{"ip":"154.16.44.117","exported_at":"2026-07-18T10:43:44+00:00","period_days":30,"metrics":{"events7d":25,"distinct_ports":25,"distinct_classifications":2,"max_severity":10,"last_sensor_id":"paris-1","max_waf_score":37,"max_risk_score":64,"attack_stage":"exploit_attempt","attack_chain_stage":"exploitation","threat_family":["path_traversal"],"recommended_action":"investigate","confidence":0.59,"risk_breakdown":{"waf":100,"classification":78,"behavior":0,"geo":0,"protocol":25,"novelty":15},"mitre_tactics":["TA0001","TA0002"],"mitre_technique":"TA0001","top_mitre_technique":"TA0001","top_mitre_count":29,"executive_one_liner_fr":"Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP","campaign_hint_fr":null,"confidence_breakdown":{"waf":100,"classification":78,"behavior":0,"geo":0,"protocol":25,"novelty":15,"risk_score":54},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":59,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["CRS-930100-sub"],"tags_summary":["CRS-930100-sub"],"attack_vector":"lfi path traversal \u00b7 via HTTP:28396 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse","protocol_details":{"http_method":"GET","http_path":"\/sse","request_line":"GET \/sse HTTP\/1.1","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","port":28396,"service":"http","service_label_fr":"HTTP"},"protocol_summary_fr":"GET \/sse \u00b7 UA Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https\u2026 \u00b7 HTTP:28396","evidence_snippet":"GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:28396\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:","target_port_label":"28396 \u00b7 HTTP","emulator_service":"http","confidence_reason":"Confiance 59 % \u2014 4 tag(s) WAF","classification_reason":"Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%","classification_reason_label_fr":"Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%","confidence_factors_fr":"Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF","payload_preview":"GET \/sse HTTP\/1.1\r\nHost: 62.3.50.33:28396\r\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\r\nAccept:"},"events":[{"id":12712715,"ip":"154.16.44.117","ts":"2026-07-18 02:34:01.000000","proto":"tcp","src_port":1662,"dst_port":28396,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022698d885882cb8af3058cc3fadf046b87762dfe86\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.1834266028895755, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 28396, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 54, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223db54ae9602c85cfceb6d4bf8213ac470fda8cca\u0022, \u0022event_fingerprint\u0022: \u00228db0402151016430f36ae3bbaf3d278df6139691\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022146f11002ee8ddb81458db944e58cb3c\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 28396, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 54}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28396\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28396\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28396\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28396\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28396\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a7e2fd434ea6c8b14f248e5f66afab81dbb93463\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 28396, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28396\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:28396 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u002228396 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 54\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 54}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 54, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 28396, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 28396, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:28396 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28396\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002228396 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002228396\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:28396","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":12679267,"ip":"154.16.44.117","ts":"2026-07-17 17:59:23.000000","proto":"tcp","src_port":12748,"dst_port":28571,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022d23b0a2e3a24a05a7fcd8a2faf0c3aa26fed141d\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.1794743123023315, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 28571, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022affc75b493ca702f14fa41408c403df2a0af07fa\u0022, \u0022event_fingerprint\u0022: \u00223ede46d9a34740a71dc7d4cda1082a10747c43a0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00223ca55e2baf4c2131fc7b9827a5e15bf3\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 28571, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28571\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28571\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28571\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28571\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28571\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227ef211e4c79d1bb696d8ba9aa1b90439cecb895d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 28571, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28571\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:28571 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u002228571 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 28571, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 28571, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:28571 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28571\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002228571 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002228571\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 4, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:28571","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":12672102,"ip":"154.16.44.117","ts":"2026-07-17 16:16:28.000000","proto":"tcp","src_port":2882,"dst_port":9203,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022e92b718328952eaf8116e79ea0ca2c3046d5ed14\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 190, \u0022payload_entropy\u0022: 5.156700147800657, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 9203, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002223f318eb465da02a4e6530dd78d4818aa01adf59\u0022, \u0022event_fingerprint\u0022: \u00228491f1b65428615cede3e6b908de5948bbfc19cf\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00224014aa468127fcfe7a76c27f7f526329\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9203, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c2d153c4d52a8d469b0015f55ef526bd21587d94\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 9203, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:9203 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u00229203 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 58, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 9203, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 9203, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:9203 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:9203\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022target_port_label\u0022: \u00229203 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229203\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:9203","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":190},{"id":12656896,"ip":"154.16.44.117","ts":"2026-07-17 12:03:05.000000","proto":"tcp","src_port":15120,"dst_port":19389,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00225b15832022fe7ec344e8cb954f01a9622f3e5f4a\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 174, \u0022payload_entropy\u0022: 5.208890248325095, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 19389, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223e91f25c3eea04d1ff6a45536623a7934aa0c083\u0022, \u0022event_fingerprint\u0022: \u00228740c54ecf6aaa675223d287a50b97f485d03012\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u002241b6c83291ca198f22bc182df56b00d1\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 19389, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19389\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19389\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19389\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19389\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19389\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d80ce3b602f350196f2213c3ba5bf38d0f51974d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19389, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19389\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:19389 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002219389 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 57}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 19389, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19389, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:19389 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19389\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u002219389 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002219389\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:19389","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":174},{"id":12621177,"ip":"154.16.44.117","ts":"2026-07-17 05:46:22.000000","proto":"tcp","src_port":6152,"dst_port":16358,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002207447d71addd09a28c0e8049a0fcbd8c347a9e99\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 5.18314943513186, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 16358, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227ab16621c08c59ab0482a55eba0e7992f9ae0a41\u0022, \u0022event_fingerprint\u0022: \u0022963288c212fd1e8e9418234e0f87d8b08f701c54\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.5, \u0022classification_confidence\u0022: 0.5, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022dc802deb7922af062da0b9c0fb3088f6\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 16358, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:16358\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:16358\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:16358\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:16358\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:16358\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227ae59c52c6afd6e82799cbaa4add6f75c0879061\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 16358, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:16358\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:16358 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u002216358 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 16358, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 16358, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:16358 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:16358\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022target_port_label\u0022: \u002216358 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002216358\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:16358","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":12620971,"ip":"154.16.44.117","ts":"2026-07-17 05:42:09.000000","proto":"tcp","src_port":3746,"dst_port":14150,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002237743a5859b73b38dfa168364ca429480cafbf45\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 448, \u0022payload_entropy\u0022: 5.205235299318527, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 14150, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002234ad521626c4f5d8ed4123cd510459655e2b8755\u0022, \u0022event_fingerprint\u0022: \u0022dd5912a6f581c203a79ef37e2431b843ac646998\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022cf7344d3bd446c08e6308b5745297641\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 14150, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:14150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:14150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:14150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:14150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:14150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224cdbd654e310695b72a4f3c7d250f4d53e2df069\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 14150, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:14150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:14150 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u002214150 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 14150, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 14150, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:14150 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:14150\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022target_port_label\u0022: \u002214150 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002214150\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:14150","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":448},{"id":12612596,"ip":"154.16.44.117","ts":"2026-07-17 02:03:25.000000","proto":"tcp","src_port":2018,"dst_port":4467,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022c3474d126f168e4d121abb8602e25b9458488025\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 190, \u0022payload_entropy\u0022: 5.180332910935778, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 4467, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 1.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022438261e8b192dbeca94c91f16d3e8fc496d084ae\u0022, \u0022event_fingerprint\u0022: \u0022639fd5f9ca3aa9da13fa0a23ea2d100536d7b326\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00220b235c174b42a04c89df006464b411ba\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 4467, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:4467\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:4467\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:4467\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:4467\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:4467\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022811cbeae530db133736fc8de50c7eb00f8948d66\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 4467, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:4467\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:4467 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u00224467 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 4467, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 4467, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:4467 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:4467\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: t\u0022, \u0022target_port_label\u0022: \u00224467 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00224467\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:4467","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":190},{"id":12608483,"ip":"154.16.44.117","ts":"2026-07-17 00:14:39.000000","proto":"tcp","src_port":13762,"dst_port":1416,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022de024e0c551275f7e2073faad987d044a1e86c2e\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 173, \u0022payload_entropy\u0022: 5.185554279395616, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 1416, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 58, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002226661c82b4817262532a9abf169e01fdf0666216\u0022, \u0022event_fingerprint\u0022: \u0022cedabd57fec1d408b5da1ccdd07bce501c76e2e1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022cd74031c3e5f1f6358ed47fe1f2be9ac\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 1416, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 58}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1416\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1416\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1416\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1416\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1416\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f32beac6daf92db14926a3559bdd8f2fa5cdac29\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 1416, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1416\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:1416 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00221416 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 58\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 58, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 58, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 1416, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 1416, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:1416 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:1416\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u00221416 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00221416\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:1416","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":173},{"id":12512001,"ip":"154.16.44.117","ts":"2026-07-16 13:00:59.000000","proto":"tcp","src_port":9428,"dst_port":32040,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022d0cff0eae6fd882c193c0fa58458892b78e4a1f1\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 448, \u0022payload_entropy\u0022: 5.203285373261732, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 32040, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c0b8416a51a3f8de679bb7ddc31376dc86733d27\u0022, \u0022event_fingerprint\u0022: \u0022a1402f8ccb29602522efdcaa83e363fcc2aaaae2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u002211054abcb39313ea41387779a31b61a6\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 32040, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:32040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:32040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:32040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:32040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:32040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221b144d221eba7073a954c6c537563c18e0a041bb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 32040, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:32040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:32040 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u002232040 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 32040, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 32040, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:32040 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:32040\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022target_port_label\u0022: \u002232040 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002232040\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:32040","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":448},{"id":12452862,"ip":"154.16.44.117","ts":"2026-07-16 09:34:39.000000","proto":"tcp","src_port":10420,"dst_port":19609,"service":"http","classification":"http_smuggling_probe","waf_score":37,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00228e110798e55f0ffadf44aefa31ea878dffac4f1c\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 445, \u0022payload_entropy\u0022: 5.21177087715404, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 19609, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022fd65110a589eca3eb146d337d5ac11241165f09b\u0022, \u0022event_fingerprint\u0022: \u0022c679e46fe1a3a5eaf4736bd0a4c3745db2655b4b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00221b15ef7ac7465862d35bec60d77c47f1\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 19609, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19609\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19609\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19609\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19609\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19609\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002258e3b7dca8dcc441ab42c0257962230ebd717263\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19609, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19609\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19609 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002219609 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 19609, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19609, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19609 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:19609\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022target_port_label\u0022: \u002219609 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002219609\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:19609","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":445},{"id":12400660,"ip":"154.16.44.117","ts":"2026-07-16 06:01:44.000000","proto":"tcp","src_port":4488,"dst_port":13553,"service":"http","classification":"http_smuggling_probe","waf_score":37,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00226315065764cbbfd532bfda9092833075525cab54\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 445, \u0022payload_entropy\u0022: 5.197953754623246, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 13553, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 61, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224e463a9d0841da7cd4110c060f8b5491ec897bc4\u0022, \u0022event_fingerprint\u0022: \u00221bbbc98ca1b9130b0582ba603c1b72be8df83305\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u002296683a39aef3019f962e112b646aa015\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 13553, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 61}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:13553\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:13553\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:13553\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:13553\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:13553\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002255b8ad0c068c882ced4d34f423ad45f7a63b17bb\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 13553, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:13553\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:13553 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002213553 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 61\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 61, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 61, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 13553, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 13553, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:13553 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:13553\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022target_port_label\u0022: \u002213553 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002213553\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 4, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:13553","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":445},{"id":12316277,"ip":"154.16.44.117","ts":"2026-07-16 00:35:53.000000","proto":"tcp","src_port":8910,"dst_port":13847,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002281d78d67fddf16a17dcdaa4fea711e0fb6788e86\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 5.208851529738149, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 13847, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00225ceee8a5ebc29199f4a1517ef67eb74ca3fbbae1\u0022, \u0022event_fingerprint\u0022: \u00224f02e715b2f9cd3b344fd54e400648121999c97b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.6, \u0022classification_confidence\u0022: 0.6, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022ed510abbc53ce1996ef66651813bf911\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 13847, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:13847\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:13847\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:13847\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:13847\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:13847\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022975d836f09421f8ad98408aa5cd5d6e2c1e4c811\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 13847, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:13847\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:13847 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u002213847 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 60 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 60, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 13847, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 13847, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:13847 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:13847\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022target_port_label\u0022: \u002213847 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 60 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002213847\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:13847","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":12176124,"ip":"154.16.44.117","ts":"2026-07-15 09:01:40.000000","proto":"tcp","src_port":11354,"dst_port":24725,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022b29a5b5159a31e1cd97c2bd4449c76eeddc1c948\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.182040935316326, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 24725, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 57, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022923d7f062566477dab9965400c33aec21f99e4c9\u0022, \u0022event_fingerprint\u0022: \u0022c4f2cfde386c08e222412dd65ee9588c74cc14be\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022f12337121d01a913112ee0c8f1ffa58e\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 24725, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 57}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:24725\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:24725\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:24725\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:24725\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:24725\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022bdac05255257d9eb4ee4fdb858494393bb941cfa\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 24725, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:24725\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:24725 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u002224725 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 57\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 57, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 57, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 24725, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 24725, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:24725 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:24725\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002224725 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002224725\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 8, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:24725","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":12092698,"ip":"154.16.44.117","ts":"2026-07-15 05:31:43.000000","proto":"tcp","src_port":13976,"dst_port":20334,"service":"http","classification":"http_smuggling_probe","waf_score":37,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00227eff9ffbceacb828dfbe6f368b78d4f0bedd533f\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 445, \u0022payload_entropy\u0022: 5.204615041097783, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 20334, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a77b8249a4a29125c4234952787304110c1abd39\u0022, \u0022event_fingerprint\u0022: \u002248caca6a431ac232e34ae32c53bd81e4035d1293\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022b0abf266f3092a68f58a5679fb6af6aa\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 20334, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:20334\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:20334\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:20334\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:20334\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:20334\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f3475c12825e542e7ed070e9dd73daf3d8a6c93a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 20334, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:20334\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:20334 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002220334 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 20334, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 20334, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:20334 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:20334\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022target_port_label\u0022: \u002220334 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002220334\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 4, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:20334","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":445},{"id":12089193,"ip":"154.16.44.117","ts":"2026-07-15 05:18:52.000000","proto":"tcp","src_port":11358,"dst_port":19369,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00229904dd4495ea13a1b1f5066a688925ed246fc534\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 448, \u0022payload_entropy\u0022: 5.213702618478467, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 19369, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002208c328a6962ca74a6049ed84859cfc03282625ac\u0022, \u0022event_fingerprint\u0022: \u0022ad74b25049ce561dc041ecbcb744b2203a9b5029\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022c9199cc0ef119a763e19f5ea38f17d3b\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 19369, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19369\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19369\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19369\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19369\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19369\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002227ea822ac85db4766bbbb21deb03db8683395cb3\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19369, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19369\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19369 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u002219369 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 19369, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 19369, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:19369 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:19369\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022target_port_label\u0022: \u002219369 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002219369\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:19369","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":448},{"id":12079952,"ip":"154.16.44.117","ts":"2026-07-15 04:56:41.000000","proto":"tcp","src_port":3064,"dst_port":28563,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022c573a97de971120b2e2a818e58342ba2cf480da8\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.16900310811385, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 28563, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.3, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022ef1feec8e6f440a1fa74cb97df12e102ec88d074\u0022, \u0022event_fingerprint\u0022: \u0022f2a2eeeeacb18355854a650a7760a24723d1f86a\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022223280347eaedb2f19021dc8346615c4\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 28563, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28563\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28563\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28563\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28563\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28563\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b753bd5245e90e414633ed04ca80d0d05db675ba\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 28563, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28563\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:28563 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u002228563 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 28563, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 28563, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:28563 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:28563\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002228563 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002228563\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:28563","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":12040954,"ip":"154.16.44.117","ts":"2026-07-15 02:16:18.000000","proto":"tcp","src_port":5192,"dst_port":28300,"service":"http","classification":"http_smuggling_probe","waf_score":37,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002222a6efe94893f5899f7bd9b857bbf9fc286b9ffe\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 445, \u0022payload_entropy\u0022: 5.203058282881917, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 28300, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00227448e5bd610f27e6901b723f534f55b3939d7b20\u0022, \u0022event_fingerprint\u0022: \u002286431ce0095aabba1c5f2cba945d4bf0c9b40a4c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022404f0590aea446a012632c83f33ec5f6\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 28300, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:28300\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:28300\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:28300\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:28300\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version:\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:28300\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226a46fea887ac0d8bb2630b6e66169fc1a18be1c6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 28300, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:28300\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:28300 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002228300 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 28300, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 28300, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:28300 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:28300\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Le\u0022, \u0022target_port_label\u0022: \u002228300 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002228300\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:28300","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":445},{"id":12006034,"ip":"154.16.44.117","ts":"2026-07-15 00:07:56.000000","proto":"tcp","src_port":4714,"dst_port":21274,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/sse","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00222bdafd3ce8ad1b7bb2b19cf1e196ab8101e17e3a\u0022, \u0022http_target_hash\u0022: \u0022a86b90c44ea188f3d86201cc14f47bf56d184d49\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 191, \u0022payload_entropy\u0022: 5.1794743123023315, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 21274, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022a736757d97a721e052b15d35941b6c42acaa34dd\u0022, \u0022event_fingerprint\u0022: \u00222678eca7e35a2380d2c743cdbc7fa6fe2820aee8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u002214893e6f43ae87db0aed449abcd8f993\u0022, \u0022path_pattern_hash\u0022: \u00229c55a765acd7167a274de1a30a6df566\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 21274, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:21274\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: \u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:21274\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:21274\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/sse\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:21274\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: text\/event-stream\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:21274\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227e2859fe472acd70e220f992fe513a43266d9a64\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 21274, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:21274\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:21274 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022target_port_label\u0022: \u002221274 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 55, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 21274, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/sse\u0022, \u0022request_line\u0022: \u0022GET \/sse HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 21274, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:21274 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/sse\u0022, \u0022evidence_snippet\u0022: \u0022GET \/sse HTTP\/1.1\\r\\nHost: 62.3.50.33:21274\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept:\u0022, \u0022target_port_label\u0022: \u002221274 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002221274\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 5, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:21274","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":191},{"id":12005888,"ip":"154.16.44.117","ts":"2026-07-15 00:03:41.000000","proto":"tcp","src_port":5670,"dst_port":24179,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002225d8d0cb80397f2c995623639b671e8bdb17b1e9\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 185, \u0022payload_entropy\u0022: 5.215581867564292, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 24179, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d18f19efd9a0da2062dd8f2ba897d51dd7cfa088\u0022, \u0022event_fingerprint\u0022: \u00221ce0adc14aff4150ef1ac7512e2f97711e846385\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.5, \u0022classification_confidence\u0022: 0.5, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00220a218708ff38c6dc77167b883241ce1b\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 24179, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:24179\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\n\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:24179\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:24179\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:24179\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:24179\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a0fa2e3486d6880fd3eb456eb3877580c6845461\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 24179, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:24179\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:24179 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u002224179 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 24179, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 24179, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:24179 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:24179\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022target_port_label\u0022: \u002224179 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002224179\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:24179","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":185},{"id":11998723,"ip":"154.16.44.117","ts":"2026-07-14 22:13:16.000000","proto":"tcp","src_port":5410,"dst_port":2628,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00227bfe5d2aede5ff05f1a5927f4b6c6eb42899b7bd\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 447, \u0022payload_entropy\u0022: 5.204279412744034, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 2628, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.6, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 63, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00221f5d320f12cfcfad1827e6da1fd5e34b65358aa0\u0022, \u0022event_fingerprint\u0022: \u0022c5726d033696ab027fccfc308c943ef98a2cca75\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00225908364f5616d4632fbb6d75e5657dc6\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 63}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versio\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versio\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c96cf7bde89cf64476bc55ed7bb91a4c4f8807cf\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:2628 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 63\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 63, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 63, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 2628, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 2628, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:2628 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:2628\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022target_port_label\u0022: \u00222628 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00222628\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 4, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:2628","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":447},{"id":11538894,"ip":"154.16.44.117","ts":"2026-07-13 01:35:52.000000","proto":"tcp","src_port":5202,"dst_port":5857,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022b92b9e09cfa12aecd8b060509871055cf30bd0dc\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 447, \u0022payload_entropy\u0022: 5.214173259425786, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 5857, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 6.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 64, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022e791db41abe3b49fce436d3b6f40c81c9030a5dd\u0022, \u0022event_fingerprint\u0022: \u0022e5bb2418151d5b48c5f7427c8108a993f43e43c3\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00226b60460a9017dba62650feb447b759ec\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5857, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 64}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:5857\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:5857\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versio\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:5857\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:5857\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versio\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:5857\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00221518b23a5bb3b2be2d5906cf424255b574d9d325\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 5857, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:5857\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:5857 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u00225857 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 64\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 64}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 64, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 5857, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 5857, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:5857 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:5857\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-\u0022, \u0022target_port_label\u0022: \u00225857 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225857\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:5857","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":447},{"id":11480435,"ip":"154.16.44.117","ts":"2026-07-12 20:27:14.000000","proto":"tcp","src_port":12678,"dst_port":3066,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022d858b9f15bc01e1f2666a48d7b0ce4e9d139215f\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 184, \u0022payload_entropy\u0022: 5.162567800099822, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 3066, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022d97fa6c42afd81e02a7b3daed303f822ce61005d\u0022, \u0022event_fingerprint\u0022: \u0022667198ba07e7c9bb5619b07a479c898d6292f54b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.5, \u0022classification_confidence\u0022: 0.5, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 59}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022668fdab5d9a8013f927a49061ed77882\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 3066, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:3066\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:3066\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:3066\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:3066\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:3066\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022182eb07e5dc0ef4910e020b72872b7f2149f9716\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 3066, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:3066\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:3066 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u00223066 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 50 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 59}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 3066, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 3066, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:3066 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:3066\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022target_port_label\u0022: \u00223066 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 100 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00223066\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:3066","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":184},{"id":11279140,"ip":"154.16.44.117","ts":"2026-07-12 01:49:26.000000","proto":"tcp","src_port":13098,"dst_port":10194,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022cd38330630fe93bc9fd5de79a023ea8f02b647bb\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 174, \u0022payload_entropy\u0022: 5.199639441000746, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 10194, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 5.9, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 59, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022b4ca2e75bcb2a51fe974c9aa265bcd2cb253b536\u0022, \u0022event_fingerprint\u0022: \u0022c5993c844f0728e0e1b14aba813963b3c2707ce8\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.69, \u0022classification_confidence\u0022: 0.69, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u002276f95385d2350d38f6754044deab44d7\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 10194, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 59}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10194\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10194\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10194\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10194\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10194\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002212a708bef0f65669a7c94304b574f1cf6721d64d\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 10194, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10194\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:10194 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002210194 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 59\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 69 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 69, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 59, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 59, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 10194, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 10194, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:10194 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:10194\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u002210194 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 69 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002210194\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:10194","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":174},{"id":11216255,"ip":"154.16.44.117","ts":"2026-07-11 19:25:49.000000","proto":"tcp","src_port":5460,"dst_port":694,"service":"http","classification":"http_smuggling_probe","waf_score":37,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00221d6a0e0574c9a74176ec19065d274e8a2e232b50\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 443, \u0022payload_entropy\u0022: 5.213533829220017, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 694, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.0, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022c4db602c3e7cd02e6ae37fffa476ce3d2d62d788\u0022, \u0022event_fingerprint\u0022: \u00223e0a78d75cc14b8959f52f81264da5c047c4fd2b\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00229443562db388d440b30ce55236a6d317\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 694, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:694\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:694\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version: 2\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:694\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:694\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version: 2\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:694\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222a931c2a892ef85eec9683db61dbd33c1e42c44e\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 694, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:694\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:694 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u0022694 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 694, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 694, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:694 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:694\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022target_port_label\u0022: \u0022694 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022694\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:694","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":443},{"id":11150602,"ip":"154.16.44.117","ts":"2026-07-11 16:15:37.000000","proto":"tcp","src_port":11868,"dst_port":7732,"service":"http","classification":"lfi_path_traversal","waf_score":27,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"GET","http_target":"\/favicon.ico","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: \u0022ico\u0022, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u002273e501931e6061f217f3dd5a680df13f3a87cf79\u0022, \u0022http_target_hash\u0022: \u0022a40fba6620dee3abd15532f18848dacb6bb80f01\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 184, \u0022payload_entropy\u0022: 5.184306930534604, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 7732, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 56, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00220e07d986c09af08b6f0dfb98454ff60eeaf5aa46\u0022, \u0022event_fingerprint\u0022: \u00222db2900301f7449a7d761faeefd68baa123b6d4f\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence\u0022: 0.6, \u0022classification_confidence\u0022: 0.6, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022af683fed8509ffc1fa1b1feb39ae2e10\u0022, \u0022path_pattern_hash\u0022: \u0022b18036488649e7cc8a55b0a02c8b737a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 7732, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 56}, \u0022payload_preview\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/favicon.ico\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022db15bf0f9ddae158d2138392ce2d1e425f45b8f6\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 7732, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:7732 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022target_port_label\u0022: \u00227732 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 56\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 60 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 60, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 56, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 56, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 7732, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/favicon.ico\u0022, \u0022request_line\u0022: \u0022GET \/favicon.ico HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 7732, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:7732 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/favicon.ico\u0022, \u0022evidence_snippet\u0022: \u0022GET \/favicon.ico HTTP\/1.1\\r\\nHost: 62.3.50.33:7732\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nA\u0022, \u0022target_port_label\u0022: \u00227732 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 4 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 60 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 4 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00227732\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 6, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:7732","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":184},{"id":10971316,"ip":"154.16.44.117","ts":"2026-07-11 04:46:56.000000","proto":"tcp","src_port":14932,"dst_port":420,"service":"http","classification":"http_smuggling_probe","waf_score":37,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"POST","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u00227baa4d59420cf3be4066f9cd09809168b6eb04ce\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 443, \u0022payload_entropy\u0022: 5.2000481216556, \u0022port_category\u0022: \u0022well_known\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 420, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 4.8, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 62, \u0022tag_count\u0022: 6, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00223d0bb610e4621b5f5fd2086bd7bf02ebdff33ee7\u0022, \u0022event_fingerprint\u0022: \u0022d0db642bcbc7050c5a566001aa7bbb562c2dd7f2\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 10}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u002265afec33d5db5ffec37f633d3647e080\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 420, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 62}, \u0022payload_preview\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:420\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:420\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version: 2\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:420\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:420\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Version: 2\u0022, \u0022payload_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:420\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f3b01d33b01ee8fe6212f7275d9d985d0f27b709\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 420, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:420\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:420 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u0022420 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 62\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 100 % \u2014 via HTTP \u2014 campagne \/24 (154.16.44.0\/24)\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 62, \u0022correlation_boost\u0022: 10}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Reconnaissance\u0022, \u0022risk_score\u0022: 62, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 420, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: [\u0022scan_coordonn\u00e9\u0022], \u0022correlation_flags_labels_fr\u0022: [\u0022Scan coordonn\u00e9\u0022], \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Corr\u00e9lation +10\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022POST \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 420, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:420 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022POST \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:420\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Leng\u0022, \u0022target_port_label\u0022: \u0022420 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 6 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 100 \u00b7 Bonus corr\u00e9lation +10 \u00b7 6 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: \u0022Campagne de scan \u2014 plusieurs IP du m\u00eame \/24 (154.16.44.0\/24, \u22653 pairs)\u0022, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022reconnaissance\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u0022420\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022coordinated_scan\u0022: true, \u0022coordinated_subnet\u0022: \u0022154.16.44.0\/24\u0022, \u0022coordinated_ip_count\u0022: 3, \u0022behavior_alerts\u0022: [\u0022coordinated_scan\u0022], \u0022correlation_confidence_boost\u0022: 10, \u0022attack_chain_stage\u0022: \u0022reconnaissance\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:420","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":443},{"id":10971086,"ip":"154.16.44.117","ts":"2026-07-11 04:43:11.000000","proto":"tcp","src_port":12856,"dst_port":15658,"service":"http","classification":"lfi_path_traversal","waf_score":30,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","http_method":"GET","http_target":"\/","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 5, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 0, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022fd3c92d4e8ddbffcbecc9d3bedfc67d6cccd9b3c\u0022, \u0022http_target_hash\u0022: \u002242099b4af021e53fd8fd4e056c2568d7c2e3ffa8\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022GET\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 174, \u0022payload_entropy\u0022: 5.193057561531052, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 15658, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 78.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.2, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 55, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022f966ac19e44d418befd39764e432d9a7342fb5d0\u0022, \u0022event_fingerprint\u0022: \u0022e23e4000dc1669a5b7520cfd836f6efb85246b35\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022CRS-930100-sub\u0022], \u0022kb_rule_ids\u0022: [\u0022CRS-930100-sub\u0022], \u0022matched_patterns\u0022: [\u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022path_traversal\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u0022a73e9d70dfd9c70433d8d1fb9cb14eb3\u0022, \u0022path_pattern_hash\u0022: \u00228a5edab282632443219e051e4ade2d1d\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 15658, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 55}, \u0022payload_preview\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15658\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15658\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15658\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022GET\u0022, \u0022path\u0022: \u0022\/\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022, \u0022sap-sapcontrol-path\u0022], \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15658\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\\r\\nConnection: close\\r\\nAccept-Encoding: gzip\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15658\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022path_traversal\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b46d2d0ecbd8fc231f3a03e8ae0e7c62f7936726\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 15658, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15658\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:15658 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u002215658 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab lfi_path_traversal \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 55\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 78.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 55}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 55, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 15658, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022CRS-930100-sub\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022CRS-930100-sub\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022GET\u0022, \u0022http_path\u0022: \u0022\/\u0022, \u0022request_line\u0022: \u0022GET \/ HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 15658, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022lfi path traversal \u00b7 via HTTP:15658 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022GET \/ HTTP\/1.1\\r\\nHost: 62.3.50.33:15658\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nAccept: *\/*\u0022, \u0022target_port_label\u0022: \u002215658 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002215658\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:15658","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022, \u0022950734:sap-sapcontrol-path\u0022]","anomalies":"[]","severity":10,"bytes_in":174},{"id":10967896,"ip":"154.16.44.117","ts":"2026-07-11 03:48:58.000000","proto":"tcp","src_port":21853,"dst_port":5060,"service":"sip","classification":"http_smuggling_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u00225349502f322e3020323030204f4b0d0a5669613a205349502f322e302f55445020686f6e6579706f740d0a46726f6d3a203c7369703a686f6e6579706f74406c6f63616c3e3b7461673d6870310d0a546f3a203c7369703a70726f6265406c6f63616c3e3b7461673d6870320d0a43616c6c2d49443a20686f6e6579706f742d\u0022, \u0022emulator_response_len\u0022: 215, \u0022bytes_in\u0022: 224, \u0022payload_entropy\u0022: 5.26328987918105, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022sip\u0022, \u0022app_proto\u0022: \u0022sip\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 5060, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.5, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 52, \u0022tag_count\u0022: 4, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00229d47a028d45c994ea562e4af4fb360bfaa9c2d49\u0022, \u0022event_fingerprint\u0022: \u00223fcb8baeea4f587fed31373e40a068a2b2c72324\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022SIP protocol\u0022, \u0022HTTP OPTIONS method\u0022, \u0022SIP OPTIONS\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0384\u0022, \u0022pat-0420\u0022, \u0022pat-0535\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222d212347768522c1c677ccad83532571\u0022, \u0022path_pattern_hash\u0022: \u002206b55a159b5d265fc8976ebb0a005f8a\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022risk_score\u0022: 52}, \u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33:5060 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 62.3.50.33:5060;branch=z9hG4bK-scan\\r\\nFrom: \u003Csip:62.3.50.33:5060\u003E;tag=1\\r\\nTo\u0022, \u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33:5060 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 62.3.50.33:5060;branch=z9hG4bK-scan\\r\\nFrom: \u003Csip:62.3.50.33:5060\u003E;tag=1\\r\\nTo: \u003Csip:62.3.50.33:5060\u003E\\r\\nCall-ID: scan\\r\\nCSeq: 1 OPTIONS\\r\\nMax-Forwards: 70\\r\\nContent-Length: 0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33:5060 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 62.3.50.33:5060;branch=z9hG4bK-scan\\r\\nFrom: \u003Csip:62.3.50.33:5060\u003E;tag=1\\r\\nTo\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022OPTIONS sip:62.3.50.33:5060 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 62.3.50.33:5060;branch=z9hG4bK-scan\\r\\nFrom: \u003Csip:62.3.50.33:5060\u003E;tag=1\\r\\nTo: \u003Csip:62.3.50.33:5060\u003E\\r\\nCall-ID: scan\\r\\nCSeq: 1 OPTIONS\\r\\nMax-Forwards: 70\\r\\nContent-Length: 0\\r\\n\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022OPTIONS sip:62.3.50.33:5060 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 62.3.50.33:5060;branch=z9hG4bK-scan\\r\\nFrom: \u003Csip:62.3.50.33:5060\u003E;tag=1\\r\\nTo\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225b07e2c695d9f74264b5bdba86ffe0d1f3cd1e14\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33:5060 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 62.3.50.33:5060;branch=z9hG4bK-scan\\r\\nFrom: \u003Csip:62.3.50.33:5060\u003E;tag=1\\r\\nTo\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33:5060 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 62.3.50.33:5060;branch=z9hG4bK-scan\\r\\nFrom: \u003Csip:62.3.50.33:5060\u003E;tag=1\\r\\nTo\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 52\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via SIP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 52}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 52, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022, \u0022dst_port\u0022: 5060, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-sip\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022OPTIONS sip:62.3.50.33:5060 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 62.3.50.33:5060;branch=z9hG4bK-scan\\r\\nFrom: \u003Csip:62.3.50.33:5060\u003E;tag=1\\r\\nTo\u0022, \u0022port\u0022: 5060, \u0022service\u0022: \u0022sip\u0022, \u0022service_label_fr\u0022: \u0022SIP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via SIP:5060 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022OPTIONS sip:62.3.50.33:5060 SIP\/2.0\\r\\nVia: SIP\/2.0\/TCP 62.3.50.33:5060;branch=z9hG4bK-scan\\r\\nFrom: \u003Csip:62.3.50.33:5060\u003E;tag=1\\r\\nTo\u0022, \u0022target_port_label\u0022: \u00225060 \u00b7 SIP\u0022, \u0022emulator_service\u0022: \u0022sip\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022sip\u0022, \u0022service_banner\u0022: \u0022honeypot-sip\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00225060\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_sip_voip_probe\u0022, \u0022sip_emulated\u0022, \u0022sip_payload\u0022, \u0022sip_voip_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":224},{"id":10880823,"ip":"154.16.44.117","ts":"2026-07-10 17:13:08.000000","proto":"tcp","src_port":14514,"dst_port":11629,"service":"http","classification":"http_smuggling_probe","waf_score":34,"waf_tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","http_method":"POST","http_target":"\/mcp","sensor_id":"paris-1","meta":"{\u0022http_header_count\u0022: 8, \u0022http_query_params\u0022: 0, \u0022http_path_depth\u0022: 1, \u0022http_path_ext\u0022: null, \u0022http_ua_hash\u0022: \u0022d21c1bafc58d16443d9ec66887a72f8ca1f87ea1\u0022, \u0022http_host_hash\u0022: \u0022fa481ac8b01c2ed5fd69297955ccfcf5c690626e\u0022, \u0022http_target_hash\u0022: \u0022b6dd5207698ea0722ea3c46de82524f56e66f110\u0022, \u0022http_referer_hash\u0022: null, \u0022http_method\u0022: \u0022POST\u0022, \u0022http_ua_is_cli\u0022: false, \u0022http_ua_is_browser\u0022: true, \u0022bytes_in\u0022: 448, \u0022payload_entropy\u0022: 5.207055953235861, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022service\u0022: \u0022http\u0022, \u0022app_proto\u0022: \u0022http\u0022, \u0022asn\u0022: 25369, \u0022country\u0022: \u0022GB\u0022, \u0022dst_port\u0022: 11629, \u0022risk_waf\u0022: 100.0, \u0022risk_classification\u0022: 85.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 25.0, \u0022risk_novelty\u0022: 25.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0}, \u0022risk_score\u0022: 60, \u0022tag_count\u0022: 5, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002216250aee197e4512939342f771fae9d2c63c44a1\u0022, \u0022event_fingerprint\u0022: \u00225de220ef600ebe22cd9b41ee7c489a40e64228b6\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022confidence\u0022: 0.95, \u0022classification_confidence\u0022: 0.95, \u0022precision_score\u0022: 84, \u0022precision_signals\u0022: [\u0022pat-0842\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0842\u0022], \u0022matched_patterns\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 921130 duplicate CL\u0022, \u0022LFI Double-dot bypass\u0022], \u0022pattern_ids\u0022: [\u0022pat-0842\u0022, \u0022pat-0103\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 60}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_confidence_factor\u0022: 95.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022GB\u0022, \u0022asn\u0022: 25369, \u0022org\u0022: \u0022Hydra Communications Ltd\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022http_ua_hash\u0022: \u0022d74db3be8cf3d2c61a6ebef42022c154\u0022, \u0022payload_hash\u0022: \u00221b2ca5f0e5c7de5120fbe9b8efb57266\u0022, \u0022path_pattern_hash\u0022: \u002288fe637beab867e285c088d60d6cc3b3\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 11629, \u0022service\u0022: \u0022http\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022risk_score\u0022: 60}, \u0022payload_preview\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:11629\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:11629\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:11629\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022evidence\u0022: {\u0022method\u0022: \u0022POST\u0022, \u0022path\u0022: \u0022\/mcp\u0022, \u0022user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022waf_tags\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022], \u0022waf_rule_names\u0022: [\u0022lfi-14\u0022, \u0022rce-0\u0022, \u0022rce-14\u0022, \u0022ssrf-3\u0022, \u0022nosqli-3\u0022], \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022request_sample\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:11629\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent-Length: 151\\r\\nAccept: application\/json, text\/event-stream\\r\\nConnection: close\\r\\nContent-Type: application\/json\\r\\nMcp-Protocol-Versi\u0022, \u0022payload_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:11629\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022web_injection\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ad33afe9efe2a9b43cb124ff5b9bfd8addb07c1a\u0022, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 11629, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:11629\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:11629 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022target_port_label\u0022: \u002211629 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab http_smuggling_probe \u00bb (signaux protocolaires) \u00b7 confiance 95%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 60\/100 (Moyen) \u2014 MITRE TA0001 \u2014 confiance 95 % \u2014 via HTTP\u0022, \u0022confidence_pct\u0022: 95, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 100.0, \u0022classification\u0022: 85.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 25.0, \u0022novelty\u0022: 25.0, \u0022risk_score\u0022: 60}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 60, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022, \u0022dst_port\u0022: 11629, \u0022protocol_emulated\u0022: null, \u0022tags_summary\u0022: [\u0022pat-0842\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0842\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-http\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022http_method\u0022: \u0022POST\u0022, \u0022http_path\u0022: \u0022\/mcp\u0022, \u0022request_line\u0022: \u0022POST \/mcp HTTP\/1.1\u0022, \u0022http_user_agent\u0022: \u0022Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\u0022, \u0022port\u0022: 11629, \u0022service\u0022: \u0022http\u0022, \u0022service_label_fr\u0022: \u0022HTTP\u0022}, \u0022attack_vector\u0022: \u0022http smuggling probe \u00b7 via HTTP:11629 \u00b7 (tentative d\u0027exploit) \u00b7 \u2192 \/mcp\u0022, \u0022evidence_snippet\u0022: \u0022POST \/mcp HTTP\/1.1\\r\\nHost: 62.3.50.33:11629\\r\\nUser-Agent: Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)\\r\\nContent\u0022, \u0022target_port_label\u0022: \u002211629 \u00b7 HTTP\u0022, \u0022emulator_service\u0022: \u0022http\u0022, \u0022confidence_reason\u0022: \u0022Confiance 95 % \u2014 Motif catalogue confirm\u00e9 \u00b7 5 tag(s) WAF\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 95 % \u2014 Score WAF 100 \u00b7 5 tag(s) WAF\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022http\u0022, \u0022service_banner\u0022: \u0022honeypot-http\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u002211629\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":"HTTP\/1.1","http_host":"62.3.50.33:11629","http_user_agent":"Mozilla\/5.0 (compatible; Infrawatch\/1.0; +https:\/\/infrawat.ch\/)","http_referer":null,"tags":"[\u0022950318:lfi-14\u0022, \u0022950326:rce-0\u0022, \u0022950383:rce-14\u0022, \u0022950406:ssrf-3\u0022, \u0022950470:nosqli-3\u0022]","anomalies":"[]","severity":10,"bytes_in":448}],"total_events":29}