{"ip":"158.106.204.166","exported_at":"2026-06-18T13:46:25+00:00","period_days":1,"metrics":{"events7d":636,"distinct_ports":4,"distinct_classifications":27,"max_severity":8,"last_sensor_id":"paris-1","max_waf_score":16,"max_risk_score":52,"attack_stage":"probe","attack_chain_stage":"discovery","threat_family":["database_scan"],"recommended_action":"monitor","confidence":1,"risk_breakdown":{"waf":8,"classification":58,"behavior":0,"geo":0,"protocol":30,"novelty":0},"mitre_tactics":["TA0007","TA0001"],"mitre_technique":"T1046","top_mitre_technique":"TA0007","top_mitre_count":507,"executive_one_liner_fr":"Activit\u00e9 suspecte \u00b7 risque 38\/100","campaign_hint_fr":null,"confidence_breakdown":{"waf":8,"classification":58,"behavior":0,"geo":0,"protocol":30,"novelty":0,"risk_score":38},"persona_hostname":"mail.sensor-1.internal","correlation_flags":[],"correlation_flags_labels_fr":[],"confidence_pct":100,"confidence_hint_fr":null,"sensor_role_label_fr":"Renseignement menaces","tags_summary_labels_fr":["pat-0363","pat-0364"],"tags_summary":["pat-0363","pat-0364"],"attack_vector":"mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)","protocol_details":{"payload_preview":"\ufffd\u0000\u0000\u0000!\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhelloOk\u0000\u0001\u0004compression\u0000\u0005\u0000\u0000\u0000\u0000\u0003client\u0000\ufffd\u0000\u0000\u0000\u0003driver\u00003\u0000\u0000\u0000\u0002name\u0000\u0010\u0000\u0000\u0000mongo-go-","port":9100,"service":"jetdirect","service_label_fr":"JETDIRECT"},"protocol_summary_fr":"Payload \ufffd\u0000\u0000\u0000!\u0000\u0000\u0000\u0000\u0000\u0000\u0000\ufffd\u0007\u0000\u0000\u0004\u0000\u0000\u0000admin.$cmd\u0000\u0000\u0000\u0000\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\u0000\u0000\u0000\u0010isMaster\u0000\u0001\u0000\u0000\u0000\bhello\u2026 \u00b7 JETDIRECT:9100","evidence_snippet":"\ufffd!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-","target_port_label":"9100 \u00b7 JETDIRECT","emulator_service":"jetdirect","confidence_reason":"Confiance 100 % \u2014 Motif catalogue confirm\u00e9","classification_reason":"Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%","classification_reason_label_fr":"Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%","confidence_factors_fr":"Confiance 100 % \u2014 Score WAF 8","payload_preview":"\ufffd!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-"},"events":[{"id":9522564,"ip":"158.106.204.166","ts":"2026-06-17 20:49:21.000000","proto":"tcp","src_port":55600,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220b2e0c58f56e9ee8c23c01e1fef06198\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a374a2783fce737ae61755b8dced4a4b3d396ba4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522565,"ip":"158.106.204.166","ts":"2026-06-17 20:49:21.000000","proto":"tcp","src_port":55602,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002250e624ea0d0076b318258113b57916dd\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000!\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000!\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000!\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225ab5db9f2430bbb3ed592d9e7b75347aee366a03\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000!\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000!\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd!\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522557,"ip":"158.106.204.166","ts":"2026-06-17 20:49:20.000000","proto":"tcp","src_port":55591,"dst_port":9100,"service":"jetdirect","classification":"nfs_mount","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.6761360291184577, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226deae0c7c1a050bba0c537a2b25fc818a7da24b5\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0379\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0379\u0022], \u0022matched_patterns\u0022: [\u0022pat-0379\u0022, \u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022NFS mount string\u0022, \u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0379\u0022, \u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002261a5832a37fd30843e8cf24483a0605f\u0022, \u0022path_pattern_hash\u0022: \u002238dfb4397d753d5c3c57b50e7f57234c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d638bf77a0b34519812a54162ee0dd1911158cb4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(NFS0\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022nfs mount \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0379\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0379\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022nfs mount \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(NFS0\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":44},{"id":9522558,"ip":"158.106.204.166","ts":"2026-06-17 20:49:20.000000","proto":"tcp","src_port":55593,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 24, \u0022payload_entropy\u0022: 0.24988229283318544, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d98b4c95d89a83c72b8b3ef5e42fc38c\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022c\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022c\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022c\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022c\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022c\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022046d5fe954241605691f465e310b5b1253832b1d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022c\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022c\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022c\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022c\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":24},{"id":9522559,"ip":"158.106.204.166","ts":"2026-06-17 20:49:20.000000","proto":"tcp","src_port":55594,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a5041c4c237adb2767e90f123d0d04c9\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220abd23aaaa1b4e38da5206ba1755b4a501fea380\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522560,"ip":"158.106.204.166","ts":"2026-06-17 20:49:20.000000","proto":"tcp","src_port":55595,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.128085278891395, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0414\u0022], \u0022matched_pattern_names\u0022: [\u0022Redis PING RESP\u0022], \u0022pattern_ids\u0022: [\u0022pat-0414\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a43cb6a3b9d261112714d00e36b33106\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nPING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222f6e02e9c4f142e27195a041b3011c0ddd6b0983\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nPING\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":14},{"id":9522561,"ip":"158.106.204.166","ts":"2026-06-17 20:49:20.000000","proto":"tcp","src_port":55596,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 3.128085278891395, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022matched_patterns\u0022: [\u0022pat-0411\u0022], \u0022matched_pattern_names\u0022: [\u0022Redis INFO\u0022], \u0022pattern_ids\u0022: [\u0022pat-0411\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f97ce549efeee853d655f0c9276962a8\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nINFO\\r\\n\u0022, \u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nINFO\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nINFO\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022*1\\r\\n$4\\r\\nINFO\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022*1\\r\\n$4\\r\\nINFO\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002290fdd532dd7199cacc76473c818b1adeb251b8f6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nINFO\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nINFO\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022*1\\r\\n$4\\r\\nINFO\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022*1\\r\\n$4\\r\\nINFO\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":14},{"id":9522562,"ip":"158.106.204.166","ts":"2026-06-17 20:49:20.000000","proto":"tcp","src_port":55597,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220c02e500fca406a185fa2b1942359dc9\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001d\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001d\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001d\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002284a721876a512c5ba6083148b0490195b5ff2e16\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001d\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u001d\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522563,"ip":"158.106.204.166","ts":"2026-06-17 20:49:20.000000","proto":"tcp","src_port":55598,"dst_port":9100,"service":"jetdirect","classification":"port_9100_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 6, \u0022payload_entropy\u0022: 2.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 40, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002235e9e7d509f3f94125f208bbf1d8060d9d0f79ce\u0022, \u0022event_fingerprint\u0022: \u0022d4e30af239d63ea76bb2fd131a90c69dc07660a0\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022confidence\u0022: 0.55, \u0022classification_confidence\u0022: 0.55, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022redis_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 55.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dedee95a5c3354a76fa11ee26963cbe7\u0022, \u0022path_pattern_hash\u0022: \u00221144138c1a57dd6566e67742399f5aa8\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 40}, \u0022payload_preview\u0022: \u0022PING\\r\\n\u0022, \u0022request_sample\u0022: \u0022PING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022PING\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022PING\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022PING\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00229fe81863755b987249169338e93006b9368df0ae\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022PING\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022PING\u0022, \u0022attack_vector\u0022: \u0022port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 55%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 40\/100\u0022, \u0022confidence_pct\u0022: 55, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 40}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 40, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022PING\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022PING\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 55 % \u2014 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 55 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022net_redis_probe\u0022, \u0022redis_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022net_redis_probe\u0022, \u0022redis_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":6},{"id":9522566,"ip":"158.106.204.166","ts":"2026-06-17 20:49:20.000000","proto":"tcp","src_port":55592,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022port_inferred_service\u0022: true, \u0022bytes_in\u0022: 0, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002299a5882356b4d78fbb128d9a01d6cf13e652995b\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":0},{"id":9522547,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55578,"dst_port":9100,"service":"jetdirect","classification":"amqp_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 8, \u0022payload_entropy\u0022: 2.75, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 43.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 43.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 50, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224d3bf7d8f5641d79de81b5db16b03960d7757ef3\u0022, \u0022event_fingerprint\u0022: \u00221ad055820766351a2df61f205476b8da7cdaa169\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab amqp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 199, \u0022precision_signals\u0022: [\u0022INT-PROTO-amqp-auth\u0022, \u0022pat-0371\u0022, \u0022pat-0537\u0022, \u0022INT-upstream\u0022], \u0022kb_rule_ids\u0022: [\u0022INT-PROTO-amqp-auth\u0022, \u0022pat-0371\u0022, \u0022pat-0537\u0022, \u0022INT-upstream\u0022], \u0022matched_patterns\u0022: [\u0022pat-0371\u0022, \u0022pat-0537\u0022], \u0022matched_pattern_names\u0022: [\u0022AMQP protocol\u0022, \u0022AMQP protocol header\u0022], \u0022pattern_ids\u0022: [\u0022pat-0371\u0022, \u0022pat-0537\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 43.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022bc2f502576523902588d3c36f36ea5a1\u0022, \u0022path_pattern_hash\u0022: \u0022e0a8a2707ca9342b66a175c0e4383ba0\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 50}, \u0022payload_preview\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022request_sample\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022payload_snippet\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022payload_snippet\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab amqp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022investigate\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e222789821bd5252c0211a51b1b3c125b3932209\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022AMQP\u0022, \u0022attack_vector\u0022: \u0022amqp probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab amqp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab amqp_probe \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 50\/100 (Moyen) \u2014 MITRE T1046 \u2014 confiance 100 % \u2014 via JETDIRECT\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 43.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 50}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 50, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022INT-PROTO-amqp-auth\u0022, \u0022pat-0371\u0022, \u0022pat-0537\u0022, \u0022INT-upstream\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022Proto Amqp Auth\u0022, \u0022pat-0371\u0022, \u0022pat-0537\u0022, \u0022Upstream\u0022], \u0022recommended_action\u0022: \u0022investigate\u0022, \u0022recommended_action_label\u0022: \u0022Investiguer\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022AMQP\\u0000\\u0000\\t\\u0001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022amqp probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022AMQP\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_investigate\u0022, \u0022tags_list\u0022: [\u0022amqp_handshake\u0022, \u0022net_amqp_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022amqp_handshake\u0022, \u0022net_amqp_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":8},{"id":9522548,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55579,"dst_port":9100,"service":"jetdirect","classification":"xss_attack","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 136, \u0022payload_entropy\u0022: 4.7035497892369795, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 68.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 15.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0}, \u0022risk_score\u0022: 39, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022confidence\u0022: 0.59, \u0022classification_confidence\u0022: 0.59, \u0022precision_score\u0022: 70, \u0022precision_signals\u0022: [\u0022pat-0284\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0284\u0022], \u0022matched_patterns\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0530\u0022], \u0022matched_pattern_names\u0022: [\u0022CRS 941130\u0022, \u0022LFI Double-dot bypass\u0022, \u0022XMPP stream\u0022], \u0022pattern_ids\u0022: [\u0022pat-0284\u0022, \u0022pat-0103\u0022, \u0022pat-0530\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 39}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 59.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224c1af05024003e93f859eb8590dac59c\u0022, \u0022path_pattern_hash\u0022: \u0022e84c630ed8a3a6084c1b662f626e7300\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 39}, \u0022payload_preview\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream to=\u002762.3.50.33\u0027 xmlns=\u0027jabber:client\u0027 xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 versio\u0022, \u0022request_sample\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream to=\u002762.3.50.33\u0027 xmlns=\u0027jabber:client\u0027 xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 version=\u00271.0\u0027\u003E\u0022, \u0022payload_snippet\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream to=\u002762.3.50.33\u0027 xmlns=\u0027jabber:client\u0027 xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 versio\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream to=\u002762.3.50.33\u0027 xmlns=\u0027jabber:client\u0027 xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 version=\u00271.0\u0027\u003E\u0022, \u0022payload_snippet\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream to=\u002762.3.50.33\u0027 xmlns=\u0027jabber:client\u0027 xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 versio\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022mitre_tactics\u0022: [\u0022TA0001\u0022, \u0022TA0002\u0022], \u0022mitre\u0022: \u0022TA0001\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b91a353554f129c4743342cf12e6626a52c0a29e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream to=\u002762.3.50.33\u0027 xmlns=\u0027jabber:client\u0027 xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 versio\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream to=\u002762.3.50.33\u0027 xmlns=\u0027jabber:client\u0027 xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 versio\u0022, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via JETDIRECT:9100 \u00b7 (tentative d\u0027exploit)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab xss_attack \u00bb (signaux protocolaires) \u00b7 confiance 59%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u2014 risque 39\/100 (Faible) \u2014 MITRE TA0001 \u2014 confiance 59 % \u2014 via JETDIRECT\u0022, \u0022confidence_pct\u0022: 59, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 68.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 15.0, \u0022risk_score\u0022: 39}, \u0022attack_stage\u0022: \u0022exploit_attempt\u0022, \u0022attack_stage_label\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022Exploitation\u0022, \u0022risk_score\u0022: 39, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0284\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0284\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0001\u0022, \u0022mitre_technique\u0022: \u0022TA0001\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream to=\u002762.3.50.33\u0027 xmlns=\u0027jabber:client\u0027 xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 versio\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022xss attack \u00b7 via JETDIRECT:9100 \u00b7 (tentative d\u0027exploit)\u0022, \u0022evidence_snippet\u0022: \u0022\u003C?xml version=\u00271.0\u0027?\u003E\u003Cstream:stream to=\u002762.3.50.33\u0027 xmlns=\u0027jabber:client\u0027 xmlns:stream=\u0027http:\/\/etherx.jabber.org\/streams\u0027 versio\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 59 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 59 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploitation\u0022, \u0022label_fr\u0022: \u0022Exploitation\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022exploitation\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022behavior_alert_count\u0022: 1, \u0022behavior_priority\u0022: 96}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":136},{"id":9522549,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55581,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b01512d56868747ce8dc803ed3976d26\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002293641b07aab2f0a4e88b50b18917b0db5b6583f7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0017\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522550,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55582,"dst_port":9100,"service":"jetdirect","classification":"smb_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 28, \u0022payload_entropy\u0022: 1.5131168549735339, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0354\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0354\u0022], \u0022matched_patterns\u0022: [\u0022pat-0354\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022SMB negotiate\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0354\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e6fcd6c090da73956becab3e413ee257\u0022, \u0022path_pattern_hash\u0022: \u0022b6c073dc229e6284b4cae7886c46d504\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0001j3\\bX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0001j3\\bX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0001j3\\bX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0001j3\\bX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0001j3\\bX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022scanner\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224e7765638866a9f1f6e0225ac74849bd465aa3dc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0001j3\\bX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022j3X\u0022, \u0022attack_vector\u0022: \u0022smb probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab smb_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0354\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0354\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0001j3\\bX\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\t\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0004\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022smb probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022j3X\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":28},{"id":9522551,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55583,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 38, \u0022payload_entropy\u0022: 2.3985082772637103, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002221164128a00223274f8c6e16f6f9b38a\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000 \\u0000\\u0000\\u0000\u003E\\u00032!\\u0001\\u0001\\u0010\u0027\\u0001\\u0001\\u0001\\u0001\\u0001\\u0001\ufffd\ufffd\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000 \\u0000\\u0000\\u0000\u003E\\u00032!\\u0001\\u0001\\u0010\u0027\\u0001\\u0001\\u0001\\u0001\\u0001\\u0001\ufffd\ufffd\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000 \\u0000\\u0000\\u0000\u003E\\u00032!\\u0001\\u0001\\u0010\u0027\\u0001\\u0001\\u0001\\u0001\\u0001\\u0001\ufffd\ufffd\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000 \\u0000\\u0000\\u0000\u003E\\u00032!\\u0001\\u0001\\u0010\u0027\\u0001\\u0001\\u0001\\u0001\\u0001\\u0001\ufffd\ufffd\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000 \\u0000\\u0000\\u0000\u003E\\u00032!\\u0001\\u0001\\u0010\u0027\\u0001\\u0001\\u0001\\u0001\\u0001\\u0001\ufffd\ufffd\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c2b0262d5a5146c1659d55c0b786fb694b1257fb\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000 \\u0000\\u0000\\u0000\u003E\\u00032!\\u0001\\u0001\\u0010\u0027\\u0001\\u0001\\u0001\\u0001\\u0001\\u0001\ufffd\ufffd\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\u003E2!\u0027\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000 \\u0000\\u0000\\u0000\u003E\\u00032!\\u0001\\u0001\\u0010\u0027\\u0001\\u0001\\u0001\\u0001\\u0001\\u0001\ufffd\ufffd\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\u003E2!\u0027\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":38},{"id":9522552,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55585,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 0.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022df3f619804a92fdb4057192dc43dd748\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022166075da017f072aadc51702daa9fb7fe8838255\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":4},{"id":9522553,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55586,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 3, \u0022payload_entropy\u0022: 1.584962500721156, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002276fae3c085bb43bf34b254b13bd8d00d\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022\\u0000\\u0001n\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0001n\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001n\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0001n\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001n\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022936f91d6c2764765b0aff57fbf0c580a95483c05\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001n\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022n\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001n\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022n\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":3},{"id":9522554,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55588,"dst_port":9100,"service":"jetdirect","classification":"nfs_mount","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 44, \u0022payload_entropy\u0022: 1.6761360291184577, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 52.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 45, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00226deae0c7c1a050bba0c537a2b25fc818a7da24b5\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0379\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0379\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0379\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022NFS mount string\u0022, \u0022ET H.323 setup\u0022, \u0022NFS RPC mount\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0379\u0022, \u0022pat-0868\u0022, \u0022pat-0532\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002205d8460c0884d7c9182f9c7a3daeec10\u0022, \u0022path_pattern_hash\u0022: \u002238dfb4397d753d5c3c57b50e7f57234c\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 45}, \u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022616e9ffadc907092ae56a3b77d4f2487c3983c8e\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd(NFS0\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022nfs mount \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab nfs_mount \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 45\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 52.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 45}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 45, \u0022risk_label\u0022: \u0022Moyen\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0379\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0379\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000(NFS0\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\\u0001\ufffd\ufffd\\u0000\\u0000\\u0000\\u0003\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022nfs mount \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd(NFS0\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":4,"bytes_in":44},{"id":9522555,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55589,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002230f672e1822c8268f64ac92fd4073e77\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0019\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0019\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0019\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224ee15a344eab28fb8db7ce20cb4cff907946d155\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0019\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0019\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522556,"ip":"158.106.204.166","ts":"2026-06-17 20:49:19.000000","proto":"tcp","src_port":55590,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 31, \u0022payload_entropy\u0022: 3.3729205036561045, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00222ab0510cc4156c41c24112bc2a720db2\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022request_sample\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022payload_snippet\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022payload_snippet\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224c4bf8b5aa2b4dfb9f5dcb15eb9f6965668a9b3b\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022CNXN2\ufffd\ufffd\ufffd\ufffdhost::\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022CNXN\\u0000\\u0000\\u0000\\u0001\\u0000\\u0010\\u0000\\u0000\\u0007\\u0000\\u0000\\u00002\\u0002\\u0000\\u0000\ufffd\ufffd\ufffd\ufffdhost::\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022CNXN2\ufffd\ufffd\ufffd\ufffdhost::\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":31},{"id":9522535,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55558,"dst_port":9100,"service":"jetdirect","classification":"java_rmi_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 7, \u0022payload_entropy\u0022: 2.807354922057604, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0604\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0604\u0022], \u0022matched_patterns\u0022: [\u0022pat-0604\u0022], \u0022matched_pattern_names\u0022: [\u0022Java RMI JRMI\u0022], \u0022pattern_ids\u0022: [\u0022pat-0604\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d8c49a0f759e2102fb8fa8368049d06a\u0022, \u0022path_pattern_hash\u0022: \u00227a566ca86213ccd15a91c0b5a885a24f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002210947dbc44638259948b8d1ccd99ba63bd6dc27f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0604\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0604\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002K\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JRMIK\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":7},{"id":9522536,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55559,"dst_port":9100,"service":"jetdirect","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 5, \u0022payload_entropy\u0022: 2.321928094887362, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002208ca123b90bf84c9e9d2984563eb09feee3957cd\u0022, \u0022event_fingerprint\u0022: \u0022c6ef6f933ac555737be56d247749df6717c772d9\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0536\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022998c4c91063c53dbcdff933fad5ea02c\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u00124\\u0000\\u0001\\n\u0022, \u0022request_sample\u0022: \u0022\\u00124\\u0000\\u0001\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u00124\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u00124\\u0000\\u0001\\n\u0022, \u0022payload_snippet\u0022: \u0022\\u00124\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002249cca6f168050dc55921ceef9a33c684ac11d15a\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u00124\\u0000\\u0001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u00224\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0536\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0536\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u00124\\u0000\\u0001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00224\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":5,"bytes_in":5},{"id":9522537,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55560,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 33, \u0022payload_entropy\u0022: 3.65045472541906, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 16.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.1, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 1, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022098db2a192f38cf253c354b9432b98bacf217e3a\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022da74b3e9488c0813fcd76f6273b0c115\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002293790c5aadfd811073314389bbce9937b8789066\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 16.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\\r\\n\\r\\n\\u0000\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022PRI * HTTP\/2.0\\r\\n\\r\\nSM\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022http2_preface\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022http2_preface\u0022]","anomalies":"[]","severity":2,"bytes_in":33},{"id":9522538,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55562,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 36, \u0022payload_entropy\u0022: 3.648511114409896, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c774fdf36465e0ff86b6cbcdac011d2c\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\n\\n\u0022, \u0022request_sample\u0022: \u0022t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\\n\\n\u0022, \u0022payload_snippet\u0022: \u0022t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002203d1a1d4b40b64fc9a82868e6347c510ce625f20\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022t3 12.2.1\\nAS:255\\nHL:19\\nMS:10000000\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":36},{"id":9522539,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55563,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022323d54e8666ed8f5e6dc4ef6aac777ba\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00220ec80b49ad899bcb6de3002221b45f678a0cb451\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0013\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522540,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55565,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 38, \u0022payload_entropy\u0022: 4.4514890264306795, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cdeda6029ed66fc1799d1961e17d33df\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u00220026git-upload-pack \/\\u0000host=62.3.50.33\\u0000\u0022, \u0022request_sample\u0022: \u00220026git-upload-pack \/\\u0000host=62.3.50.33\\u0000\u0022, \u0022payload_snippet\u0022: \u00220026git-upload-pack \/\\u0000host=62.3.50.33\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00220026git-upload-pack \/\\u0000host=62.3.50.33\\u0000\u0022, \u0022payload_snippet\u0022: \u00220026git-upload-pack \/\\u0000host=62.3.50.33\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b106abf25814d122b74a4af74e54129553b1ffd2\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220026git-upload-pack \/\\u0000host=62.3.50.33\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u00220026git-upload-pack \/host=62.3.50.33\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00220026git-upload-pack \/\\u0000host=62.3.50.33\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00220026git-upload-pack \/host=62.3.50.33\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":38},{"id":9522541,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55567,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 6, \u0022payload_entropy\u0022: 2.2516291673878226, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00224dec1af7a5e8ffac3511945776621f67\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u00221, 1\\r\\n\u0022, \u0022request_sample\u0022: \u00221, 1\\r\\n\u0022, \u0022payload_snippet\u0022: \u00221, 1\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u00221, 1\\r\\n\u0022, \u0022payload_snippet\u0022: \u00221, 1\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00222ce03fecd5ddc39e2382f84c81f43ab4b62549e6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00221, 1\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u00221, 1\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u00221, 1\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00221, 1\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":6},{"id":9522542,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55571,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 2, \u0022payload_entropy\u0022: 1.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227eb70257593da06f682a3ddda54a9d26\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022\\r\\n\u0022, \u0022request_sample\u0022: \u0022\\r\\n\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\r\\n\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002249e32fc5b927e53fe04ebe1f90be48dec2ebed2a\u0022, \u0022protocol_details\u0022: {\u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":2},{"id":9522543,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55572,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 16, \u0022payload_entropy\u0022: 0.6685644431995964, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00223ef30651f1b95b36f03bb51b641eaeda\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b7b18685a06c24882d959da3d1428e9eb4b2d977\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0003\\u0000\\u0001\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":16},{"id":9522544,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55573,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002203b323dadcef05dca19696bce5990d11\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0015\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0015\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0015\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022c6c8537d681ed48792e01f2747758def5e00789f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0015\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0015\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522545,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55574,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 13, \u0022payload_entropy\u0022: 3.3927474104487847, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b554204323efdd0397c86823d443ca92\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022example.com\\r\\n\u0022, \u0022request_sample\u0022: \u0022example.com\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022example.com\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022example.com\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022example.com\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022ce496ab3a73196a6b160040e97d75f5a387a136f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022example.com\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022example.com\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022example.com\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022example.com\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":13},{"id":9522546,"ip":"158.106.204.166","ts":"2026-06-17 20:49:18.000000","proto":"tcp","src_port":55575,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 6, \u0022payload_entropy\u0022: 2.2516291673878226, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b47c4c5f82a3b46964d446dca60c70bb\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022root\\r\\n\u0022, \u0022request_sample\u0022: \u0022root\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022root\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022root\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022root\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00228c90b47e98e2bd2aae2276ce9f038a8a1939bca4\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022root\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022root\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022root\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022root\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":6},{"id":9522525,"ip":"158.106.204.166","ts":"2026-06-17 20:49:17.000000","proto":"tcp","src_port":55547,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 21, \u0022payload_entropy\u0022: 2.389758003492557, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a68e8e7f92f816f679f58e667ea7351e\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022P\\u0000\\u0000\ufffd\ufffd\\u0003\\u0000\\f\\u0000\\u0010\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0001\\u0000\u0022, \u0022request_sample\u0022: \u0022P\\u0000\\u0000\ufffd\ufffd\\u0003\\u0000\\f\\u0000\\u0010\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022P\\u0000\\u0000\ufffd\ufffd\\u0003\\u0000\\f\\u0000\\u0010\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0001\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022P\\u0000\\u0000\ufffd\ufffd\\u0003\\u0000\\f\\u0000\\u0010\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0001\\u0000\u0022, \u0022payload_snippet\u0022: \u0022P\\u0000\\u0000\ufffd\ufffd\\u0003\\u0000\\f\\u0000\\u0010\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0001\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022471f72415d800a86cfacff14a67afc25a22a15fc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022P\\u0000\\u0000\ufffd\ufffd\\u0003\\u0000\\f\\u0000\\u0010\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0001\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022P\ufffd\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022P\\u0000\\u0000\ufffd\ufffd\\u0003\\u0000\\f\\u0000\\u0010\\u0000\\u0001\\u0004\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0001\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022P\ufffd\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":21},{"id":9522527,"ip":"158.106.204.166","ts":"2026-06-17 20:49:17.000000","proto":"tcp","src_port":55549,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022cf217f1d9251a396b7e80094669c8cca\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002289ff4de9fc31ca6812339306d08db5a67736aca6\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522528,"ip":"158.106.204.166","ts":"2026-06-17 20:49:17.000000","proto":"tcp","src_port":55550,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 42, \u0022payload_entropy\u0022: 1.8064617604546434, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022677dbb7235e9dcc588a2ba992e32da9e\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022500000FF03FF000018001004010000D*0000000001\u0022, \u0022request_sample\u0022: \u0022500000FF03FF000018001004010000D*0000000001\u0022, \u0022payload_snippet\u0022: \u0022500000FF03FF000018001004010000D*0000000001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022500000FF03FF000018001004010000D*0000000001\u0022, \u0022payload_snippet\u0022: \u0022500000FF03FF000018001004010000D*0000000001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022947497c7e52e67418dd54c6766e14df8b5b0c483\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022500000FF03FF000018001004010000D*0000000001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022500000FF03FF000018001004010000D*0000000001\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022500000FF03FF000018001004010000D*0000000001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022500000FF03FF000018001004010000D*0000000001\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":42},{"id":9522529,"ip":"158.106.204.166","ts":"2026-06-17 20:49:17.000000","proto":"tcp","src_port":55551,"dst_port":9100,"service":"jetdirect","classification":"mssql_tds","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 2.0930692077718898, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u002208ca123b90bf84c9e9d2984563eb09feee3957cd\u0022, \u0022event_fingerprint\u0022: \u0022c6ef6f933ac555737be56d247749df6717c772d9\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227d6abff7ed63a45433ab902e60248620\u0022, \u0022path_pattern_hash\u0022: \u0022285321e27377a1f85e5a231ca6cbffb2\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022\\u00124\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u00124\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u00124\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u00124\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u00124\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00225e71348d8bce0a5819521600655c6bdc0b49a718\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u00124\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u00224\u0022, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mssql_tds \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u00124\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mssql tds \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u00224\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mssql_tds\u0022, \u0022net_mssql_tds\u0022]","anomalies":"[]","severity":5,"bytes_in":14},{"id":9522530,"ip":"158.106.204.166","ts":"2026-06-17 20:49:17.000000","proto":"tcp","src_port":55552,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 4, \u0022payload_entropy\u0022: 2.0, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002229f8a395031b075d400c3d55eaeb0f0a\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022ruok\u0022, \u0022request_sample\u0022: \u0022ruok\u0022, \u0022payload_snippet\u0022: \u0022ruok\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022ruok\u0022, \u0022payload_snippet\u0022: \u0022ruok\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022d5038c249500a5f7ea74c727f67ea8c72e080123\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022ruok\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022ruok\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022ruok\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022ruok\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":4},{"id":9522531,"ip":"158.106.204.166","ts":"2026-06-17 20:49:17.000000","proto":"tcp","src_port":55553,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 10, \u0022payload_entropy\u0022: 1.9609640474436814, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022d2d9a52d0437a637acfc9e48592c5dd6\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0001\\f\\r\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0001\\f\\r\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0001\\f\\r\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0001\\f\\r\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0001\\f\\r\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00226401914d3a05d16bd041b15f47d4350000911116\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0001\\f\\r\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\u0006\\u0001\\f\\r\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":10},{"id":9522532,"ip":"158.106.204.166","ts":"2026-06-17 20:49:17.000000","proto":"tcp","src_port":55554,"dst_port":9100,"service":"jetdirect","classification":"java_rmi_probe","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 48, \u0022payload_entropy\u0022: 2.8686716140875377, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 56.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 32, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0604\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0604\u0022], \u0022matched_patterns\u0022: [\u0022pat-0604\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Java RMI JRMI\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0604\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022c93bd009b6a661ab60139d3d599602a7\u0022, \u0022path_pattern_hash\u0022: \u00227a566ca86213ccd15a91c0b5a885a24f\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 32}, \u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002LP\ufffd\ufffd\\u0000\\u0005w\\\u0022\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001D\\u0015M\ufffd\ufffd\ufffd;\ufffd\u0022, \u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002LP\ufffd\ufffd\\u0000\\u0005w\\\u0022\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001D\\u0015M\ufffd\ufffd\ufffd;\ufffd\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002LP\ufffd\ufffd\\u0000\\u0005w\\\u0022\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001D\\u0015M\ufffd\ufffd\ufffd;\ufffd\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022JRMI\\u0000\\u0002LP\ufffd\ufffd\\u0000\\u0005w\\\u0022\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001D\\u0015M\ufffd\ufffd\ufffd;\ufffd\u0022, \u0022payload_snippet\u0022: \u0022JRMI\\u0000\\u0002LP\ufffd\ufffd\\u0000\\u0005w\\\u0022\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001D\\u0015M\ufffd\ufffd\ufffd;\ufffd\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022enterprise_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002220f9627b904f13897563d778a6b8afd6e29e1f73\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002LP\ufffd\ufffd\\u0000\\u0005w\\\u0022\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001D\\u0015M\ufffd\ufffd\ufffd;\ufffd\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022JRMILP\ufffd\ufffdw\\\u0022DM\ufffd\ufffd\ufffd;\ufffd\u0022, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab java_rmi_probe \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 32\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 56.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 32}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 32, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0604\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0604\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022JRMI\\u0000\\u0002LP\ufffd\ufffd\\u0000\\u0005w\\\u0022\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0001D\\u0015M\ufffd\ufffd\ufffd;\ufffd\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022java rmi probe \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022JRMILP\ufffd\ufffdw\\\u0022DM\ufffd\ufffd\ufffd;\ufffd\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":48},{"id":9522533,"ip":"158.106.204.166","ts":"2026-06-17 20:49:17.000000","proto":"tcp","src_port":55557,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00228b4fba9b301d4a96c3bb5f846f9d7b9c\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0011\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0011\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0011\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022593b01e1669cf3c27864aff96e3fed9ca0392cc3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0011\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u0011\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522508,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55528,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 1.4466166676282082, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a9b6846df7c6ebb575095747dbd2466e\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022\\u0004\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0004\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0004\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0004\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00227854645d64a813f009af7c669d7a68999e1b60e7\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0004\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":9},{"id":9522509,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55529,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 8, \u0022payload_entropy\u0022: 2.4056390622295662, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 0, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022confidence\u0022: 0.0, \u0022classification_confidence\u0022: 0.0, \u0022precision_score\u0022: 0, \u0022precision_signals\u0022: [], \u0022kb_rule_ids\u0022: [], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022named_classification_skipped\u0022: false, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 0.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022b4d8ea061ded7b1c2bf35f35eac7a3fe\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 0}, \u0022payload_preview\u0022: \u0022\/00GF01\\r\u0022, \u0022request_sample\u0022: \u0022\/00GF01\\r\u0022, \u0022payload_snippet\u0022: \u0022\/00GF01\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\/00GF01\\r\u0022, \u0022payload_snippet\u0022: \u0022\/00GF01\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a7fb23700533992e74d60027b9d65babefb992cc\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\/00GF01\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\/00GF01\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 0%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 0, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 0}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 0, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: null, \u0022tags_summary_labels_fr\u0022: null, \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\/00GF01\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\/00GF01\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance faible (0 %) \u2014 classification prudente\u0022, \u0022confidence_factors_fr\u0022: null, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022behavior_alert_count\u0022: 2, \u0022behavior_priority\u0022: 72}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":8},{"id":9522510,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55531,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 57, \u0022payload_entropy\u0022: 4.465988207178161, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0529\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00220404b7509e014c4edc31542d095f75d3\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022NICK networkscanfp\\r\\nUSER networkscanfp 0 * :networkscan\\r\\n\u0022, \u0022request_sample\u0022: \u0022NICK networkscanfp\\r\\nUSER networkscanfp 0 * :networkscan\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022NICK networkscanfp\\r\\nUSER networkscanfp 0 * :networkscan\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022NICK networkscanfp\\r\\nUSER networkscanfp 0 * :networkscan\\r\\n\u0022, \u0022payload_snippet\u0022: \u0022NICK networkscanfp\\r\\nUSER networkscanfp 0 * :networkscan\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022b92d8b3a1ae46803cdeab4615980aa5cb3c6581d\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022NICK networkscanfp\\r\\nUSER networkscanfp 0 * :networkscan\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022NICK networkscanfp\\r\\nUSER networkscanfp 0 * :networkscan\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0529\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0529\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022NICK networkscanfp\\r\\nUSER networkscanfp 0 * :networkscan\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022NICK networkscanfp\\r\\nUSER networkscanfp 0 * :networkscan\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":57},{"id":9522511,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55532,"dst_port":9100,"service":"jetdirect","classification":"port_9100_tcp","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 9, \u0022payload_entropy\u0022: 1.4466166676282082, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 38.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 35, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022confidence\u0022: 0.49, \u0022classification_confidence\u0022: 0.49, \u0022precision_score\u0022: 58, \u0022precision_signals\u0022: [\u0022pat-0348\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0348\u0022], \u0022matched_patterns\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022RDP TPKT header\u0022, \u0022ET H.323 setup\u0022, \u0022Mumble ping\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0348\u0022, \u0022pat-0868\u0022, \u0022pat-0768\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022named_classification_skipped\u0022: true, \u0022named_candidate\u0022: \u0022rdp_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 49.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u002293f1c4418cec9ea1e95227d4493b77a7\u0022, \u0022path_pattern_hash\u0022: \u00221144138c1a57dd6566e67742399f5aa8\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 35}, \u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0003\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0003\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002218fe89d2e9edc4172881336f98acca6476bd9e5f\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab port_9100_tcp \u00bb (signaux protocolaires) \u00b7 confiance 49%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 35\/100\u0022, \u0022confidence_pct\u0022: 49, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 38.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 35}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 35, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0348\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0348\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0003\\u0000\\u0000\\u0001\\u0005\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022port 9100 tcp \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 49 % \u2014 Motif catalogue confirm\u00e9 \u00b7 Classification nomm\u00e9e non retenue \u2014 preuves insuffisantes\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 49 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":9},{"id":9522512,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55533,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 1.626688849701832, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0771\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022a6935157cd6b9eac86a84be5d0ee2195\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u002292b87b1705116107791d3c03501f64b7d39d290c\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0771\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0771\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\f\\u0000\\u0000\\u0000\\u0000\\r\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":14},{"id":9522513,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55534,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 12, \u0022payload_entropy\u0022: 2.4508257945180887, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022f458fc12afe2c6bda83796bf902e8408\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022fox\\u0000\\u0002\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0001\u0022, \u0022request_sample\u0022: \u0022fox\\u0000\\u0002\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022fox\\u0000\\u0002\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022fox\\u0000\\u0002\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022fox\\u0000\\u0002\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u00224b93002ffe0c7894ad8a00b2a1c4d3b89a0c6630\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022fox\\u0000\\u0002\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022fox\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022fox\\u0000\\u0002\\u0001\\u0000\\u0004\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022fox\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":12},{"id":9522514,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55535,"dst_port":9100,"service":"jetdirect","classification":"mongodb_wire_protocol","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 231, \u0022payload_entropy\u0022: 4.369460772401425, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 58.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 30.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 3.4, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 38, \u0022tag_count\u0022: 2, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u0022dc2ec784f9a815f823c3fd671e6643654e6864ac\u0022, \u0022event_fingerprint\u0022: \u0022c4ffac262af74aac6212858329eccfdbb04aa9c9\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022confidence\u0022: 1.0, \u0022classification_confidence\u0022: 1.0, \u0022precision_score\u0022: 116, \u0022precision_signals\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022kb_rule_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022matched_patterns\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022matched_pattern_names\u0022: [\u0022Mongo isMaster legacy\u0022, \u0022Mongo ismaster command\u0022, \u0022NFS RPC mount\u0022, \u0022STUN binding\u0022, \u0022Minecraft varint handshake\u0022, \u0022TFTP RRQ\u0022], \u0022pattern_ids\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022, \u0022pat-0532\u0022, \u0022pat-0771\u0022, \u0022pat-0554\u0022, \u0022pat-0536\u0022], \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022named_classification_skipped\u0022: false, \u0022classification_parent\u0022: \u0022mongodb_probe\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 100.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022ad44bf19ea2ce10a5c567ffedcefba69\u0022, \u0022path_pattern_hash\u0022: \u00229060bd55aeb34075959b54fecab264ea\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 38}, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-driver\\u0000\\u0002version\\u0000\\u0007\\u0000\\u0000\\u00001.17.4\\u0000\\u0000\\u0003os\\u0000.\\u0000\\u0000\\u0000\\u0002type\\u0000\\u0007\\u0000\\u0000\\u0000darwin\\u0000\\u0002architecture\\u0000\\u0006\\u0000\\u0000\\u0000arm64\\u0000\\u0000\\u0002platform\\u0000\\t\\u0000\\u0000\\u0000go1.26.1\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre_techniques\u0022: [\u0022T1046\u0022], \u0022mitre\u0022: \u0022T1046\u0022, \u0022threat_family\u0022: [\u0022database_scan\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f6a97e55ab84400c84d03a03b6a3dfd503eb4855\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab mongodb_wire_protocol \u00bb (signaux protocolaires) \u00b7 confiance 100%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte \u00b7 risque 38\/100\u0022, \u0022confidence_pct\u0022: 100, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 58.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 30.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 38}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 38, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0363\u0022, \u0022pat-0364\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022T1046\u0022, \u0022mitre_technique\u0022: \u0022T1046\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: null, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\\u0000\\u0000\\u0000\\u000b\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\\u0007\\u0000\\u0000\\u0004\\u0000\\u0000\\u0000admin.$cmd\\u0000\\u0000\\u0000\\u0000\\u0000\ufffd\ufffd\ufffd\ufffd\ufffd\\u0000\\u0000\\u0000\\u0010isMaster\\u0000\\u0001\\u0000\\u0000\\u0000\\bhelloOk\\u0000\\u0001\\u0004compression\\u0000\\u0005\\u0000\\u0000\\u0000\\u0000\\u0003client\\u0000\ufffd\\u0000\\u0000\\u0000\\u0003driver\\u00003\\u0000\\u0000\\u0000\\u0002name\\u0000\\u0010\\u0000\\u0000\\u0000mongo-go-\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022mongodb wire protocol \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffdadmin.$cmd\ufffd\ufffd\ufffd\ufffd\ufffdisMasterhelloOkcompressionclient\ufffddriver3namemongo-go-\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 100 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 100 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022ban_policy\u0022: \u0022advisory_monitor\u0022, \u0022tags_list\u0022: [\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[\u0022mongodb_hello_probe\u0022, \u0022net_mongodb_probe\u0022]","anomalies":"[]","severity":5,"bytes_in":231},{"id":9522515,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55537,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 20, \u0022payload_entropy\u0022: 1.3917601481809734, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0768\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u00227557767ca98bb300b1834588fbf18102\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022FINS\\u0000\\u0000\\u0000\\f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022request_sample\u0022: \u0022FINS\\u0000\\u0000\\u0000\\f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022FINS\\u0000\\u0000\\u0000\\f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022FINS\\u0000\\u0000\\u0000\\f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022payload_snippet\u0022: \u0022FINS\\u0000\\u0000\\u0000\\f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022a9a39c0801c2dc0dfcaae867757e553113b4c5ad\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022FINS\\u0000\\u0000\\u0000\\f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022FINS\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0768\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0768\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022FINS\\u0000\\u0000\\u0000\\f\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022FINS\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":20},{"id":9522516,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55538,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 14, \u0022payload_entropy\u0022: 1.4299111709758698, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0532\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022dfe54d23a8f0e41e768b7e668b0e1c4d\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\u0001\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\u0022, \u0022request_sample\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\u0001\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\u0001\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\u0001\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\u0022, \u0022payload_snippet\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\u0001\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022f3c7a006340407fb5d1f18f52edb20ae6a1974d3\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\u0001\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0532\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0532\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\\u0000\\u0001\\u0000\\u0000\\u0000\\b\\u0001\\u0001\\u0000\\u0000\\u0000\\u0000\\u0002\\u0000\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: null, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":14},{"id":9522517,"ip":"158.106.204.166","ts":"2026-06-17 20:49:16.000000","proto":"tcp","src_port":55539,"dst_port":9100,"service":"jetdirect","classification":"jetdirect","waf_score":null,"waf_tags":null,"http_method":null,"http_target":null,"sensor_id":"paris-1","meta":"{\u0022protocol_emulated\u0022: true, \u0022emulator_response\u0022: \u002232323020686f6e6579706f74206a657464697265637420726561647920706f72743d393130300d0a\u0022, \u0022emulator_response_len\u0022: 40, \u0022bytes_in\u0022: 7, \u0022payload_entropy\u0022: 1.5566567074628228, \u0022port_category\u0022: \u0022registered\u0022, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022service\u0022: \u0022jetdirect\u0022, \u0022app_proto\u0022: \u0022jetdirect\u0022, \u0022asn\u0022: 46450, \u0022country\u0022: \u0022US\u0022, \u0022dst_port\u0022: 9100, \u0022risk_waf\u0022: 8.0, \u0022risk_classification\u0022: 0.0, \u0022risk_behavior\u0022: 0.0, \u0022risk_geo\u0022: 0.0, \u0022risk_protocol\u0022: 22.0, \u0022risk_novelty\u0022: 0.0, \u0022risk_boost\u0022: 0, \u0022risk_granularity\u0022: 2.7, \u0022risk_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0}, \u0022risk_score\u0022: 6, \u0022tag_count\u0022: 0, \u0022anomaly_count\u0022: 0, \u0022campaign_key\u0022: \u00224795e0086a35811ce41b66e6c41b383affce2a72\u0022, \u0022event_fingerprint\u0022: \u0022eb0afc337169eaa4b8e375f85f6d9c688c816a7c\u0022, \u0022classification_confidence\u0022: 0.5, \u0022confidence\u0022: 0.5, \u0022precision_signals\u0022: [\u0022pat-0554\u0022], \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_confidence_factor\u0022: 50.0, \u0022city\u0022: null, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false, \u0022geo\u0022: {\u0022country\u0022: \u0022US\u0022, \u0022asn\u0022: 46450, \u0022org\u0022: \u0022Pilot Fiber, Inc.\u0022, \u0022is_datacenter\u0022: false, \u0022is_tor_hint\u0022: false}, \u0022fingerprint\u0022: {\u0022payload_hash\u0022: \u0022e866e1d989e997db6ebf852e781b0c09\u0022, \u0022path_pattern_hash\u0022: \u0022c07c53e9d81674e63c0ba7ee4ce18080\u0022}, \u0022target_context\u0022: {\u0022dst_port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022risk_score\u0022: 6}, \u0022payload_preview\u0022: \u0022\ufffd\ufffd\\u0001\\u0000\\u0000\\u0000\\u0001\u0022, \u0022request_sample\u0022: \u0022\ufffd\ufffd\\u0001\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\ufffd\\u0001\\u0000\\u0000\\u0000\\u0001\u0022, \u0022evidence\u0022: {\u0022request_sample\u0022: \u0022\ufffd\ufffd\\u0001\\u0000\\u0000\\u0000\\u0001\u0022, \u0022payload_snippet\u0022: \u0022\ufffd\ufffd\\u0001\\u0000\\u0000\\u0000\\u0001\u0022, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022mitre_tactics\u0022: [\u0022TA0007\u0022, \u0022TA0001\u0022], \u0022mitre\u0022: \u0022TA0007\u0022, \u0022threat_family\u0022: [\u0022unknown\u0022], \u0022recommended_client_action\u0022: \u0022monitor\u0022, \u0022policy_mode\u0022: \u0022intelligence\u0022, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022event_signature\u0022: \u0022e8a029a7269e96d29acf9e2479ab69c4da6b45f8\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\ufffd\\u0001\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0022, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022site_display\u0022: {\u0022classification\u0022: null, \u0022classification_reason\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022classification_reason_label_fr\u0022: \u0022Type \u00ab jetdirect \u00bb (signaux protocolaires) \u00b7 confiance 50%\u0022, \u0022executive_one_liner_fr\u0022: \u0022Activit\u00e9 suspecte\u0022, \u0022confidence_pct\u0022: 50, \u0022confidence_breakdown\u0022: {\u0022waf\u0022: 8.0, \u0022classification\u0022: 0.0, \u0022behavior\u0022: 0.0, \u0022geo\u0022: 0.0, \u0022protocol\u0022: 22.0, \u0022novelty\u0022: 0.0, \u0022risk_score\u0022: 6}, \u0022attack_stage\u0022: \u0022probe\u0022, \u0022attack_stage_label\u0022: \u0022Sonde \/ probe\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022attack_chain_stage_label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022risk_score\u0022: 6, \u0022risk_label\u0022: \u0022Faible\u0022, \u0022service_name\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022, \u0022dst_port\u0022: 9100, \u0022protocol_emulated\u0022: true, \u0022tags_summary\u0022: [\u0022pat-0554\u0022], \u0022tags_summary_labels_fr\u0022: [\u0022pat-0554\u0022], \u0022recommended_action\u0022: \u0022monitor\u0022, \u0022recommended_action_label\u0022: \u0022Surveiller\u0022, \u0022mitre\u0022: \u0022TA0007\u0022, \u0022mitre_technique\u0022: \u0022TA0007\u0022, \u0022persona_hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022persona_service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022correlation_flags\u0022: null, \u0022correlation_flags_labels_fr\u0022: null, \u0022sensor_role\u0022: \u0022threat_intelligence\u0022, \u0022sensor_role_label_fr\u0022: \u0022Renseignement menaces\u0022, \u0022confidence_hint_fr\u0022: \u0022Confiance mod\u00e9r\u00e9e \u2014 signal unique\u0022, \u0022protocol_details\u0022: {\u0022payload_preview\u0022: \u0022\ufffd\ufffd\\u0001\\u0000\\u0000\\u0000\\u0001\u0022, \u0022port\u0022: 9100, \u0022service\u0022: \u0022jetdirect\u0022, \u0022service_label_fr\u0022: \u0022JETDIRECT\u0022}, \u0022attack_vector\u0022: \u0022jetdirect \u00b7 via JETDIRECT:9100 \u00b7 (sonde \/ probe)\u0022, \u0022evidence_snippet\u0022: \u0022\ufffd\ufffd\u0022, \u0022target_port_label\u0022: \u00229100 \u00b7 JETDIRECT\u0022, \u0022emulator_service\u0022: \u0022jetdirect\u0022, \u0022confidence_reason\u0022: \u0022Confiance 50 % \u2014 Motif catalogue confirm\u00e9\u0022, \u0022confidence_factors_fr\u0022: \u0022Confiance 50 % \u2014 Score WAF 8\u0022, \u0022campaign_hint_fr\u0022: null, \u0022attack_phases_timeline_fr\u0022: [{\u0022key\u0022: \u0022recon\u0022, \u0022label_fr\u0022: \u0022Reconnaissance\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022probe\u0022, \u0022label_fr\u0022: \u0022Sonde \/ probe\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022exploit_attempt\u0022, \u0022label_fr\u0022: \u0022Tentative d\u0027exploit\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022post_exploit\u0022, \u0022label_fr\u0022: \u0022Post-exploitation\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022c2\u0022, \u0022label_fr\u0022: \u0022Commande \u0026 contr\u00f4le\u0022, \u0022active\u0022: false, \u0022kind\u0022: \u0022stage\u0022}, {\u0022key\u0022: \u0022discovery\u0022, \u0022label_fr\u0022: \u0022D\u00e9couverte\u0022, \u0022active\u0022: true, \u0022kind\u0022: \u0022chain\u0022, \u0022hint_fr\u0022: null}]}, \u0022honeypot_persona\u0022: {\u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022mail_host\u0022: \u0022mail.sensor-1.internal\u0022, \u0022ldap_dc\u0022: \u0022dc.sensor-1.internal\u0022, \u0022k8s_cluster\u0022: \u0022hp-sensor-1\u0022, \u0022domain\u0022: \u0022sensor-1.internal\u0022, \u0022service_role\u0022: \u0022jetdirect\u0022, \u0022service_banner\u0022: \u0022honeypot-jetdirect\u0022, \u0022service_os\u0022: \u0022linux\u0022, \u0022dst_port\u0022: \u00229100\u0022}, \u0022hostname\u0022: \u0022mail.sensor-1.internal\u0022, \u0022sensor_id\u0022: \u0022sensor-1\u0022, \u0022attack_chain_stage\u0022: \u0022discovery\u0022, \u0022matched_patterns\u0022: [], \u0022ban_policy\u0022: \u0022advisory_monitor\u0022}","tls_sni":null,"tls_ja3_hash":null,"tls_ja3":null,"http_version":null,"http_host":null,"http_user_agent":null,"http_referer":null,"tags":"[]","anomalies":"[]","severity":0,"bytes_in":7}],"total_events":636}