 0,
"risk_protocol": 35,
"risk_novelty": 15,
"risk_boost": 6,
"risk_breakdown": {
"waf": 0,
"classification": 30,
"behavior": 0,
"geo": 0,
"protocol": 35,
"novelty": 15
},
"risk_score": 14,
"tag_count": 3,
"anomaly_count": 0,
"campaign_key": "70836d31869a19f9ea12fae07404daf9d0307458",
"event_fingerprint": "79032e8edf1d0d6a90cb5b0e699d3ef7b155190c",
"city": null,
"is_datacenter": false,
"is_tor_hint": false,
"geo": {
"country": "US",
"asn": 135377,
"org": "UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED",
"is_datacenter": false,
"is_tor_hint": false
},
"fingerprint": {
"ja3": "89be98bbd4f065fe510fca4893cf8d9b",
"payload_hash": "50fa3da97f288586c76973e8d7548c55",
"path_pattern_hash": "8792d2cfdc5028123bfb8f159de8656c"
},
"target_context": {
"dst_port": 2525,
"service": "tls"
},
"attack_stage": "probe",
"mitre_tactics": [
"TA0007",
"TA0001"
],
"threat_family": [
"scanner"
],
"confidence": 0.74,
"classification_confidence": 0.74,
"recommended_client_action": "monitor",
"policy_mode": "intelligence",
"sensor_role": "threat_intelligence",
"payload_preview": "\u0016\u0003\u0001\u0000\ufffd\u0001\u0000\u0000\ufffd\u0003\u0003\u0010\ufffd\u0000;\ufffd`\ufffd\ufffd\ufffdXlF\ufffd9>#'\u001f\ufffd\ufffd\ufffd\u000f\u001f\ufffd\ufffd\ufffd\ufffd7\ufffd\ufffd\ufffd E\ufffdR\u0274X\ufffd\ufffd\u0018_Bk?T|\b\ufffd\u04e6\ufffd\ufffd:\u0015+8\r\r\u001e\ufffd>\ufffd\u0000&\ufffd\/\ufffd0\ufffd+\ufffd,\u0328\u0329\ufffd\u0013\ufffd\t\ufffd\u0014\ufffd\n\u0000\ufffd\u0000\ufffd\u0000\/\u00005\ufffd\u0012\u0000\n\u0013\u0001\u0013\u0003\u0013\u0002\u0001\u0000\u0000{\u0000\u0005\u0000\u0005\u0001\u0000\u0000\u0000",
"event_signature": "94b6ee765cdfaf6d84aa9b4d8270980db81147dd",
"ban_policy": "advisory_monitor",
"tags_list": [
"tls_ja3",
"tls_no_sni",
"tls_weak_cipher"
]
}
|
|
|
TCP |
2669
|
tls
|
Sonde TLS
|
Moyenne
|
Faible · 33
|
|
Étape
—
WAF
—
Recommandation
—
Tags
tls_ja3
tls_no_sni
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|
|
|
TCP |
2669
|
—
|
Sonde port
|
Faible
|
Faible · 0
|
|
Étape
—
WAF
—
Recommandation
—
Tags
—
Cible HTTP
—
TLS SNI
—
Capteur
paris-1
|